Four critical vulnerabilities in Apple QuickTime
Apple has released update 7.4 for QuickTime that fixes four critical security vulnerabilities. Three of the vulnerabilities can be exploited by attackers using crafted movies to inject malicious code and execute it with the user's privileges. To fall victim, a user need only visit a crafted website or open a movie received via e-mail. The fourth vulnerability is triggered when processing compressed PICT files. Apple has released downloads of the update for Windows XP SP2 (22 MB), Windows Vista (22 MB), Mac OS X v10.3.9 (50 MB), Mac OS X v10.4.9 (51 MB) and Mac OS X v10.5 (55 MB) or later.
The QuickTime vulnerability reported last week remains unfixed. This allows crafted RTSP servers to inject malware onto a client. Apple has had to contend with multiple vulnerabilities in QuickTime over the last few months, all of which have permitted code injection. The company fixed four vulnerabilities in December, seven in November and one in October. Even prior to that, Apple had to fix multiple vulnerabilities in the QuickTime framework in July.
However, it is hard to recommend alternative media players. Multiple vulnerabilities have been found in VLC Media Player in recent weeks. Microsoft's Windows Media Player appears to have few security issues at present, but users should beware of a gaining false sense of security from the absence of security updates - this does not necessarily mean that there are no vulnerabilities!
- About the security content of QuickTime 7.4, security advisory from Apple
(mba)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
