Stephen Withers
Wednesday, 02 May 2007 05:34
Apple has moved quickly to fix the QuickTime for Java vulnerability that earned its discoverer, Dino Dai Zovi, a $10,000 purse in a competition at the recent CanSecWest security conference.
QuickTime 7.1.6 for Mac OS X and Windows closes the vulnerability, which allowed reads and writes outside the bounds of an allocated heap buffer. Because of this flaw, a maliciously crafted Java applet could trigger the execution of arbitrary code.
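To make the flaw class concrete, here is an added C example (not Apple's QuickTime code, and not Dai Zovi's exploit). It models a heap buffer of samples whose index arrives from untrusted input, the way applet-supplied parameters reach native code; one setter trusts the index and one checks it. All names (sample_buf, set_sample_checked, count_rejected) and the probe indices are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed example: a fixed-size heap buffer of samples. */
#define SAMPLE_COUNT 16

typedef struct {
    uint32_t *samples;   /* heap allocation of SAMPLE_COUNT elements */
    size_t    count;
} sample_buf;

sample_buf *sample_buf_new(void) {
    sample_buf *b = malloc(sizeof *b);
    if (!b) return NULL;
    b->samples = calloc(SAMPLE_COUNT, sizeof *b->samples);
    if (!b->samples) { free(b); return NULL; }
    b->count = SAMPLE_COUNT;
    return b;
}

void sample_buf_free(sample_buf *b) {
    if (!b) return;
    free(b->samples);
    free(b);
}

/* Flawed pattern: the index is trusted, so idx >= count writes past the
 * heap allocation (the matching getter would read past it). This is the
 * class of defect the article describes; nothing here calls it. */
void set_sample_unchecked(sample_buf *b, size_t idx, uint32_t v) {
    b->samples[idx] = v;
}

/* Hardened form: refuse any index outside the allocation. */
int set_sample_checked(sample_buf *b, size_t idx, uint32_t v) {
    if (b == NULL || idx >= b->count) return 0;
    b->samples[idx] = v;
    return 1;
}

int get_sample_checked(const sample_buf *b, size_t idx, uint32_t *out) {
    if (b == NULL || out == NULL || idx >= b->count) return 0;
    *out = b->samples[idx];
    return 1;
}

/* Feed a constructed list of indices (some out of range, including the
 * wrapped value (size_t)-1) to the checked setter; returns how many
 * were rejected. Expected: 3 of the 5 probes are refused. */
int count_rejected(void) {
    size_t probes[] = { 0, 15, 16, 1000, (size_t)-1 };
    int rejected = 0;
    sample_buf *b = sample_buf_new();
    if (!b) return -1;
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        if (!set_sample_checked(b, probes[i], 0x41414141u)) rejected++;
    }
    sample_buf_free(b);
    return rejected;
}

/* In-range writes still round-trip; the first out-of-range read is refused. */
int roundtrip_ok(void) {
    uint32_t v = 0;
    int ok;
    sample_buf *b = sample_buf_new();
    if (!b) return 0;
    ok = set_sample_checked(b, 3, 7u)
      && get_sample_checked(b, 3, &v) && v == 7u
      && !get_sample_checked(b, SAMPLE_COUNT, &v);
    sample_buf_free(b);
    return ok;
}

int main(void) {
    printf("rejected out-of-range accesses: %d\n", count_rejected());
    printf("round trip ok: %d\n", roundtrip_ok());
    return 0;
}
```

The check `idx >= b->count` is the whole fix: it rejects indices past the end and, because the index is unsigned, also the wrapped "negative" values that a signed comparison would let through.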
The speedy release of the patch - just a week and a half after the flaw was demonstrated - underlines its seriousness. A successful exploit meant an attacker could gain control of a computer simply by luring its user to a malicious web page. No other action was required of the user, and there was no outward sign that the attack was taking place. Thus the vulnerability has been likened to the ANI flaw in Windows, which led Microsoft to release a patch outside its normal monthly release cycle.
Other changes in version 7.1.6 include support for Final Cut Studio 2 and timecode and closed captioning display in QuickTime Player.
The Windows version also includes "numerous bug fixes" according to Apple officials.
Mac users may download the update from Apple's web site or via Software Update; Windows users can download it from Apple's web site or via the Apple Software Update utility installed as part of the 'iTunes + QuickTime' package.