
Apple Releases 11 QuickTime Patches

By Stefanie Hoffman, CRN
April 03, 2008    5:06 PM ET

Apple has once again debugged QuickTime Player. The patch for its popular media player fixes a total of 11 vulnerabilities that range from denial of service attacks to elevated privileges and remote code execution.

Altogether, update 7.4.5 addresses bugs that affect all operating systems including Mac OS X, Windows XP and Vista.

Four of the updates -- 15, 16, 17, and 18 -- address serious errors resulting from a memory corruption issue in QuickTime's handling of movie media tracks. Security experts say that the flaw allowed the possibility of a system crash after a user was enticed to view a maliciously crafted movie file. Malicious attackers could then run another application on top of the one that crashed, with the power to completely shut down a system or execute arbitrary code on a user's computer.

All four patches basically address the same vulnerabilities and prevent the same problems, researchers say. "It's the same idea. An attacker can run a user's application without permission," said Jamz Yaneza, research project manager for Trend Micro. "They really want to crash your file and run something else."

Yaneza said that another set of serious patches included 19, 20 and 23, which all repair errors in QuickTime's image files. As with the movie file vulnerabilities, attackers would have the ability to shut down a system or run another application without user consent after viewers opened a malicious picture file.

Update 21 remedies a buffer overflow vulnerability within the animation codec, which is used to create and view animation, while update 22 affects a less common graphics application running only on the Windows platform.

While Apple does not specifically rank its vulnerabilities, those that allow remote code execution would compare to those ranked "critical" with other vendors.

"You run the risk of downloading this malformed file, you run the risk of hackers getting into your computer, and making it part of a bot network," said Yaneza.

The latest round of QuickTime patches follows closely on the heels of numerous updates to the media player that were released in November and December 2007, addressing problems with the player's streaming protocol among other things.

Security experts recommend that users update their machines with the latest patches as soon as possible.

