RealTime IT News

QuickTime At Risk Again

Running QuickTime may well involve more risk to users than just the risk of seeing bad video content. Apple has pushed out a security update for its QuickTime software, the second security update to the media playing software in just over a month.

QuickTime version 7.3 fixes at least 7 security issues that could have left users PC or Macs at the mercy of hackers.

Two of the fixes deal with separate flaws related to how QuickTime provides descriptions for images. CVE-2007-2395 describes a flaw whereby if a user simply viewed a QuickTime file with a corrupt image description it could trigger arbitrary code execution. Apple has now added new file validation checks to ensure that won't happen anymore. In another fix related to descriptions, the issue that Apple identified was a heap buffer overflow condition that also could have allowed for arbitrary code execution.

Java usage also presented a problem for QuickTime.

CVE-2007-3751 describes what the Apple advisory identifies as multiple vulnerabilities," which may allow untrusted Java applets to obtain elevated privileges." The fix? Apple has now ensured that untrusted Java applets can't access QuickTime.

While QuickTime is often though of as just a video media player it can show still images as well, the QuickTime 7.3 release fixes two issues related to that use case. The two flaws have to deal with how QuickTime processes PICT images. If a user views a maliciously crafted file it could have led to either a stack buffer overflow or a crash, in either case arbitrary code execution could have been the ultimate result. The Apple fix for the issue is to provide additional validation of PICT files.

QuickTime 7.3 is being released just barely a month after the 7.2 release came out. The 7.2 release dealt with a number of long standing URL handling issues that Apple had attempted to fix for the better part of 2007.