Apple released an update on Monday for its QuickTime media player, fixing seven flaws that could allow an attacker to remotely execute malicious programs on computers running Mac OS X or Windows.
The vulnerabilities include memory handling errors in the way that QuickTime processes PICT images, privilege escalation issues in QuickTime for Java, and errors in the handling of "atoms," the special data structures that make up a QuickTime file. Six of the seven flaws could lead to remote code execution, according to Apple's advisory.
The update came ten days after Apple released Mac OS X 10.5 "Leopard" -- the latest major upgrade to its operating system -- and a week after security firms warned Mac OS X users that a well-known Windows attack had been ported to Mac OS X to become one of the first serious Trojan horses for the platform. In the past year, Apple has had to deal with increased scrutiny from vulnerability researchers, and QuickTime has often been the focus of their bug finding.
The vulnerabilities affect Mac OS X 7.3.9 "Panther", 7.4.9 "Tiger", and 7.5 "Leopard," as well as Microsoft Windows XP Service Pack 2 and Windows Vista. The update, which can be downloaded through Apple's Software Update feature or from the Web site, upgrades QuickTime to version 7.3.
Posted by: Robert Lemos