Apple patches 11 QuickTime flaws

Summary: Apple pushed out the latest version of QuickTime and patched 11 vulnerabilities in its third security update of 2008. Late Wednesday, Apple pushed the update, which covers QuickTime on all platforms.

Late Wednesday, Apple pushed the update, which covers QuickTime on all platforms. Unless noted otherwise, the following flaws affect QuickTime on Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista and Windows XP SP2. Among the key patches:

CVE-2008-1013 fixes a flaw in which untrusted Java applets can gain elevated privileges. Apple says:

An implementation issue in QuickTime for Java allows untrusted Java applets to deserialize objects provided by QTJava. Visiting a web page containing a maliciously crafted Java applet could allow the disclosure of sensitive information, or arbitrary code execution with the privileges of the current user. This update addresses the issue by disabling the ability of untrusted Java applets to deserialize QTJava objects.

CVE-2008-1014 addresses an information disclosure issue triggered by opening a crafted movie. Apple says:

Specially crafted QuickTime movies can automatically open external URLs, which may lead to information disclosure. This update addresses the issue through improved handling of external URLs embedded in movie files.

CVE-2008-1015 addresses another movie file issue. A maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution, says Apple, adding "an issue in QuickTime's handling of data reference atoms may result in a buffer overflow."
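The data reference atom issue is described only as "may result in a buffer overflow," and Apple publishes no further detail. The following is an added, generic illustration of that bug class in a QuickTime-style atom parser; it is not Apple's code and does not reproduce the actual CVE-2008-1015 defect. A QuickTime atom starts with a 32-bit big-endian size (which counts the 8-byte header itself) followed by a 4-byte type. The unchecked function trusts the declared size when deciding how much to copy into a fixed destination; the checked function validates it against the header length, the bytes actually present, and the destination before copying. The three sample atoms are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ATOM_HDR 8u   /* 4-byte big-endian size + 4-byte type */
#define DEST_LEN 32u  /* fixed-size destination buffer for the atom payload */

/* Constructed sample atoms (not taken from any real file). */
const uint8_t BENIGN_ATOM[] = {
    0x00, 0x00, 0x00, 0x14, 'd', 'r', 'e', 'f',        /* size 20, type "dref" */
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12              /* 12-byte payload */
};
const uint8_t OVERSIZED_ATOM[] = {
    0x7F, 0xFF, 0xFF, 0xFF, 'd', 'r', 'e', 'f',        /* claims ~2 GiB ... */
    0xAA, 0xBB, 0xCC, 0xDD                             /* ... but only 4 bytes follow */
};
const uint8_t TRUNCATED_ATOM[] = {
    0x00, 0x00, 0x00, 0x04, 'd', 'r', 'e', 'f'         /* size 4: smaller than its own header */
};

/* QuickTime stores atom sizes and types big-endian. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Unchecked pattern: the copy length comes straight from the file.  Instead of
   performing the copy (which would be undefined behaviour on a bad input), this
   returns how many bytes the declared payload would run past the destination. */
size_t unchecked_overrun(const uint8_t *atom, size_t avail, size_t dest_len) {
    if (avail < ATOM_HDR) return 0;
    uint32_t size = be32(atom);
    size_t payload = (size_t)size - ATOM_HDR;  /* wraps to a huge value when size < 8 */
    return payload > dest_len ? payload - dest_len : 0;
}

/* Hardened pattern: validate the declared size before any memcpy.
   Returns the payload length copied into dest, or -1 if the atom is rejected. */
int checked_copy(const uint8_t *atom, size_t avail,
                 char type_out[5], uint8_t *dest, size_t dest_len) {
    if (avail < ATOM_HDR) return -1;                 /* not even a full header */
    uint32_t size = be32(atom);
    if (size < ATOM_HDR) return -1;                  /* size 0 ("to end of file") and 1
                                                        ("64-bit size follows") are real
                                                        encodings; this example rejects them */
    if (size > avail) return -1;                     /* claims more bytes than the stream holds */
    size_t payload = size - ATOM_HDR;
    if (payload > dest_len) return -1;               /* would overrun the destination */
    memcpy(type_out, atom + 4, 4);
    type_out[4] = '\0';
    memcpy(dest, atom + ATOM_HDR, payload);
    return (int)payload;
}

int main(void) {
    uint8_t dest[DEST_LEN];
    char type[5];
    const uint8_t *atoms[] = { BENIGN_ATOM, OVERSIZED_ATOM, TRUNCATED_ATOM };
    size_t lens[] = { sizeof BENIGN_ATOM, sizeof OVERSIZED_ATOM, sizeof TRUNCATED_ATOM };
    for (int i = 0; i < 3; i++) {
        int n = checked_copy(atoms[i], lens[i], type, dest, DEST_LEN);
        size_t over = unchecked_overrun(atoms[i], lens[i], DEST_LEN);
        printf("atom %d: checked_copy=%d unchecked overrun=%zu bytes\n", i, n, over);
    }
    return 0;
}
```

The two size comparisons order matters: checking `size > avail` before subtracting the header prevents the integer wrap that the unchecked version suffers on the truncated atom, and comparing the payload against `dest_len` is the check whose absence turns a crafted size field into a stack or heap overwrite.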

CVE-2008-1016, CVE-2008-1017 and CVE-2008-1018 all address flaws that can lead to arbitrary code execution or unexpected application termination when a user opens a maliciously crafted movie file.

CVE-2008-1019 addresses a flaw in which "a maliciously crafted PICT image file may lead to an unexpected application termination or arbitrary code execution." CVE-2008-1020 and CVE-2008-1023 address PICT image file flaws that affect only Windows Vista and XP SP2.

CVE-2008-1021 fixes another movie file flaw that can lead to unexpected application termination or arbitrary code execution; only Windows Vista and XP SP2 are affected.

CVE-2008-1022 addresses a QuickTime VR movie flaw. "Viewing a maliciously crafted QuickTime VR movie file may lead to an unexpected application termination or arbitrary code execution," says Apple.

About

Larry Dignan is Editor in Chief of ZDNet and SmartPlanet as well as Editorial Director of ZDNet's sister site TechRepublic. He was most recently Executive Editor of News and Blogs at ZDNet. Prior to that he was executive news editor at eWeek and news editor at Baseline. He also served as the East Coast news editor and finance editor at CN...
