Apple Fixes QuickTime Image Flaws QuickTime 7.1.5 Addresses New Security Vulnerabilities David Needle
Apple has released an update to its QuickTime media player software to address security vulnerabilities. The QuickTime 7.1.5 release can be downloaded at Apple's Web site. QuickTime is part of Apple's popular iTunes software.
As reported by the U.S. Computer Readiness Team (CERT), the QuickTime 7.1.5 release resolves a number of vulnerabilities in the way different types of image and media files are handled.
According to CERT, an attacker could exploit these vulnerabilities by convincing a user to access a specially crafted image or media file with a vulnerable version of QuickTime. Since QuickTime configures most Web browsers to handle QuickTime media files, an attacker could exploit these vulnerabilities using a Web page.
In one example a heap buffer overflow existed in QuickTime's handling of MIDI files. By enticing a user to open a malicious MIDI file, an attacker can trigger the overflow, which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of MIDI files.
In another case, viewing a maliciously crafted 3GP file may lead to an application crash or arbitrary code execution. The problem was identified as
an integer overflow that existed in QuickTime's handling of 3GP video files.
By enticing a user to open a malicious movie, an attacker can trigger the overflow, which Apple said may lead to an application crash or arbitrary
code execution. The 7.1.5 update addresses the issue, Apple said, by performing additional validation of 3GP video files. This issue does not affect Mac OS X.
Like Microsoft and other software companies, Apple regularly releases patches and
security fixes to its software.
