QuickTime Update Plugs More Holes

Latest update addresses five issues and follows the spring 2008 update to plug 11 security holes.

Apple has released a new version of QuickTime to fix five security issues that could allow hackers to take control of a system via malicious movie or image files.

The QuickTime 7.5 update comes roughly two months after Apple released Version 7.45 to plug 11 security holes in the application. This time around, the update addresses a series of buffer overflows, URL-handling flaws and memory corruption issues affecting Mac OS X and Windows XP and Vista users.

Among the issues is QuickTime's handling of PixData structures that when processing a PICT image can cause a heap buffer overflow and lead to arbitrary code execution or cause the application to close unexpectedly. The flaw affects Windows Vista and XP Service Pack 2 users only, the company stated in its advisory.

A second heap buffer overflow vulnerability can be caused by opening a malicious PICT image file. This flaw, which can also lead to unexpected application termination or allow attackers to execute code, affects users of several versions of Mac OS X as well as Windows Vista and XP SP2 users.

The update also addresses a stack buffer overflow vulnerability in QuickTime's handling of Indeo video codec content, which Apple has addressed by not rendering it. The final two vulnerabilities are a memory corruption issue caused by the way QuickTime handles AAC-encoded media content and URL handling issues. Both flaws affected several versions of Mac OS X as well as Windows XP SP2 and Windows Vista.