Slashdot Mirror


Security Updates, Notices for Mac OS X

Myrrh writes "eEye reports they discovered a heap overflow in QuickTime 6.5, which 'allows a remote attacker to reliably overwrite heap memory with user-controlled data and execute arbitrary code.' Now's a swell time to visit Apple and download the updates for both programs." Also, Apple today released Security Update 2004-05-03, which includes updates for AFP Server, CoreFoundation, and IPSec, and is, like the QuickTime 6.5.1 update, available via Software Update.

9 of 74 comments

  1. Who finds these security holes? by amichalo · · Score: 4, Interesting

    Mod this a -1 STUPID but who finds most of these security flaws?

    No matter if it's OS X, Windows, or Linux, there are always these security fixes popping up. I assume there is a QA team that is working on this stuff but unless there is a vulnerability that manifests itself in the form of a virus or hacked system, who finds these things and why were they looking in the first place?

    --
    I only came here to do two things; kick some ass, and drink some beer...looks like we're almost out of beer.
  2. Re:Windows version, not Mac OS. by prockcore · · Score: 4, Interesting

    The heap overflow vulnerability mentioned here only applies to the Windows version of the Quicktime player, not the Mac OS version.

    Actually, that's a completely separate vulnerability. The one talked about here is the one discovered by eEye and not the one discovered by iDefense.

    This is not surprising; just 1 month ago I mentioned that QuickTime was vulnerable to buffer overflows left and right because there is absolutely no input validation done. I was flamed for saying that, but here we have 3 different buffer overflows patched all at once.

  3. Anyone else have this problem with QT for Win? by c0d3h4x0r · · Score: 2, Interesting

    Every time QT for Windows tries to paint the annoying "register now or later" splash-screen/pop-up, it immediately crashes. This is on Windows 2003 server with a Matrox G450 Dual-Head video card running the latest Matrox video drivers. This has been happening for me with the entire 6.x series of QuickTime for Windows.

    Is anyone seeing this? Apple must not bother to ask Microsoft for the Windows Error Reporting data on QuickTime, because I've only submitted error reports on this crash about a bazillion times now.

    --
    Moderator hint: a comment is neither "Flamebait" nor "Troll" if it is true.
  4. Re:bad updates by dthree · · Score: 2, Interesting

    I ran the updater on 2 macs at home and now I can't file share between them at all, cool! Now THAT is security!

    I'm afraid of doing the update on my G5 office Mac. I can't afford to lose filesharing, but now that the exploit is "published" all kinds of lemurs are gonna be trying to find the unpatched Macs to exploit.

    --
    "I forgot my mantra."
  5. Re:Mac OS X Just Crashed by ChaosWing · · Score: 2, Interesting

    Oddly enough, my Powerbook did the same thing as I was starting it up for the *sole purpose* of installing the update.

  6. Uh oh by fr0dicus · · Score: 2, Interesting

    My girlfriend's iBook G4 (about two weeks old!) kernel panic'd in the Optimization stage of the update... had to power button it, and now the spinning boot logo displays forever... archive reinstall time?

  7. Re:Hmm... by Anonymous Coward · · Score: 1, Interesting

    Reliable? No way man, haven't you read how blaster and sasser etc work? Half the time they go infect other computers, half the time they just crash and reboot the machine.

  8. Re:bad updates by lullabud · · Score: 2, Interesting

    I've run security updates on dozens of Macs over the last two years and have yet to see one break anything. This isn't like Microsoft Windows, y'know

    contrarily, i've been using mac's for just over a year now and i've had one update install an ethernet driver that didn't work, and another update kernel panic my system into an unbootable state. however, i have to say that fixing these problems was way easier than anything i've seen in all the years i've been working on windows boxen.

  9. Detail?? by -tji · · Score: 2, Interesting

    Is there any more thorough source of information on the nature of the changes in the security update?

    For example, what IPSec changes were made?