Friday

It's all about the plugins

Well, as a security-aware Internet user, you patch your systems, right? You even upgrade your browser from time to time? Very good! But don't forget about plugins like Flash and QuickTime, especially QuickTime for Apple, because a vulnerability was found in it some while ago. Matasano explains what the problem is:

  • If you have the QuickTime for Java extensions installed (in other words, if you have QuickTime installed),

  • then a Java applet will be allowed to construct and play with QuickTime objects, which are backed with unprotected C code,

  • and specifically, some of those objects wrap pointers to memory tracked by a dynamic C library,

  • and unfortunately those objects are not careful enough with the values passed to them by Java code,

  • so Java applets can overwrite arbitrary process memory directly,

  • which they should never be able to do, because keeping Java applet code from touching memory directly is the whole point of the applet sandbox.

For more details, check the blog. And to finish it off, several Adobe products, including Photoshop, contain a buffer overflow. So keep your system up to date. It's becoming a real hassle.
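The bug class in the bullets above (a wrapper object that trusts the offset and length handed to it by sandboxed code) can be modelled in a few lines of C. This is an added illustration, not QuickTime's or Matasano's code; the arena, `handle_t` and both setter functions are hypothetical names, and the arena is a constructed stand-in for native process memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: one arena stands in for the process's native memory. */
#define ARENA_SIZE 64
static uint8_t arena[ARENA_SIZE];

/* Hypothetical handle: start and length of the buffer a wrapper object owns. */
typedef struct { size_t base; size_t size; } handle_t;

/* Flawed setter: offset and length come from the caller and are trusted. */
int set_bytes_unchecked(const handle_t *h, size_t off, const uint8_t *src, size_t len)
{
    /* This guard only keeps the model inside its own arena. */
    if (off > ARENA_SIZE - h->base || len > ARENA_SIZE - h->base - off) return -1;
    memcpy(&arena[h->base + off], src, len);
    return 0;
}

/* Hardened setter: validate against the handle's own size before copying. */
int set_bytes_checked(const handle_t *h, size_t off, const uint8_t *src, size_t len)
{
    /* Compare against the remaining space, because off + len could wrap. */
    if (off > h->size || len > h->size - off) return -1;
    memcpy(&arena[h->base + off], src, len);
    return 0;
}

/* Returns 1 if a write through the handle altered the neighbouring data. */
int neighbour_corrupted(int use_checked)
{
    handle_t pixels = { 0, 16 };
    uint8_t payload[8], before[16];
    memset(arena, 0, sizeof arena);
    memset(&arena[16], 0xAA, 16);   /* unrelated data right after the buffer */
    memcpy(before, &arena[16], 16);
    memset(payload, 0x41, sizeof payload);
    /* Offset 12 plus length 8 runs 4 bytes past the 16-byte buffer. */
    if (use_checked) set_bytes_checked(&pixels, 12, payload, 8);
    else             set_bytes_unchecked(&pixels, 12, payload, 8);
    return memcmp(before, &arena[16], 16) != 0;
}

int main(void)
{
    printf("unchecked: %d, checked: %d\n", neighbour_corrupted(0), neighbour_corrupted(1));
    return 0;
}
```

The checked setter rejects the write because it tests the caller's values against the handle's own size, which is the validation the bullets say the wrapped objects lacked.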
