Apple plugs eight QuickTime holes

Apple on Monday released updates to its QuickTime media player software to repair eight serious security vulnerabilities.

The vulnerabilities expose both Macs and Windows PCs to cyberattack, Apple said in a security alert. In all cases, an attacker could craft a malicious file which, when opened with QuickTime, could give the miscreant full control over a computer running the software, Apple said.

The problems lie in the way QuickTime handles a number of formats. The security updates repair problems in the way the software handles QuickTime, MIDI, 3GP, PICT and QTIF files, according to the Apple alert.

The fixed version of QuickTime is release 7.1.5. Along with the fixes, the latest version also includes some functionality improvements, Apple said. The update is available for download from Apple's Web site or through the Apple update feature, the company said.

Apple regularly issues patches for QuickTime. In January, the Mac maker put out a fix for a zero-day flaw that was released as part of the " Month of the Apple Bugs" project.

Security researchers have increasingly been targeting applications such as QuickTime in recent months. With operating systems becoming more secure, widely used programs such as media players, instant-message tools and antivirus shields have become popular hacker targets, pundits have said.

[dansterpower]

Update Works Fine

Installed this update today on 3 boxes: No problems as of yet.

Works Fine, performance-wise.

Note: If you are a Quicktime Pro user, this upgrade requires a NEW
purchase of Quicktime Pro -- no upgrade is available. This is a
downside of about $30.

Dante

[lkrupp]

Does NOT require new Pro registration.

Pro users already using Quicktime 7 do not have to purchase a
new registration. A new registration is only required if you are
updating from Quicktime 6 or previous version. Apple has
NEVER required new Pro licenses for minor updates of version
releases.

Already using Quicktime Pro 7? No new license required.

Using an earlier version of Quicktime Pro and want to upgrade to
Quicktime Pro 7? New license required as has always been the
case. Nothing new here.

[Tergon]

My 7.1.3 Tells me that "there are no updates available."

Update Existing player did not find Quicktime's 7.1.5 update. I had to reinstall from Apple's Site.

:-(

[catstartk]

Purchase _not_ required.

This is NOT a new pay for version. Unless you are still using 6.x.
You will not need to purchase anything unless this was version 8.x,
purchase is not requires on a point upgrade. Installs just fine over
previous version 7.x.

... peace.

[M C]

Spin it, CNet, spin it - page views are at stake!

It's a minor update of QT, to go along with the update to iTunes. It also includes some incidental fixes.

So how does CNet portray it? "APPLE PLUGS HOLES!"

Geez louise. It's time to grow up.

[Siegfried Schtauffen]

No spin, just facts

Read what Apple say;

http://docs.info.apple.com/article.html?artnum=305149

[raycoast]

Apple Fans quick rally in defense

First of all, I find it funny when anybody puts blind trust in any software or hardware vendor. MS fanboys and Apple fanboys included.
Sorry no "spin" on this one, this is a High Severity Risk.
But a patch is available so no need to run for the hills either.
Truth of it is, if man can build it another man can tear it down. Simple as that.
I must say I am always amazed at how rude and defensive Apple fans can be on the forums.
I dont know how anybody can love either vendor that much. Only thing I can figure is MS and Apple PR employees go on all these boards to bicker back and forth.

[rapier1]

Overflows

Whats interesting is that all of the security holes are exploited
through buffer overflows. Many of these overflows seem to be
related to assumptions that the original programmers made
about the type of data that they expected to see. Of course,
going back and finding all of the buffer issues is a huge problem
in such a large piece of code. However, buffer overruns have
been an issue since day one and properly paranoid coding
practices should have been in place for the past decade if not
longer (I'm not targetting Apple - this is common in the entire
industry because programmers are, for lack of a better term,
lazy (I say this as a programmer)).

[coachgeorge]

U mean the Mac is susceptible?

After all of the marketing hype and propaganda, THE MAC IS SUSCEPTIBLE! Now that Apple has a product that is popular enough, the hackers will go to work on it. QuickTime is only the first step.
I guess the marketing group will have to rethink the advertising strategy.

[Macsaresafer]

Theoretically, yes.

Hackers have been trying since before OS X, and before OS X they
were successful. These patches are designed to keep making it
harder for a hacker to successfully attack the Mac. It's been
working for six years and counting. How's your platform of choice
doing?

[Lenter101]

The Applelites take a bite of reality

Boy, what a bunch of rationalizing pantywaists these Applelites are. MS has been hammered - on this site and in these talk-backs - for years for its security holes and usually with a final pronouncement to ..'buy an Apple', closing the sermons. Well, lo and behold Mr. Jobs, the one with those back dated stock options, has been revealed as not being a god at all but rather an average human being.(Something we MS users have known all along). I loved the guy who said that code is written by humans and therefore will have mistakes in it. I don't ever recall such a rationalization coming from an Applelite concerning MS and its 'human' errors.

What a bunch of phonies you Applelites are. Always nice to see phonies have their balloons popped. Looks like you'll have to find some other product or cause to support your phony superiority.

[dansterpower]

Go jump in a lake

I am so tired of whining windows fanboys.

Go jump in a lake.

[dansterpower]

And you obviously have not investigated the issue

If you truly took time to learn about the word, superiority in
relation to operating system security you would understand
when Apple's Unix Foundation is fundamentally more secure
than the XP and even Vista core.

Sorry, but you again rant without knowledge.

No rationalization involved, just factual basics of how operating
systems work.

And how do Steve jobs' stock option questions relate to security,
exactly? Can you fill me in on that stretch?