Apple closes five critical security holes in QuickTime
Apple has released QuickTime 7.5, which fixes five vulnerabilities, all of which allowed code to be injected and executed. A buffer overflow and a heap overflow occur when specially crafted PICT files are opened. A memory error occurs when some AAC-encoded media are opened, and there is a buffer overflow related to the Indeo video codec.
Version 7.5 also closes a hole in the QuickTime player related to manipulated URLs. The hole has been known since the end of April, though Apple kept the details secret. In version 7.4.5, Apple quietly added its "Exploit Prevention Mechanism" (XPM), which is designed to make it harder for buffer overflows and other holes to be exploited under Vista. Nonetheless, Address Space Layout Randomization (ASLR) under Windows Vista remains disabled for numerous QuickTime libraries and applications, including the Indeo codec now categorised as vulnerable.
The update is available for Mac OS X v10.3.9, Mac OS X v10.4.9 to v10.4.11, Mac OS X v10.5 and later versions as well as for Windows Vista and Windows XP SP2. Although SP3 for XP is not explicitly mentioned, the update should work under it as well. Version 7.5 is the fourth update that Apple has provided this year for QuickTime to close a total of 20 holes, most of them critical. Only the VLC media player has had to be patched this often.
- About the security content of QuickTime 7.5, Apple security advisory