Apple released version 7.1.5 Update to its QuickTime media player
software to address security vulnerabilities. The release can be downloaded at Apple’s Web site.
QuickTime is part of Apple’s popular iTunes software.
As reported by the U.S. Computer Readiness Team (CERT), the QuickTime 7.1.5
release resolves a number of vulnerabilities in the way different types of image and media files are handled.
According to CERT, an attacker could exploit these vulnerabilities by convincing a user to access a specially crafted image or media file with a vulnerable version
of QuickTime. Since QuickTime configures most Web browsers to handle
QuickTime media files, an attacker could exploit these vulnerabilities using
a Web page.
In one example a heap buffer overflow
existed in QuickTime’s handling of MIDI files. By enticing a user to open a
malicious MIDI file, an attacker can trigger the overflow, which may lead to
an application crash or arbitrary code execution. This update addresses the
issue by performing additional validation of MIDI files.
In another case, viewing a maliciously crafted 3GP file may lead to an
application crash or arbitrary code execution. The problem was identified as
an integer overflow that existed in QuickTime’s handling of 3GP video files.
By enticing a user to open a malicious movie, an attacker can trigger the
overflow, which Apple said may lead to an application crash or arbitrary
code execution. The 7.1.5 update addresses the issue, Apple said, by
performing additional validation of 3GP video files. This issue does not
affect Mac OS X.
Like Microsoft and other software companies, Apple regularly releases patches and
security fixes to its software.