In association with heise online

06 November 2007, 10:58

Apple closes seven critical vulnerabilities in QuickTime


Apple has released QuickTime 7.3, which fixes seven critical vulnerabilities that attackers could exploit to infect systems with malicious code. A user only has to open a specially crafted video or image with a vulnerable version of QuickTime. According to Apple's security advisory, the vulnerabilities are partly caused by flaws in the handling of Sample Table Sample Descriptor (STSD) Atoms in videos, Panorama Sample Atoms in QuickTime Virtual Reality (QTVR) videos, Image Description Atoms, and Color Table Atoms in QuickTime videos. (The term "Atom" refers to a container of descriptions or data.) These flaws can be used to trigger heap overflows that allow malicious code to be injected into memory and executed with the user's rights.

Similar flaws are found in the functions that render images in the PICT format. Apple has also fixed a flaw in QuickTime's handling of Java applets. Attackers were reportedly able to compromise systems when users merely visited a manipulated website. Just last April, Apple had to close a Java-related QuickTime hole. The update is available for Mac OS X v10.3.9, Mac OS X v10.4.9, Mac OS X v10.5, Windows Vista and Windows XP SP2.
