Wednesday, July 3, 2013

Apple Security Update 2013-003

--

[Updated 2013-07-04 6:40 pm ET]

Warning: I'm in rant mode. Apple has seriously messed up this update and I'm not pleased.

Apple released Security Update 2013-003 on July 2nd. Sadly, Apple didn't get this update together until July 4th, and problems still remain! Annoying. Apple's documentation download / documentation team is crap. Expect me to pester Apple about this mess. Please join in!

WHAT went wrong?! 

1) On July 2nd, at the Downloads page, Apple provided dead end URLs for three of the update versions on their Downloads page. Idiots. Thankfully the URLs were repaired July 3rd.

2) July 2nd, Apple intermittently provided then pulled the Lion Server version. Idiots. Thankfully, Apple corrected this problem July 3rd.

3) ALL the updates have THE SAME NAME, except when they were for the server version of whatever. NOT ACCEPTABLE. For any professional downloading all the updates for various machines, this is DEADLY STUPID. - - 'Let's see here. The only way to tell these downloads apart is by comparing their sizes with the sizes listed on the Downloads page. Great. Thanks Apple.' Idiots. Apple has NOT fixed this blunder as of yet. If they do, I'll update this post.

4) For over 48 hours, Apple still had NOTHING listed on their 'Apple Security Updates' page regarding Security Update 2013-003. Not - A - Thing. Idiots. - Apple fixed this problem on July 4.

[I've never seen this level of idiocy at Apple, short of the minimum wage worthy tech support at the iTunes Store. And no, Apple's furious work to complete iOS 7 and OS X 10.9 Mavericks is NOT a valid excuse for this garbage. This is seriously messed up and unacceptable, especially from beloved Apple. Something is severely wrong over there. I hate it when anti-Apple FUD comes true. And so on.]

Now that Apple has, over two days late, provided their notes about the update at the Apple Security Updates page, it's redundant to post it here. But I'm going to keep it for those who may find it convenient. Here you go:
APPLE-SA-2013-07-02-1 Security Update 2013-003

Security Update 2013-003 is now available and addresses the following:

QuickTime
Available for:  Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.4
Impact:  Playing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description:  A buffer overflow existed in the handling of Sorenson encoded movie files. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2013-1019 : Tom Gallagher (Microsoft) & Paul Bates (Microsoft) working with HP's Zero Day Initiative

QuickTime
Available for:  Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.4
Impact:  Playing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description:  A buffer overflow existed in the handling of H.264 encoded movie files. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2013-1018 : G. Geshev working with HP's Zero Day Initiative

QuickTime
Available for:  Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.4
Impact:  Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description:  A buffer underflow existed in the handling of 'mvhd' atoms. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2013-1022 : Andrea Micalizzi aka rgod working with HP's Zero Day Initiative

Security Update 2013-003 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

The Software Update utility will present the update that applies to your system configuration.

For OS X Mountain Lion v10.8.4
The download file is named: SecUpd2013-003.dmg
Its SHA-1 digest is: 5452c463819106ec30e9f365031f65f1b6c538c0

For OS X Lion v10.7.5
The download file is named: SecUpd2013-003.dmg
Its SHA-1 digest is: c94eeaee2e329f75830140598c8973b6a8e1b22d

For OS X Lion Server v10.7.5
The download file is named: SecUpdSrvr2013-003.dmg
Its SHA-1 digest is: 849d5d4fd5c5a46f84d3607a84b6957fe4f10a00

For Mac OS X v10.6.8
The download file is named: SecUpd2013-003.dmg
Its SHA-1 digest is: 59f7be08ba2f3e343539c011793f7e31773f9caa

For Mac OS X Server v10.6.8
The download file is named: SecUpdSrvr2013-003.dmg
Its SHA-1 digest is: 7586022106c870e46139016ddc5e667def454430

Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222

This security update is specifically for QuickTime. It is applicable to OS X 10.6.8 through 10.8.4. Historically, QuickTime is Apple's least secure software.

All three security flaws are due to buffer overflow coding errors, the most common cause of modern security holes. Malicious versions of the following file types were able to trigger the buffer overflows:

- Sorenson encoded movies.
- H.264 encoded movies.
- MooV files containing mvhd atoms.

You can read about Movie Atoms here:
http://developer.apple.com/library/mac/#documentation/QuickTime/QTFF/QTFFChap2/qtff2.html

mvhd stands for 'movie header'. If you search for 'mvhd' on the linked page above, you can read about its uses.
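To illustrate the bug class behind all three fixes, here is an added example (my own code, not Apple's, and not the actual QuickTime patch) of a bounds-checked walker over QuickTime atoms in the layout the linked QTFF document describes: a 32-bit big-endian size that counts its own 8-byte header, then a 4-character type. It rejects both an atom whose size field is smaller than its header (the underflow case) and one whose size runs past the data present (the overflow case); the sample movie bytes are constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define QT_HDR 8u  /* every atom starts with a 32-bit size (counting the header) + 4-char type */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Walk the top-level atoms in buf[0..len) and return the time scale from the
 * 'mvhd' atom, -1 as soon as a declared size disagrees with the bytes actually
 * present, or -2 if the file is well formed but carries no mvhd atom. */
int64_t qt_mvhd_timescale(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int64_t timescale = -2;
    while (off < len) {
        if (len - off < QT_HDR) return -1;          /* truncated header */
        size_t size = be32(buf + off);
        if (size == 1) return -1;                   /* 64-bit extended size: not handled here */
        if (size == 0) size = len - off;            /* 0 means "extends to end of file" */
        if (size < QT_HDR) return -1;               /* underflow: size - QT_HDR would wrap */
        if (size > len - off) return -1;            /* overflow: atom runs past the buffer */
        if (memcmp(buf + off + 4, "mvhd", 4) == 0) {
            /* version-0 payload: version(1) flags(3) ctime(4) mtime(4) timescale(4) ... */
            if (size < QT_HDR + 16) return -1;      /* too short for the fields read below */
            timescale = be32(buf + off + QT_HDR + 12);
        }
        off += size;
    }
    return timescale;
}

/* Constructed sample inputs, not real movies. Real files nest mvhd inside a
 * 'moov' container; it is placed at top level here to keep the sample short. */
static const uint8_t GOOD_MOVIE[] = {
    0x00,0x00,0x00,0x08, 'f','t','y','p',           /* empty ftyp atom */
    0x00,0x00,0x00,0x1c, 'm','v','h','d',           /* mvhd atom, 28 bytes in total */
    0x00, 0x00,0x00,0x00, 0,0,0,0, 0,0,0,0,         /* version, flags, ctime, mtime */
    0x00,0x00,0x02,0x58,                            /* timescale = 600 */
    0x00,0x00,0x00,0x00                             /* duration */
};
/* mvhd whose size field (4) is smaller than its own 8-byte header. */
static const uint8_t UNDERFLOW_MOVIE[] = { 0x00,0x00,0x00,0x04, 'm','v','h','d' };
/* mvhd whose size field (0x1000) claims far more bytes than exist. */
static const uint8_t OVERFLOW_MOVIE[] = { 0x00,0x00,0x10,0x00, 'm','v','h','d' };
```

The two rejected inputs are exactly the shapes a parser without these checks would read out of bounds on, one before the atom's payload and one past the end of the file.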

Thank you for sharing and enjoying!

:-Derek

Hey Apple: WAKE UP!
