X
Tech
Home Tech Services & Software Open Source

Apple nukes QuickTime for Java, plugs more code execution holes

Less that a week after its QuickTime media player made the top-ten list of most vulnerable Windows applications, Apple shipped QuickTime 7.3 to patch a total of seven vulnerabilities that could lead to code execution attacks.
Written by Ryan Naraine, Contributor
Apple nukes QuickTime for Java, plugs 7 more vulnerabilities
Less than a week after its QuickTime media player made the top-ten list of most vulnerable Windows applications, Apple shipped QuickTime 7.3 to patch a total of at least seven vulnerabilities that could lead to code execution attacks.

The update, available for both Mac and Windows (XP and Vista) users, also includes the removal of QuickTime for Java, a move that significantly reduces the attack surface on the company's flagship digital media player.

Apple also shipped a new version of iTunes but there is no security content associated with that release.

According to an advisory from Cupertino, QuickTime 7.3 provides fixes for seven potentially serious flaws that could open up Mac and Windows machines to denial-of-service, privilege escalation or drive-by malware attacks.

[ SEE: Yahoo Messenger, QuickTime top list of most vulnerable Windows apps ]

The skinny on the flaws/fixes:

CVE-2007-2395: A memory corruption issue exists in QuickTime's handling of image description atoms. By enticing a user to open a maliciously crafted movie file, an attacker may cause an unexpected application termination or arbitrary code execution.

CVE-2007-3750: A heap buffer overflow exists in QuickTime Player's handling of Sample Table Sample Descriptor (STSD) atoms. By enticing a user to open a maliciously crafted movie file, an attacker may cause an unexpected application termination or arbitrary code execution.

CVE-2007-3751: Multiple vulnerabilities exist in QuickTime for Java, which may allow untrusted Java applets to obtain elevated privileges. By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker may cause the disclosure of sensitive information and arbitrary code execution with elevated privileges. This update addresses the issues by making QuickTime for Java no longer accessible to untrusted Java applets.

CVE-2007-4672: A stack buffer overflow exists in PICT image processing. By enticing a user to open a maliciously crafted image, an attacker may cause an unexpected application termination or arbitrary code execution.

CVE-2007-4676: A heap buffer overflow exists in PICT image processing. By enticing a user to open a maliciously crafted image, an attacker may cause an unexpected application termination or arbitrary code execution.

CVE-2007-4675: A heap buffer overflow exists in QuickTime's handling of panorama sample atoms in QTVR (QuickTime Virtual Reality) movie files. By enticing a user to view a maliciously crafted QTVR file, an attacker may cause an unexpected application termination or arbitrary code execution.

CVE-2007-4677: A heap buffer overflow exists in the parsing of the color table atom when opening a movie file. By enticing a user to open a maliciously crafted movie file, an attacker may cause an unexpected application termination or arbitrary code execution.

Editorial standards
Show Comments

Related

Anker Solix X1

Not into the Tesla Powerwall? You can now buy the Anker Solix X1

windows-11-laptop

Microsoft is now showing ads in Windows 11's Start menu. Here's how to block them

Placeholder product image alt text

The best AI image generators to try right now