More media flaws patched by QuickTime 7.5

Stephen Withers
Wednesday, 11 June 2008 10:21

Opinion and Analysis

Malformed media files continue to be a popular way of subverting software. Apple's QuickTime 7.5 fixes another five vulnerabilities uncovered by researchers.

Available for Mac OS X and Windows XP and Vista, QuickTime 7.5 addresses two heap buffer overflows in the handling of malformed PICT files, a memory corruption issue associated with malformed AAC files, and a stack buffer overflow triggered by malformed Indeo video files.

All four are said to be exploitable to cause unexpected application termination or arbitrary code execution. Interestingly, the fix for the Indeo issue is that QuickTime 7.5 simply does not attempt to render Indeo content. That's not as drastic as it seems, since to the best of my knowledge QuickTime on Mac OS X has never supported Indeo.

The fifth vulnerability allowed QuickTime files to open arbitrary applications or documents by specifying a file: URL. QuickTime 7.5 changes this behaviour to merely showing the specified file in the Finder or Windows Explorer. According to Apple officials, QuickTime 7.5 also improves compatibility with certain unspecified applications.

Separate versions of QuickTime 7.5 are available for Mac OS X 10.5 Leopard, 10.4 Tiger, 10.3 Panther, and Windows XP and Vista. Download sizes range from 23 to 56M. They can be downloaded from Apple's web site, or via Software Update (Mac) or Apple Software Update (Windows).