Apple QuickTime Gets Security Makeover

Apple ships a new version of its flagship media player to plug several code execution vulnerabilities.

Apple Computer Inc.'s flagship QuickTime media player has received a security-centric makeover to plug several code execution vulnerabilities.

The release of QuickTime 7.0.4 comes months after researchers warned that attackers could rig QuickTime files to execute arbitrary code on Windows and Mac machines.

In all, the update provides patches for five different buffer overflow vulnerabilities affecting users of Mac OS X v10.3.9 and later, Windows 2000 and Windows XP.

In an advisory, Apple warned that a maliciously crafted QTIF (QuickTime Image File Format) image may result in arbitrary code execution.

The new software version will perform additional validation of the images to thwart potential exploits.


The update also performs additional validation of TGA images to correct a flaw that can lead to denial-of-service or arbitrary code execution attacks.

The software makeover also fixes a bug in the way QuickTime reads TIFF and GIF images.

A fifth vulnerability, in the way QuickTime processes rigged media files, can lead to a buffer overflow and code execution, the company warned.

It's the second major QuickTime security update from Apple in recent months. Last November, the Cupertino, Calif.-based company shipped a QuickTime update to protect against "highly critical" system access and denial-of-service vulnerabilities.

That patch covered four different flaws, including an integer overflow error in the handling of a "Pascal" style string when loading a ".mov" video file.

This can result in memory overwrite due to a large memory copy, potentially allowing arbitrary code execution via a specially crafted video file.
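The bug class described above, as an added C illustration that is not Apple's code and is not taken from the advisory: it assumes the oversized copy comes from a one-byte Pascal-string length being sign-extended, which is one common way such a length goes wrong. The names `widened_signed` and `read_pstring` and the sample records are hypothetical and constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Pitfall: a length byte held in a signed char is sign-extended when
 * widened, so 0x80..0xFF turn into enormous size_t copy sizes. */
static size_t widened_signed(uint8_t raw) {
    signed char len = (signed char)raw;
    return (size_t)len;                 /* 0xFF -> SIZE_MAX */
}

/* Hardened reader for a Pascal-style string: one unsigned length byte
 * followed by that many bytes. Copies into out and NUL-terminates it.
 * Returns the string length, or -1 if the record does not fit. */
static int read_pstring(const uint8_t *buf, size_t buf_len, size_t off,
                        char *out, size_t out_cap) {
    if (buf == NULL || out == NULL || out_cap == 0) return -1;
    if (off >= buf_len) return -1;      /* no length byte to read */
    size_t len = buf[off];              /* unsigned: always 0..255 */
    size_t avail = buf_len - off - 1;   /* bytes left after the length */
    if (len > avail) return -1;         /* claims more than the input has */
    if (len >= out_cap) return -1;      /* no room for data plus NUL */
    memcpy(out, buf + off + 1, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed sample records, not taken from any real .mov file. */
static const uint8_t good_rec[] = { 5, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t bad_rec[]  = { 0xFF, 'A', 'B', 'C' };

int main(void) {
    char out[16];
    printf("0xFF widened via signed char: %zu\n", widened_signed(0xFF));
    printf("good record -> %d\n",
           read_pstring(good_rec, sizeof good_rec, 0, out, sizeof out));
    printf("bad record  -> %d\n",
           read_pstring(bad_rec, sizeof bad_rec, 0, out, sizeof out));
    return 0;
}
```

The reader rejects a record whose declared length exceeds either the remaining input or the destination buffer, so a lying length byte never reaches `memcpy`.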
