[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
NGS00015 Patch Notification: ImageIO Memory Corruption
- To: "bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>
- Subject: NGS00015 Patch Notification: ImageIO Memory Corruption
- From: "Research@NGSSecure" <research@xxxxxxxxxxxxx>
- Date: Mon, 22 Nov 2010 19:18:20 +0000
ImageIO Memory Corruption - CVE-2010-1845
22/11/2010
Dominic Chell of NGS Secure has discovered a high risk memory corruption
vulnerability affecting the ImageIO rendering framework. Viewing a maliciously
crafted PSD image may lead to an unexpected application termination or
arbitrary code execution. This issue can be remotely (client-side) exploited
through any application using the framework including Mail, Safari and
QuickLook.
Versions affected include:
Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.4, Mac
OS X Server v10.6 through v10.6.4
Apple has released a patch that addresses these issues. The announcement of
this patch can be found here:
http://support.apple.com/kb/HT1222
Patches can be downloaded from the following links.
Apple security updates are available via the Software Update mechanism:
http://support.apple.com/kb/HT1338
Apple security updates are also available for manual download via:
http://www.apple.com/support/downloads/
NGS Secure are going to withhold details about these flaws for three months.
Full details will be published on 22/02/2011. This three month window will
allow Apple customers the time needed to test and apply the patch set before
the details are released to the general public. This reflects NGS Secure's
approach to responsible disclosure.
NGS Secure Research
http://www.ngssecure.com/