Apple Patches 15 Security Flaws In QuickTime Media Player
The latest version, QuickTime 7.6.9, is available for Mac OS X and an array of Windows platforms, including Windows 7, Vista and XP.
Overall, Apple labeled the entire QuickTime update with the highest severity ranking of "highly critical," indicating that the majority of vulnerabilities could lead to remote code execution attacks. Of the vulnerabilities Apple patched in its QuickTime application, the most critical could leave users susceptible to attacks designed to shut down or completely take control of their machines.
Included in the array of fixes were two patches repairing a heap buffer overflow glitch and an uninitialized memory access issue in the way QuickTime handled JP2 images. The vulnerabilities allowed hackers to launch denial of service attacks or download malware onto users' systems by enticing them to view malicious JP2 images.
In addition, the Cupertino-based company plugged at least six separate vulnerabilities that could lead to remote code execution or application termination if users opened various maliciously crafted MPEG and Sorenson encoded movie files. Altogether, the movie file updates addressed a signedness issue, memory corruption errors, and integer and buffer overflow vulnerabilities. Hackers could then trick users into installing malware onto their systems by getting them to view a malware-infused movie file, typically through some kind of social engineering scheme.
Meanwhile, the comprehensive update also addressed two security issues that could enable hackers to launch malware attacks by exploiting uninitialized memory access or memory corruption issues in FlashPix image files.
Apple also fixed a flaw that allowed cyber criminals to create a malicious AVI file used in remote code execution attacks. As with other vulnerabilities, hackers would then execute the attacks by convincing the victims to open a malicious AVI file.
The patch also addressed critical vulnerabilities occurring in PICT files, QTVR movie files, GIF images and Track Header atoms, while repairing a permissions issue in QuickTime that allowed hackers to access the contents of the Apple Computer directory in the victim's profile, leading to unintended information exposure.
Security experts recommend that QuickTime users install the update as soon as possible in order to reduce the risk of future attacks exploiting the vulnerabilities.
Apple's newest QuickTime 7.6.9 can be obtained with Apple's Software Update application or directly from the QuickTime Downloads site.