Apple slaps more bandaids on QuickTime

Summary: Apple has shipped a new QuickTime version to plug at least three more security vulnerabilities that put Mac OS X and Windows users at risk of code execution attacks.


The QuickTime 7.3.1 update addresses the QuickTime RTSP (Real Time Streaming Protocol) Content-Type header flaw that was first released on security mailing lists on November 26. Exploit code for this vulnerability -- which dings Mac and Windows machines -- is publicly available.

From Apple's advisory:

A buffer overflow exists in QuickTime's handling of Real Time Streaming Protocol (RTSP) headers. By enticing a user to view a maliciously crafted RTSP movie, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by ensuring that the destination buffer is sized to contain the data.

[ SEE: Latest QuickTime bug leaves XP, Vista vulnerable ]

The latest update also patches a high-risk vulnerability that allows hackers to manipulate QTL files to crash QuickTime or launch malware attacks.

The third issue -- multiple vulnerabilities in QuickTime's Flash media handler -- could also lead to arbitrary code execution. With this update, Apple disables the Flash media handler in QuickTime except for a limited number of existing QuickTime movies that are known to be safe.

Not counting silent (undocumented) fixes, Apple has patched at least 35 security holes in QuickTime this year.

ALSO SEE: Apple QuickTime under siege and QuickTime high on list of most vulnerable Windows apps

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...