X
Business
Home Business Enterprise Software

Code execution flaws hit QuickTime again

Apple has shipped a highly critical QuickTime software update with patches for at least five code execution vulnerabilities haunting Windows XP, Windows Vista and Mac OS X users.With QuickTime 7.
Written by Ryan Naraine, Contributor
Apple has shipped a highly critical QuickTime software update with patches for at least five code execution vulnerabilities haunting Windows XP, Windows Vista and Mac OS X users.

With QuickTime 7.5, Apple corrects multiple buffer overflows, memory corruption issues and URI handling flaws that could allow malicious hackers to launch exploits with QuickTime movie or image files.

The details from Apple's advisory:

CVE-2008-1581: Available for Windows Vista and Windows XP SP2

An issue in QuickTime's handling of PixData structures when processing a PICT image may result in a heap buffer overflow. Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution.  This issue does not affect systems running Mac OS X.

CVE-2008-1582: Available for Mac OS X v10.3.9, Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2 A memory corruption issue exists in QuickTime's handling of AAC-encoded media content. Opening a maliciously crafted media file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of media files.

CVE-2008-1583:  Available for Mac OS X v10.3.9, Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2 A heap buffer overflow exists in QuickTime's handling of PICT images. Opening a maliciously crafted PICT image file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.

CVE-2008-1584:  Available for Mac OS X v10.3.9, Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2 An issue in QuickTime's handling of Indeo video codec content may result in a stack buffer overflow. Viewing a maliciously crafted movie file with Indeo video codec content may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by not rendering Indeo video codec content.

CVE-2008-1585:  Available for Mac OS X v10.3.9, Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2

A URL handling issue exists in QuickTime's handling of file: URLs. This may allow arbitrary applications and files to be launched when a user plays maliciously crafted QuickTime content in QuickTime Player. This update addresses the issue by revealing files in Finder or Windows Explorer rather than launching them.

Editorial standards
Show Comments

Related

asus-zenbook-14-main

The work laptop I recommend to most people is not made by Apple or Lenovo

Microsoft Copilot

7 reasons I use Copilot instead of ChatGPT

Bose QuietComfort Ultra case

Why I travel with Bose's QuietComfort Ultra headphones instead of the Sony XM5