Apple fixes eight critical vulnerabilities in QuickTime
A security update from Apple fixes a total of eight vulnerabilities in the multimedia system QuickTime. All eight are the result of buffer overflows, which could be used by an attacker to introduce and execute code on a system. To do so, the victim merely has to open a malicious file using QuickTime - the file can, for example, be received as an e-mail attachment or be downloaded from a website. Whether or not the attacker can thereby gain control over the computer depends on the operating system and the configuration.
The vulnerabilities are present both in versions for Mac OS X and for Windows 2000, XP and Vista. Users should usually work with restricted privileges under Mac OS X and Vista. The known privilege escalation vulnerability in Mac OS X, which allows an attacker to obtain root privileges, was closed by Apple with the previous security update.
The buffer overflows in QuickTime occur when processing manipulated 3GP, MIDI, QuickTime, PICT and QTIF files. Apple QuickTime versions 7.1.4 and earlier are affected. Updating to 7.1.5 fixes the problem under both Mac OS X and Windows. It is not known whether the vulnerability has already been exploited.
- About the security content of QuickTime 7.1.5, advisory from Apple
- Apple QuickTime Color Table ID Heap Corruption Vulnerability, security advisory from iDefense