Shhh!!! No Roaring in the Library!


It may lack drama after all the excitement of BlackHat (which is my excuse for not having noticed it earlier), but Apple QuickTime 7.7 fixes a stack-based buffer overflow issue that was flagged officially back in April 2011, as described in the National Vulnerability Database entry CVE-2011-0245.

The problem arises from a bounds checking error in the handling of PICT files. An attacker could use this vulnerability to execute "arbitrary" malicious code or effect some kind of denial of service by exploiting what SANS describes in an @RISK bulletin as a "signedness error." If you can forgive that horrible phrase, you can subscribe to these alerts at of course, they cover a lot more than Mac issues, so subscribers tend to be system administrators and the like.
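What a signedness error in a bounds check looks like in general, as an added example that is not from the original article and is not Apple's code: the 16-bit length field, `BUF_SIZE` and the function names are constructed for illustration, since the actual QuickTime code is not public here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64  /* constructed size for the fixed stack buffer */

/* Flawed bounds check: the declared length is signed, so a negative value
   compares as "small enough" and is accepted. */
int flawed_length_ok(int16_t declared_len) {
    return declared_len <= BUF_SIZE;
}

/* What a copy routine taking size_t sees once that signed value is
   converted: a negative length becomes an enormous unsigned count. */
size_t length_as_copy_size(int16_t declared_len) {
    return (size_t)declared_len;
}

/* Hardened copy: reject negative lengths first, then compare as unsigned
   against both the destination and the bytes actually available. */
int copy_record(uint8_t *dst, size_t dst_size,
                const uint8_t *src, size_t src_len, int16_t declared_len) {
    if (declared_len < 0)
        return -1;
    size_t n = (size_t)declared_len;
    if (n > dst_size || n > src_len)
        return -1;
    memcpy(dst, src, n);
    return (int)n;
}

int main(void) {
    uint8_t record[128] = {0};   /* constructed input bytes */
    uint8_t buf[BUF_SIZE];
    int16_t lens[] = {16, 64, 65, -16};
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("len=%6d flawed_check=%d copy_size=%zu hardened=%d\n",
               lens[i], flawed_length_ok(lens[i]),
               length_as_copy_size(lens[i]),
               copy_record(buf, sizeof buf, record, sizeof record, lens[i]));
    return 0;
}
```

The flawed check is only evaluated, never followed by a copy, so the program is safe to run; compiler warnings such as `-Wsign-conversion` and `-Wsign-compare` help catch this class of mistake during review.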

According to Apple, the issue is addressed in Mac OS X v10.6.8 and doesn't affect OS X v10.7 (Lion) systems.

John R. Quain has flagged a couple of other security issues that Lion addresses. Address Space Layout Randomization (ASLR) is designed to hamper the activities of malware by randomizing the location of system and application software in memory space. In fact, it was suggested that implementation of ASLR in Windows Vista would effectively render AV software obsolete: clearly, that was extraordinarily optimistic... Apple introduced a limited implementation in Leopard (it covered libraries, but not stack, heap or code randomisation) and extended it to 64-bit applications in Snow Leopard. Lion extends it further to 32-bit apps and the heap. It also includes an enhanced version of FileVault which now offers whole-disk encryption, not just encryption of directories.
