Apple released QuickTime 7.5 late on Monday, fixing a handful of security issues, including holes that would have allowed someone to run malicious code on a computer and remotely control it.
One of the issues, which would have allowed a maliciously crafted PICT image file to run code, affected computers running Windows Vista and XP SP2.
Four other issues affected Vista and XP SP2, as well as Mac OS X 10.3.9, Mac OS X 10.4.9 through 10.4.11, and Mac OS X 10.5 or later. QuickTime 7.5 fixes a memory corruption issue in the software's handling of AAC-encoded media content; a heap buffer overflow related to PICT images; a stack buffer overflow related to the handling of Indeo video codec content; and a URL issue that was addressed by revealing files in Finder or Windows Explorer rather than launching them.
More information can be found on the Apple Web site.
Credit for reporting the different security issues was given to Dyon Balding of Secunia Research; Dave Soldera of NGS Software and Jens Alfke; Liam O Murchu of Symantec; an anonymous researcher working with TippingPoint's Zero Day Initiative; and Vinoo Thomas and Rahul Mohandas of McAfee Avert Labs, along with Petko D. Petkov of Gnucitizen working with TippingPoint's Zero Day Initiative.
Two months ago, Apple released QuickTime 7.4.5, which addressed a number of "highly critical" security flaws in the media player.
Apple has released a QuickTime security update to address "highly critical" security flaws in its media player that could allow malicious attackers to take control of a user's system.
The security flaws affect QuickTime 7 versions running on the Mac OS X and Windows. Users are advised to update to QuickTime 7.4.5, according to an Apple advisory issued Wednesday.
Apple issued 11 security updates designed to prevent malicious attackers from disclosing users' sensitive information, executing arbitrary code, or causing an application to suddenly crash.
Users can be hit with such evil dealings when visiting a Web site rigged with malicious Java applets, view a tampered movie file or open a malicious PICT image file, according to the advisory.
Lovely, eh?
For those who want to delve into the nitty-gritty details of the vulnerabilities, check out TippingPoint's Zero Day Initiative, which discovered some of these flaws, as well as security firm Secunia, which lists all 11 updates.
The Apple QuickTime zero-day exploits are also targeting systems running Apple Safari 3.0 on Windows and Firefox, as well as Windows Vista and XP with Internet Explorer 6 and IE7.
SANS also reminded people to undo the workarounds once Apple ships a patch for the flaw. Otherwise, QuickTime streams will not play on the system.
Security researchers are warning that exploit code has been published that can take advantage of an extremely critical security flaw in a protocol supported by Apple QuickTime.
Apple QuickTime versions 7.2 and 7.3 on Microsoft Windows Vista and Windows XP Pro SP2 are both affected, according to an advisory originally posted on Milw0rm.com.
And because Apple's iTunes contains a component of QuickTime, installations of iTunes are also at risk, according to a security advisory by the United States Computer Emergency Readiness Team (US-CERT).
The security flaw is in the Real Time Streaming Protocol (RTSP) support shared by Apple's QuickTime Streaming Server and the QuickTime player, US-CERT notes. As a result, users who load a malicious RTSP stream, whether via a QuickTime Media Link file or by visiting a malicious Web page that embeds one, may find their systems compromised. Attackers could, for example, execute arbitrary code on users' systems or cause a denial of service.
Earlier this month, Apple released QuickTime 7.3 to address seven security flaws in QuickTime 7.2. The fixes, however, did not deal with the RTSP vulnerability cited by security researchers over the past three days.
US-CERT is recommending that users consider several workarounds to minimize exposure to the RTSP vulnerability. The workarounds include disabling the QuickTime ActiveX control in Internet Explorer, the QuickTime plug-in in Mozilla-based browsers, JavaScript, and the file associations for QuickTime file types. US-CERT also suggests not opening QuickTime files that come from untrusted sources.
Security firm Secunia has rated the vulnerability "extremely critical."
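The delivery vectors described above, a QuickTime Media Link file or a Web page that embeds the player, both hand QuickTime a URL, and the RTSP scheme is what routes it into the vulnerable streaming client. The following triage helper, added here as an example and not code from the article, Apple or US-CERT, pulls the media URLs out of such a document and flags any RTSP stream that does not point at a host the operator has explicitly trusted. It assumes the QTL format is a small XML document whose embed element carries the URL in a src attribute, that the QuickTime plug-in also honours href and qtsrc attributes in HTML, and the sample documents, host names and addresses are all constructed for the demonstration.

```python
"""Flag QuickTime Media Link (.qtl) files and Web pages that would make
QuickTime open an RTSP stream from an untrusted host.

Added example, not from the article, Apple or US-CERT. Attribute names
(src, href, qtsrc) and the QTL layout are assumptions based on QuickTime's
documented embed parameters; every sample below is constructed.
"""
import re
from urllib.parse import urlparse

# Attribute values QuickTime follows when it opens a media-link file or an
# embedded player. A regex is used rather than an XML/HTML parser on purpose:
# the input is untrusted by definition and we only need attribute values.
_SRC_ATTR = re.compile(r'\b(?:src|href|qtsrc)\s*=\s*["\']([^"\']+)["\']', re.I)

# URL schemes that reach the RTSP client the advisory is about.
STREAMING_SCHEMES = {"rtsp"}


def extract_links(document: str) -> list[str]:
    """Return every src/href/qtsrc value in a QTL or HTML document, in order."""
    return _SRC_ATTR.findall(document)


def classify(document: str, trusted_hosts=frozenset()) -> dict:
    """Classify one document.

    Returns the RTSP links found, the subset whose host is not in
    trusted_hosts, and a verdict: 'allow' (no RTSP link), 'review' (RTSP links
    only to trusted hosts) or 'block' (RTSP link to an untrusted host).
    """
    rtsp, untrusted = [], []
    for link in extract_links(document):
        parts = urlparse(link)          # scheme is lower-cased by urlparse
        if parts.scheme in STREAMING_SCHEMES:
            rtsp.append(link)
            if parts.hostname not in trusted_hosts:
                untrusted.append(link)
    if untrusted:
        verdict = "block"
    elif rtsp:
        verdict = "review"
    else:
        verdict = "allow"
    return {"rtsp": rtsp, "untrusted_rtsp": untrusted, "verdict": verdict}


# Constructed samples (not taken from any advisory or real site).
SAMPLE_QTL = '''<?xml version="1.0"?>
<?quicktime type="application/x-quicktime-media-link"?>
<embed src="rtsp://stream.example.net/live.sdp" autoplay="true" />'''

# A page that shows a harmless poster file but overrides it with an RTSP
# stream through qtsrc, the kind of "malicious Web page" vector described.
SAMPLE_HTML = '''<html><body>
<embed src="poster.mov" qtsrc="rtsp://203.0.113.7/payload.mov"
       type="video/quicktime" width="1" height="1" autoplay="true">
</body></html>'''

SAMPLE_CLEAN = '''<embed src="http://www.example.com/trailer.mov" />'''


if __name__ == "__main__":
    trusted = frozenset({"stream.example.net"})   # assumed corporate allowlist
    for name, doc in (("qtl", SAMPLE_QTL), ("html", SAMPLE_HTML), ("clean", SAMPLE_CLEAN)):
        print(name, classify(doc, trusted))
```

The allowlist is the practical counterpart to US-CERT's "avoid untrusted sources" advice: rather than blocking RTSP outright, which is what breaks streaming once the workarounds are in place, a mail or proxy filter can let known streaming hosts through for review and drop everything else until the patch is deployed.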