Apple Fixes a Quartet of QuickTime Flaws
Why is Apple being bombarded with security issues? One researcher blames its growing visibility -- and attitude.
With all the hype surrounding Apple this week and its MacWorld event it's easy to forget that Apple is a company under a security siege.
More specifically, Apple's QuickTime software has faced far more than its fair share of security woes over the past year. The software plays a critical role in Apple's ability to deliver multimedia content on its Mac and iTunes platforms.
Though not quite as high-profile as Apple's launch of the new Mac Air notebook, QuickTime didn't go ignored by Apple this week, receiving an update to version 7.4.
The first of the fixes in QuickTime 7.4 involves memory corruption with video files that have been compressed with the popular Sorenson 3 compression technology. The flaw could have led to arbitrary code execution or an application crash.
QuickTime 7.4 also contains a fix for a memory corruption issue related to its handling of Macintosh Resource records in movie files.
The third issued addressed in the QuickTime 7.4 update also relates to memory corruption -- this time in QuickTime's parsing of Image Descriptor (IDSC) atoms. For the first three memory corruption vulnerabilities fixed by QuickTime 7.4, Apple addresses each by performing additional validation to ensure files are not corrupt.
The fourth fixed issue stems from QuickTime's handing of PICT images. Apple noted in its advisory that, "A buffer overflow may occur while processing a compressed PICT image."
Apple's advisory explains that the fix for the PICT issue is to terminate the decoding of the PICT image when the result would extend beyond the end of the destination buffer.
The QuickTime 7.4 release does not address a Real Time Streaming Protocol (RTSP) problem with QuickTime, first reported last week.
With the QuickTime 7.4 release, Apple has now issued five QuickTime updates for security issues since October. It's a dark trend that may not necessarily mean that QuickTime is less secure than it once was.
Instead, it may just be a symptom of Apple's increasing popularity.