Apple Fixes 7 Flaws In Mac, Windows QuickTime

The newest version of QuickTime, 7.1.3, patches 7 bugs in how the application checks a variety of file formats, including QuickTime, FLC, and H.264 movies; and FlashPix and SGI images. In each case, a malformed file can trigger a heap, buffer, or integer overflow, or in one case, an exception, that then might let the attacker introduce his own code to the PC or Mac, essentially hijacking the computer.

Although Apple does not rank its security updates, Danish security company Secunia collectively rated the QuickTime fix as "Highly critical," its second-most-dire label.

"In order to exploit this vulnerability, attackers must social engineer victims into visiting a Web site under their control," read an online advisory by iDefense, which was credited with reporting one of the vulnerabilities to Apple. iDefense added that users of both Internet Explorer and Firefox were at risk. "Testing shows that either browser can be used as an attack vector," iDefense's warning went on. "It is also possible to open this type of file directly from within QuickTime or from a playlist that QuickTime has opened."

The last time Apple patched QuickTime was in mid-May, when it fixed a dozen flaws in the player program.

QuickTime 7.1.3 can be downloaded from the Apple Web site for Windows, or the software can be updated by selecting Help|Update Existing Software within the Windows edition.