Apple patches 11 QuickTime flaws

Summary: Apple pushed out the latest version of QuickTime and patched 11 vulnerabilities in its third security update of 2008. Late Wednesday, Apple pushed the update, which covers QuickTime on all platforms.


Apple pushed out the latest version of QuickTime and patched 11 vulnerabilities in its third security update of 2008.

Late Wednesday, Apple pushed the update, which covers QuickTime on all platforms. Unless noted otherwise, the following flaws affect QuickTime on Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista and Windows XP SP2. Among the key patches:

CVE-2008-1013 fixes a flaw where Java applets allow for elevated privileges. Apple says:

An implementation issue in QuickTime for Java allows untrusted Java applets to deserialize objects provided by QTJava. Visiting a web page containing a maliciously crafted Java applet could allow the disclosure of sensitive information, or arbitrary code execution with the privileges of the current user. This update addresses the issue by disabling the ability of untrusted Java applets to deserialize QTJava objects.

CVE-2008-1014 addresses an information disclosure issue that occurs when a user downloads a movie. Apple says:

Specially crafted QuickTime movies can automatically open external URLs, which may lead to information disclosure. This update addresses the issue through improved handling of external URLs embedded in movie files.

CVE-2008-1015 addresses another movie file issue. A maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution, says Apple, adding "an issue in QuickTime's handling of data reference atoms may result in a buffer overflow."

CVE-2008-1016, CVE-2008-1017 and CVE-2008-1018 all address flaws that can lead to arbitrary code execution or unexpected application termination for users who open maliciously crafted movie files.

CVE-2008-1019 addresses "a maliciously crafted PICT image file (that) may lead to an unexpected application termination or arbitrary code execution." CVE-2008-1020 and CVE-2008-1023 address a PICT image file flaw affecting only Vista and XP SP2.

CVE-2008-1021 fixes another movie file flaw that can terminate an application or lead to a code execution vulnerability. Platforms affected are Vista and XP SP2.

CVE-2008-1022 addresses a QuickTime VR movie flaw. "Viewing a maliciously crafted QuickTime VR movie file may lead to an unexpected application termination or arbitrary code execution," says Apple.

  • Great, means they'll beg me to download iTunes again...

    I only have QuickTime installed. Every time QuickTime is patched, Apple Software Update (ASU) begs me to download the iTunes+QuickTime bundle, even though the first time iTunes was offered I said ignore it (via the menu), and I say ignore it with each subsequent offering. It's getting maddening.

    Also, yesterday ASU tried to push Safari 3.1 on me once again, even though I ignored that "update" the first time it showed up. Someone teach these people how to program!
    • I'm taking Quicktime off

      I only use it for a few movie trailers and while good quality, its streaming leaves much to be desired.

      Like you I am sick of Apple trying to make me use iTunes and Safari even though I keep unchecking them.

      Make your Windows PC more secure and dump Quicktime.
      • Yeah because...

        WMV has NEVER had a security fix *rolleyes*
        • I Think (Hope?) He Has VLC in Mind as an Alternative

          QuickTime and WMC both have their security and stability issues, Stuka - which is why I use VLC for all my video viewing needs on both Windows and Mac. :)
        • WMV?

          I think you're the only one who has mentioned that software up to this point...

          Your anti-MS rage blinds you to the fact that there are MANY MANY MANY other media players out there.

          Don't be so sour that your favorite one is a piece of shiat.
        • Also

          Something you conveniently chose to ignore is the fact that PB_z and tonymcs also complained about Apple's incessant attempts at shoving iTunes, Qt and Safari down people's throats, even after those people have specifically said they don't want that stupid software.

          That's exactly how smart companies DON'T try to build relationships with customers.

          so go ahead and beeeeeh beeeeeh beeeeeeeeeh
    • You don't need Quicktime

      Try this:
  • Steve says they're not flaws

    Steve says that they're just very clever features that the noobs don't understand because they're... well... noobs. Steve says cool people don't worry about bugs in Apple software. I listen to Steve.
  • RE: Apple patches 11 QuickTime flaws

    an apple patch, oh no... did it remove Real as well or install Safari?
  • RE: Apple patches 11 QuickTime flaws

    Who needs it?????

    QuickTime Alt works just as well without APPLE!
  • RE: Apple patches 11 QuickTime flaws

    Good luck trying to remove Quick time.
  • Here's something better than quicktime
  • Holy Cow.

    Why aren't there more blogs on how poorly written Apple software is?

    Posters and most bloggers on here spend more than their share of time bashing Vista, when after a year there were only around 20 security updates to load when you bought Vista. I had that done in 20 minutes on a high speed cable network. Vista blazes through updates over the network so fast it's unbelievable.

    On the other hand, I never see relentless blogs and posts about how literally awful Apple software is written. It's a joke that any supposedly objective company would have anti-MS blogs almost daily, but rarely even say a bad word about software that has demonstrated time and time again to be so inferior to any other software, Windows or Linux alike.

    How many security updates are waiting when you purchase that new Mac with an OS that is barely over SIX months old? At 6 months, Vista had maybe 10, so we are talking 15 to 1 here.

    Way to go ZDNet, blog Vista to death and let OS X and other Apple software, the undisputed King of Patches, slip by with nary a word about how unstable, unsafe and painfully slow Apple software is, not to mention the time spent maintaining this nightmare of an OS and features. OS X fans try to claim the Mac is a lower maintenance machine, but they also tend to compare it against a 1995 PC running the first version of Win95. You haven't noticed this? At this point in time, there are clearly just as many hardware issues, as they use the very same components as any other PC OEM. On to the software maintenance aspect, how could anyone claim Windows is higher maintenance when Apple is patching OS X and its packages at a 15 to 1 higher rate. That is fact, not some number I pulled out of a hat.

    So let's get this straight, you pay twice as much for the hardware, which is the same hardware in a PC at half the cost, you pay the same for the OS, since OS X costs the same as Vista on a preloaded machine, possibly more, and you spend 15 times as much time patching the OS X machines.
    Yes, it is a travesty of justice but it won't stop because the bloggers will write anyk