On the heels of its best quarterly results ever, Apple is updating its QuickTime media playing software on both Mac and Windows platforms.
The new QuickTime 7.6 release is Apple's first security update of the year and fixes at least seven issues that could potentially allow an attacker to control a vulnerable system.
Among the issues fixed in the QuickTime 7.6 release is one that protects against a maliciously constructed RTSP (Real Time Streaming Protocol) URL. According to Apple's advisory, the RTSP URL could trigger an application crash or possible arbitrary code execution. RTSP-related vulnerabilities were at the top of Apple's QuickTime fix list a year ago as well, for the first QuickTime update of 2008.
Though QuickTime is often used to play QuickTime MOV-formatted media, it can also play other media such as the AVI format. The 7.6 update provides a fix for a vulnerability in which a user viewing a malicious AVI file could have triggered a heap buffer overflow condition.
AVI isn't the only format that could have posed a risk to QuickTime users. The 7.6 update also provides fixes for an MPEG-2 vulnerability as well as buffer overflow issues with H.263-encoded movie files and Cinepak-encoded movie files. The buffer overflow conditions could possibly have been exploited by an attacker to crash QuickTime or to execute arbitrary code.
The QuickTime 7.6 release comes after a challenging year for Apple in 2008, when security researchers repeatedly found multiple vulnerabilities in QuickTime.