Apple Repairs Five QuickTime Flaws

The patches, which are included in Apple's updated QuickTime 7.5, affect the previous version 7.4.5, which was released in April.

Four of the five repairs affect numerous versions of Mac OS X and Windows, while one patch affects only Windows Vista and XP SP2.

Two of the updates fix heap buffer overflow errors resulting from QuickTime's mishandling of PICT image files. Both vulnerabilities could be exploited if a user was enticed to open a maliciously crafted PICT image, which would allow an attacker to take complete control of the user's computer or shut it down entirely.

Another update fixed a memory corruption issue in QuickTime's handling of AAC-encoded media content, which could be exploited if a user were to open a malicious media file. Once the flaw is exploited, the attacker could execute arbitrary malicious code or cause the application to terminate unexpectedly.

One patch, affecting both Windows and Mac, addressed an issue in QuickTime's handling of file: URLs. To exploit the vulnerability, remote attackers could launch malicious code after a user played malicious content in QuickTime Player, which could be hosted on a malicious Website.

To plug the hole, the file: URL update displays files in Finder or Windows Explorer rather than launching them, Apple said in its security posting.

In addition, the final patch repaired a stack buffer overflow in QuickTime's handling of Indeo video codec content. A user could be the victim of a remote code attack by viewing a malicious movie file with Indeo video codec content. The update addresses the issue by simply not rendering the video codec content.

While Apple doesn't have a system to rate the severity of its security flaws, those allowing remote code execution are often considered "critical" when rated by other software companies.

Security experts recommend that users running the affected applications update their computers to QuickTime 7.5 as soon as possible. Mac users will be automatically updated by their computer's built-in Software Update feature. Windows users can download the QuickTime updates from the Apple Website.