Apple Updates QuickTime for 16 Security Vulnerabilities
A big security update for QuickTime and iTunes affects both Windows and Mac users.
The iPad isn't the only new item from Apple this week. Users of Apple's QuickTime software on both Mac and Windows platforms are being treated to a security update that fixes 16 security vulnerabilities.
Not all of the issues being patched by Apple in the QuickTime 7.6.6 update affect all supported Windows and Mac platforms, however.
That's because last week, Apple released Mac OS X 10.6.3, which provides protections against multiple memory corruption issues that could potentially have been triggered by QuickTime via maliciously encoded audio and video files.
However, Mac OS X 10.5.8, Windows 7, Vista and XP users of QuickTime have remained at risk of running corrupted audio content that could have potentially led to arbitrary code execution. The vulnerabilities were a result of memory corruption issues in QDM2- and QDMC-encoded audio content.
One set of issues already fixed in Mac OS X 10.6.3 -- and now being extended to Microsoft Windows and Mac OS X 10.5.8 users -- deals with security vulnerabilities in video encoding formats. QuickTime 7.6.6 provides fixes to protect against handling errors with a number of encoding formats, including H.263, H.261, H.264, Sorenson, MPEG, FLC, FlashPix, M-JPEG, and RLE.
There are five fixes in QuickTime 7.6.6 that are specific just to Windows users of Apple's media playing software. Two fixes deal with issues related to security vulnerabilities triggered by malicious PICT image files that could have potentially led to arbitrary code execution.
The 7.6.6 update also addresses a similar memory corruption issue that affects BMP images viewed by QuickTime's Windows users.
Another Windows-only fix protects against a color table issue.
"A memory corruption exists in the handling of color tables in movie files," Apple stated in its advisory. "Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed by performing additional validation of color tables."
Alongside the QuickTime 7.6.6 update, Apple has also issued the iTunes 9.1 update. With iTunes 9.1, Apple is delivering seven fixes in total of which six are specific to Windows platforms.
The only issue in iTunes 9.1 that affects both Mac and Windows is an MP4 file import issue.
"An infinite loop issue exists in the handling of MP4 files," Apples stated in its advisory. "A maliciously crafted podcast may be able to cause an infinite loop in iTunes, and prevent its operation even after it is relaunched. This issue is addressed through improved validation of MP4 files."
The other Windows-specific issues fixed in iTunes 9.1 include a color profile fix and fixes for image handing issues affecting TIFF and BMP files. There is also a fix for a flaw in iTunes on Windows that potentially could have enabled a user to get full system privileges.
"During the installation process, a race condition may allow a local user to modify a file that is then executed with system privileges," Apple stated in its advisory. "The issue is addressed through improved access controls for installation files."
March 30, 2010
New Mac 10.6.3 update addresses a long list of security and stability issues.