Critical Flaws Patched By Apple in QuickTime 7.5 Update
Apple released earlier QuickTime 7.5, which fixes a number of security bugs. The update is highly critical and it patches at least five code execution vulnerabilities in Windows XP, Windows Vista and Mac OS X. It fixes multiple buffer overflows, memory corruption issues and URI handling flaws that could allow malicious hackers to launch exploits with QuickTime movie or image files.
Apple’s security improvements include fixes for:
CVE-2008-1581 (for Windows Vista and Windows XP SP2): An issue in QuickTime’s handling of PixData structures when processing a PICT image may result in a heap buffer overflow. Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution. This issue does not affect systems running Mac OS X.
CVE-2008-1582 (for Mac OS X v10.3.9, Mac OS X v10.4.9 – v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2): A memory corruption issue exists in QuickTime’s handling of AAC-encoded media content. Opening a maliciously crafted media file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of media files.
CVE-2008-1583 (for Mac OS X v10.3.9, Mac OS X v10.4.9 – v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2): A heap buffer overflow exists in QuickTime’s handling of PICT images. Opening a maliciously crafted PICT image file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.
CVE-2008-1584 (for Mac OS X v10.3.9, Mac OS X v10.4.9 – v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2): An issue in QuickTime’s handling of Indeo video codec content may result in a stack buffer overflow. Viewing a maliciously crafted movie file with Indeo video codec content may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by not rendering Indeo video codec content.
CVE-2008-1585 (for Mac OS X v10.3.9, Mac OS X v10.4.9 – v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2): A URL handling issue exists in QuickTime’s handling of file: URLs. This may allow arbitrary applications and files to be launched when a user plays maliciously crafted QuickTime content in QuickTime Player. This update addresses the issue by revealing files in Finder or Windows Explorer rather than launching them.
More on CyberInsecure:
August 1st, 2008 at 5:57 am
I have read about QuickTime Alternative and Real Player Alternative – imho smaller size and faster work unlike QuickTime. What your opinion?