Apple Patches QuickTime Flaw

A new QuickTime release fixes a heap corruption vulnerability that could allow an attacker to execute commands as the current user, Apple says.

Apple has addressed a heap corruption vulnerability in its popular QuickTime media player.

The flaw can be exploited remotely, and allows an attacker to execute arbitrary commands as the current user. Security researchers at VeriSigns iDefense Labs confirmed the vulnerability exists in version 7.1.3 of QuickTime on Windows, and previous versions are suspected to be vulnerable as well.

/zimages/6/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

Apple patched the problem in its latest QuickTime release, version 7.1.5.

"This update is recommended for all QuickTime 7 users," the Cupertino, Calif., company advised on its Web site. "QuickTime 7 will disable the QuickTime Pro functionality in prior versions of QuickTime, such as QuickTime 5 or QuickTime 6. If you proceed with this installation, you must purchase a new QuickTime 7 Pro key to regain QuickTime Pro functionality."

Apple was first notified of the flaw in December, according to iDefense researchers, in Sterling, Va.

/zimages/6/28571.gifAn Apple vulnerability project kicks off by releasing information about a QuickTime flaw. Click here to read more.

The vulnerability involves QuickTimes handling of Video media atoms. When the Color table ID field in the Video Sample Description is 0, QuickTime expects a color table to be present immediately after the description, iDefense researchers said. A byte swap is performed on the memory following the description—regardless of whether a table is present or not—and heap corruption will occur if the memory following the description is not part of the heap chunk being processed, researchers said.

In order to exploit this vulnerability, a victim must open a media file supplied by the hacker. This could be accomplished by either a direct link or a referral from a Web site under the attackers control. No further interaction is required in the default configuration. iDefense is currently unaware of any effective workarounds for this vulnerability.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.