Apple slaps more bandaids on QuickTime

Apple has shipped a new QuickTime version to plug at least three more security vulnerabilities that put Mac OS X and Windows users at risk of code execution attacks.

Apple ships another batch of QuickTime patches
Apple has shipped a new QuickTime version to plug at least three more security vulnerabilities that put Mac OS X and Windows users at risk of code execution attacks.

The QuickTime 7.3.1 update addresses the QuickTime RTSP (Real Time Streaming Protocol) Content-Type header flaw that was first released on security mailing lists on November 26.    Exploit code for this vulnerability -- which dings Mac and Windows machines -- is publicly available.

From Apple's advisory:

A buffer overflow exists in QuickTime's handling of Real Time Streaming Protocol (RTSP) headers. By enticing a user to view a maliciously crafted RTSP movie, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by ensuring that the destination buffer is sized to contain the data.

[ SEE: Latest QuickTime bug leaves XP, Vista vulnerable ]

The latest update also patches a high-risk vulnerability that allows hackers to manipulate QTL files to crash QuickTime or launch malware attacks.

The third issue --  multiple vulnerabilities in QuickTime's Flash media handler -- could also lead to arbitrary code execution.  With this update, Apple disables the Flash media handler in QuickTime except for a limited number of existing QuickTime movies that are known to be safe.

Not counting silent (undocumented) fixes, Apple has patched at least 35 security holes in QuickTime this year.

ALSO SEE: Apple QuickTime under siege and QuickTime high on list of most vulnerable Windows apps

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.
See All