The bugs could allow attackers to crash or stuff malicious code onto Windows or Mac OS X machines.
Apple on Tuesday patched its QuickTime media player to fix 7 critical vulnerabilities that could crash the Windows or Mac OS X application, or let attackers stuff their own malicious code into machines.
The newest version of QuickTime, 7.1.3, patches 7 bugs in how the application checks a variety of file formats, including QuickTime, FLC, and H.264 movies; and FlashPix and SGI images. In each case, a malformed file can trigger a heap, buffer, or integer overflow, or in one case, an exception, that then might let the attacker introduce his own code to the PC or Mac, essentially hijacking the computer.
Although Apple does not rank its security updates, Danish security company Secunia collectively rated the QuickTime fix as "Highly critical," its second-most-dire label.
"In order to exploit this vulnerability, attackers must social engineer victims into visiting a Web site under their control," read an online advisory by iDefense, which was credited with reporting one of the vulnerabilities to Apple. iDefense added that users of both Internet Explorer and Firefox were at risk. "Testing shows that either browser can be used as an attack vector," iDefense's warning went on. "It is also possible to open this type of file directly from within QuickTime or from a playlist that QuickTime has opened."
The Business of Going DigitalDigital business isn't about changing code; it's about changing what legacy sales, distribution, customer service, and product groups do in the new digital age. It's about bringing big data analytics, mobile, social, marketing automation, cloud computing, and the app economy together to launch new products and services. We're seeing new titles in this digital revolution, new responsibilities, new business models, and major shifts in technology spending.