The bugs could allow attackers to crash or stuff malicious code onto Windows or Mac OS X machines.
Apple on Tuesday patched its QuickTime media player to fix 7 critical vulnerabilities that could crash the Windows or Mac OS X application, or let attackers stuff their own malicious code into machines.
The newest version of QuickTime, 7.1.3, patches 7 bugs in how the application checks a variety of file formats, including QuickTime, FLC, and H.264 movies; and FlashPix and SGI images. In each case, a malformed file can trigger a heap, buffer, or integer overflow, or in one case, an exception, that then might let the attacker introduce his own code to the PC or Mac, essentially hijacking the computer.
Although Apple does not rank its security updates, Danish security company Secunia collectively rated the QuickTime fix as "Highly critical," its second-most-dire label.
"In order to exploit this vulnerability, attackers must social engineer victims into visiting a Web site under their control," read an online advisory by iDefense, which was credited with reporting one of the vulnerabilities to Apple. iDefense added that users of both Internet Explorer and Firefox were at risk. "Testing shows that either browser can be used as an attack vector," iDefense's warning went on. "It is also possible to open this type of file directly from within QuickTime or from a playlist that QuickTime has opened."
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.