Apple: Beware of Rigged QuickTime Movies

Apple ships an update to its QuickTime media player to correct seven code execution flaws affecting Mac and Windows users.

Download the authoritative guide: The Ultimate Guide to IT Security Vendors

Multiple security flaws in Apples QuickTime media player could put Mac and PC users at risk of malicious hacker attacks, according to a warning from the Cupertino, Calif. company.

Apple released QuickTime 7.1.3 as a high-priority update alongside warnings that maliciously crafted movie and image files could be used to execute harmful code on vulnerable computers.

The update fixes a total of seven vulnerabilities, including an integer overflow that occurs when viewing maliciously crafted movies that use the H.264 digital video codec standard.

By carefully crafting a corrupt H.264 movie, an attacker can trigger an integer overflow or buffer overflow which may lead to an application crash or arbitrary code execution with the privileges of the user, Apple warned in an advisory.

The QuickTime update addresses the issue by performing additional validation of H.264 movies.

The company also warned that specially rigged QuickTime movies can lead to an application crash or arbitrary code execution because of a separate buffer overflow bug in the program.

A third flaw in the way QuickTime deals with corrupt FLC movie could also lead to arbitrary code execution.

The program also contains bugs in the way FlashPix files and maliciously-crafted SGI images are rendered.


Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.