Apple fixes flaws in open-source Darwin server
Apple Thursday updated Darwin Streaming Server, an open-source version of the company’s QuickTime for-pay streaming server software, to patch a pair of critical vulnerabilities.
Darwin Streaming Server 5.5.5 fixes two overflow bugs that, if exploited, allow attackers to inject their own code into the machine. Danish vulnerability tracker Secunia rated the threat as “highly critical” yesterday, its second-highest ranking. VeriSign’s iDefense, which was credited by Apple with reporting the flaws, obtained the information about the vulnerabilities through its bounty-for-bugs Vulnerability Contributor Program.
“Remote exploitation of multiple buffer overflow vulnerabilities in Darwin Streaming Proxy allows attackers to execute arbitrary code with the privileges of running service, usually root,” warned the iDefense advisory.
The open-source server software streams QuickTime-formatted data to users and is aimed at Windows and Linux shops — which may not want to deploy Apple’s Mac OS X Server and its included QuickTime Streaming Server — and developers who want to modify the code to suit specific needs.