Security Updates, Notices for Mac OS X
Myrrh writes "eEye reports they discovered a heap overflow in QuickTime 6.5, which 'allows a remote attacker to reliably overwrite heap memory with user-controlled data and execute arbitrary code.' Now's a swell time to visit Apple and download the updates for both programs." Also, Apple today released Security Update 2004-05-03, which includes updates for AFP Server, CoreFoundation, and IPSec, and is, like the QuickTime 6.5.1 update, available via Software Update.
Mod this a -1 STUPID but who finds most of these security flaws?
No matter if it's OS X, Windows, or Linux, there are always these security fixes popping up. I assume there is a QA team that is working on this stuff but unless there is a vulnerability that manifests itself in the form of a virus or hacked system, who finds these things and why were they looking in the first place?
I only came here to do two things; kick some ass, and drink some beer...looks like we're almost out of beer.
The heap overflow vulnerability mentioned here only applies to the Windows version of the Quicktime player, not the Mac OS version.
Actually, that's a completely seperate vulnerability. The one talked about here is the one discovered by eEye and not the one discovered by iDefense.
This is not suprising, just 1 month ago I mentioned that quicktime was vulnerable to buffer overflows left and right because there is absolutely no input validation done. I was flamed for saying that, but here we have 3 different buffer overflows patched all at once.