On the heels of its best quarterly results ever, Apple is updating its QuickTime media player software on both the Mac and Windows platforms.
The new QuickTime 7.6 release is Apple’s first security update of the year and fixes at least seven issues that could potentially allow an attacker to control a vulnerable system.
Among the issues fixed in the QuickTime 7.6 release is one for protecting against a maliciously constructed RTSP (Real Time Streaming Protocol) URL. According to Apple's advisory, such an RTSP URL could trigger an application crash or possible arbitrary code execution. RTSP-related vulnerabilities also topped Apple's QuickTime fix list a year earlier, in the first QuickTime update of 2008.
Though QuickTime is most often used to play QuickTime MOV-formatted media, it can also play other formats such as AVI. The 7.6 update fixes a heap buffer overflow that could be triggered by a user viewing a malicious AVI file.
AVI isn't the only format that could have posed a risk to QuickTime users. The 7.6 update also provides fixes for an MPEG-2 vulnerability as well as buffer overflow issues in H.263-encoded and Cinepak-encoded movie files. The buffer overflow conditions could have been exploited by an attacker to crash QuickTime or to execute arbitrary code.
The QuickTime 7.6 release comes after a challenging 2008 for Apple, a year in which security researchers repeatedly found vulnerabilities in QuickTime.
At one point in 2008, WhiteHat Security researcher Jeremiah Grossman told InternetNews.com that he expected to see more Apple security problems as Apple's market share grew.
In contrast, security researchers who attended a recent Black Hat webcast argued that one of Mac OS X's best security features is that it doesn't enjoy wide market penetration.