Apple flaw count for 2007: 111 and counting

Summary: Apple has slapped another patch on its QuickTime media player to plug two serious security vulnerabilities.



The QuickTime 7.1.6 update, available for both Mac and Windows users, addresses a pair of implementation flaws in QuickTime for Java, the architecture that provides APIs for developers to build multimedia into applications and applets.

The more serious of the two flaws could allow code injection attacks if a user is tricked into browsing to a malicious Web page.

The bug, reported by researchers from IBM ISS X-Force and Secunia, could allow instantiation or manipulation of objects outside the bounds of the allocated heap. "By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker can trigger the issue which may lead to arbitrary code execution," Apple said in an advisory.

The second flaw is a design issue in QuickTime for Java that could allow a Web browser's memory to be read by a Java applet.

"By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker can trigger the issue which may lead to the disclosure of sensitive information," Apple said.

The latest update brings the Apple patch count for 2007 up to 111.


About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
