QuickTime 7.6: security patches and more

Stephen Withers
Thursday, 22 January 2009 05:14

IT Industry - Development

The latest version of QuickTime for Mac OS X and Windows delivers a smattering of improvements, but many users will choose to install it just for the security fixes it provides.

In its usual terse way, Apple's announcement states only that "QuickTime 7.6 includes changes that increase reliability, improve compatibility and enhance security."

New versions are offered for Mac OS X 10.4 Tiger, 10.5 Leopard, and Windows.

Some additional information has been provided in a separate knowledgebase article.

"Reliability" refers to improvements in the playback of Motion JPEG media and the export of audio tracks from MPEG video files.

"Compatibility" refers to changes that affect iChat and Photo Booth.

And there are also a couple of quality improvements. Single-pass H.264 encoding quality and AAC encoding fidelity are both said to have been improved.

On the security side, QuickTime 7.6 fixes seven issues, all of which affect the Tiger, Leopard and Windows versions.

In each case, a successful exploit could cause either the application to quit unexpectedly (a denial of service attack) or arbitrary code execution.

The various flaws can be exploited through maliciously crafted RTSP URLs; movie files containing JPEG atoms; QTVR, AVI, H.263 or Cinepak movies; or MPEG-2 video files with MP3 audio.

Apple also released an update to the QuickTime MPEG-2 Playback Component for Windows that improves input validation to prevent maliciously crafted movies causing arbitrary code execution or crashing application. Mac OS X is not affected by this issue, according to Apple.

The updates can be obtained by via Software Update (Apple Software Update on Windows) or from Apple Support Downloads.