Apple: Beware of Rigged QuickTime Movies

 
 
By Ryan Naraine | Posted 2006-09-12

Apple ships an update to its QuickTime media player to correct seven code execution flaws affecting Mac and Windows users.

Multiple security flaws in Apple's QuickTime media player could put Mac and PC users at risk of malicious hacker attacks, according to a warning from the Cupertino, Calif., company.

Apple released QuickTime 7.1.3 as a high-priority update alongside warnings that maliciously crafted movie and image files could be used to execute harmful code on vulnerable computers.

The update fixes a total of seven vulnerabilities, including an integer overflow that occurs when viewing maliciously crafted movies that use the H.264 digital video codec standard.

"By carefully crafting a corrupt H.264 movie, an attacker can trigger an integer overflow or buffer overflow which may lead to an application crash or arbitrary code execution with the privileges of the user," Apple warned in an advisory.

The QuickTime update addresses the issue by performing additional validation of H.264 movies.

The company also warned that specially rigged QuickTime movies can lead to an application crash or arbitrary code execution because of a separate buffer overflow bug in the program.

A third flaw in the way QuickTime deals with corrupt FLC movies could also lead to arbitrary code execution.

The program also contains bugs in the way FlashPix files and maliciously crafted SGI images are rendered.
