Running QuickTime may well involve more risk to users than just the risk of
seeing bad video content. Apple has pushed out a security update for its
QuickTime software, the second security update to the media playing software
in just over a month.
QuickTime version 7.3 fixes at least 7 security issues that could have left
users' PCs or Macs at the mercy of hackers.
Two of the fixes deal with separate flaws related to how QuickTime provides
descriptions for images. CVE-2007-2395 describes a flaw whereby if a user
simply viewed a QuickTime file with a corrupt image description it could
trigger arbitrary code execution. Apple has now added new file validation
checks to ensure that won’t happen anymore. In another fix related to
descriptions, the issue that Apple identified was a heap buffer overflow
condition that also could have allowed for arbitrary code execution.
Java usage also presented a problem for QuickTime.
CVE-2007-3751 describes what the Apple advisory identifies as “multiple
vulnerabilities,” which “may allow untrusted Java applets to obtain elevated
privileges.” The fix? Apple has now ensured that untrusted Java applets
can’t access QuickTime.
While QuickTime is often thought of as just a video media player, it can show
still images as well, and the QuickTime 7.3 release fixes two issues related to
that use case. The two flaws have to do with how QuickTime processes PICT
images. If a user viewed a maliciously crafted file, it could have led to
either a stack buffer overflow or a crash; in either case arbitrary code
execution could have been the ultimate result. The Apple fix for the issue
is to provide additional validation of PICT files.
QuickTime 7.3 is being released just barely a month after the 7.2 release
came out. The 7.2 release dealt with a number of long-standing URL
handling issues that Apple had attempted to fix for the better part of 2007.