Apple patches up QuickTime and April update
Apple has released a QuickTime 7.1.6 update that should close the critical security hole discovered around 10 days ago during a Hack-a-Mac challenge. The reason for the hole was the inadequate filtering of parameters passed through a browser's Java Virtual Machine (JVM), to the toQTPointer routine in QuickTime Java extensions (QTJava.dll). This meant that an attacker could access a PC's memory via prepared Java applets on a website outside of the allocated domain and use this to inject code and execute it on the computer.
As the error was based in QuickTime, it didn't matter whether the user was visiting the webpage in Internet Explorer, Firefox or Safari according to Dino Dai Zovi, who discovered the hole. QuickTime versions for Windows and Mac OS X were affected. TippingPoint wrote in its error report that Windows Vista may also be affected, although there is currently no Vista version of QuickTime.
Apple also released an update of the previous April 2007-004 security updates for Mac OS X 10.3.9 and 10.4.9. These solve two problems caused by the old patches which involved the AirPort driver losing connection after waking from sleep and the FTP server enabling registered users to get access to data outside of the normal scope. The fault came down to a defective configuration file. The new version 1.1 also contains all the patches from the previous 1.0 update.
- About the security content of QuickTime 7.1.6, Apple's error report
- About Security Update 2007-004 v1.1, Apple error report