Apple Issues 11 QuickTime Patches

Altogether, update 7.4.5 addresses bugs that affect all operating systems including Mac OS X, Windows XP and Vista.

Four of the updates—15 , 16,17, and 18—address serious errors resulting from a memory corruption issue in QuickTime's handling of movie media tracks. Security experts say that the flaw allowed the possibility of a system crash after a user was enticed to view a maliciously crafted movie file. Malicious attackers could then run another application on top of the one that crashed, with the power to completely shut down a system or execute arbitrary code on a users' computer.

All four patches basically address the same vulnerabilities and prevent the same problems, researchers say. "It's the same idea. An attacker can run a user's application without permission," said Jamz Yaneza, research project manager for Trend Micro. "They really want to crash your file and run something else."

Yaneza said that another set of serious patches included 19, 20 and 23, which all repair errors in QuickTime's image files. As with the movie file vulnerabilities, attackers would have the ability to shut down a system or run another application without user consent after viewers opened a malicious picture file.

Sponsored post

Another error, addressed by update 21, remedies a buffer overflow vulnerability within the animation codec, which is used to create and view animation, while update 22 affects a less common graphics application running only on the Windows platform.

While Apple does not specifically rank its vulnerabilities, those that allow remote code execution would compare to those ranked "critical" with other vendors.

"You run the risk of downloading this malformed file, you run the risk of hackers getting into your computer, and making it part of a bot network," said Yaneza.

The latest round of QuickTime patches follow shortly on the heels of numerous updates to the media player that were released in November and December 2007, addressing problems with the player's streaming protocol among other things.

Security experts recommend that users update their machines with the latest patches as soon as possible.