Apple patches serious QuickTime flaws

Stephen Withers
Friday, 04 April 2008 01:15

Your IT - Home IT

The latest version of QuickTime fixes another 11 vulnerabilities, all but one of which could be exploited to execute arbitrary code.

QuickTime 7.4.5 is available for Mac OS X 10.3, 10.4 and 10.5, plus Windows XP and Vista.

The majority of the flaws - eight of them - involve buffer overflows that can variously be exploited through maliciously crafted PICT, Animation or VR content, and in some cases through movie files regardless of their actual content.

Such vulnerabilities typically arise because programmers assumed the data processed by their software would always be reasonable. For instance, if the specification says a certain element will be no longer than 255 bytes and the code doesn't check the length of that element, it may be possible for an attacker to create a file with an oversized version of that element which is used to introduce arbitrary code into the system.

Other bugs addressed include privilege escalation by untrusted Java applets, mishandling of external URLs in movie files, and memory corruption caused by malformed movie files.

Most of the patches are common to versions for both operating systems, though three are specific to Windows.

The new version of QuickTime can be installed via Software Update (Apple Software Update on Windows) or downloaded from Apple's web site.