Hidden behind the massive hype that was the iPhone 3G launch is the fact that Apple’s critical QuickTime software, which enables multimedia playback and iTunes, remains software under siege.
The QuickTime 7.5 update fixes five issues that could potentially leave users at risk from attackers.
Though Apple (NASDAQ: AAPL) is patching QuickTime yet again, at least one of the security firms responsible for discovering some of the QuickTime flaws believes that Apple is moving some of the updates in a timely fashion.
Four of the issues affect QuickTime running on both Mac and Windows, while one issue is unique to Windows.
The Windows-only QuickTime 7.5 patch deals with a flaw in how the media software handles PICT images, which is identified as CVE-2008-1581. The flaw could have let an attacker execute arbitrary code or trigger an application crash.
A separate issue regarding PICT handling affects both Windows and Mac versions of QuickTime, and Apple identifies it as CVE-2008-1583.
Another flaw relates to how QuickTime handles the AAC format, which is the default for iTunes content. This problem could lead to a crash or arbitrary code execution.
3Com’s TippingPoint division is credited with reporting the final two flaws fixed in QuickTime 7.5. The patch for CVE-2008-1584 fixes a flaw in how QuickTime handles Indeo video media content.
The other problem TippingPoint identified is CVE-2008-1585, which is a URL-handling flaw.
“A URL-handling issue exists in QuickTime’s handling of file: URLs,” Apple’s advisory states. “This may allow arbitrary applications and files to be launched when a user plays maliciously crafted QuickTime content in QuickTime Player. This update addresses the issue by revealing files in Finder or Windows Explorer rather than launching them.”
The QuickTime 7.5 update follows the QuickTime 7.4.5 update from April, which fixed 11 issues.
Apple has been the subject of scrutiny by security researchers, including TippingPoint. However, Cody Pierce, security researcher for TippingPoint’s DVLabs team, noted that in general Apple has been fairly responsive to issues the group raised.
“The first vulnerability listed, CVE-2008-1584, was reported on 2008-02-07, which is a little longer than desired but in general acceptable,” Pierce told InternetNews.com.
“As for CVE-2008-1585, Apple was very timely in correcting an issue taking a little over a month to respond,” Pierce added. “It is good to see vendors taking the effort to protect their customers quickly — I hope the trend continues.”