Apple patches QuickTime and iTunes vulnerabilities
Apple has released updates to its iTunes and QuickTime applications that fix several critical security vulnerabilities in the popular media players. In addition to reliability and compatibility improvements, QuickTime 7.6.2 addresses 10 security vulnerabilities which could be used to execute arbitrary code.
The QuickTime update patches a total of six buffer overflows, a Sorenson 3 video file memory corruption issue, a sign extension problem in image description atoms and an uninitialised memory access issue. Two vulnerabilities in the handling of Clipping Regions (CRGN) and PICT images were only found in the Windows versions of QuickTime. For an attack to be successful, a user must first open a specially crafted malicious file.
Apple has also released iTunes 8.2 which, in addition to adding support for the upcoming iPhone 3.0 update, fixes a stack buffer overflow in the parsing of "itms:" URLs that could be used by attackers to remotely execute arbitrary code. For an attack to be successful, a user must first visit a maliciously crafted website.
All QuickTime and iTunes users are advised to update if they haven't already done so. QuickTime 7.6.2 is available to download for Windows XP SP3, Vista and Mac OS X 10.4.9 or higher. Version 8.2 of iTunes is available to download for Windows XP SP2 or later, Vista and Mac OS X 10.4.10 or higher.
See also:
- About the security content of QuickTime 7.6.2, security advisory from Apple.
- About the security content of iTunes 8.2, security advisory from Apple.
(crve)