Apple Patches QuickTime, Updates iTunes

Apple has issued a slew of critical patches for its QuickTime media player and updated the digital media application iTunes. Version 7.6.2 of QuickTime received the majority of patches, targeted at patching holes that allow maliciously crafted files to perform unexpected application terminations or arbitrary code executions.

The iTunes upgraded software now supports iPhone and iPod touch with the iPhone’s 3.0 software update, and Version 8.2 also includes “many accessibility improvements and bug fixes,” according to Apple. In March, Apple announced that iPhone firmware Version 3.0 was due to be released in mid-2009.

One QuickTime patch fixes a memory corruption issue that existed in the player’s handling of Sorenson 3 video files, while another addressed the issue of a heap buffer overflow existing in the handling of FLC compression files. Eight of the patches concern Apple and Microsoft operating systems, and two patches address vulnerabilities found only in Microsoft Vista and XP versions.

The update is the second this year for QuickTime; the first, issued in January, fixes seven security vulnerabilities. Microsoft noted in a security report published in 2008 that, in the first half of 2008, a QuickTime flaw had been the third-most attacked vulnerability for Windows XP users and the fourth-most attacked for Vista customers.

Michael Oh, founder of the Apple-specific, Boston-based company Tech Superpowers, said based on the support page for the QuickTime update, all of the vulnerabilities related to the idea that it is theoretically possible for a user to click on a URL, encoded in a certain way, and it may crash QuickTime or be used to execute a code.

“I wouldn’t say it’s a large threat for the average user, but it’s a common attack vector used by a lot of hackers sending out spam, so it’s a pretty common type of thing you see out there,” he said. He pointed out there are theoretical hacks that can happen on any number of platforms, and singled out Apple’s diligence in security issues.

“Apple has a pretty serious stance on security and addressing these issues,” he said. “They are very good at pushing these updates down to users—Apple simply sees those vulnerabilities, addresses them behind the scenes and then releases the updates."

Oh said the stuff that really gets mainstream media attention, such as viruses or Trojans, tends to be things that have a mechanism to propagate wildly—as the term "virus" suggests. “It’s important to mention that none of the vulnerabilities have any sort of mechanism to propagate like that,” he said. “That’s a really critical thing you should look at with a security patch.”