Apple Patches Bugs In QuickTime ... Again

For the second time this month, Apple released a security update to fix vulnerabilities in its QuickTime media player.
For the second time in less than a month, Apple has released a patch for a critical vulnerability in its popular QuickTime media player.

The security update for QuickTime 7.1.6 addresses multiple vulnerabilities in Apple QuickTime for Java, stated an alert on the U.S.-CERT Web site. The vulnerabilities could cause arbitrary code execution by a remote hacker, along with information disclosure.

QuickTime is Apple's multimedia technology.

According to the update on Apple's site an attacker can trigger a flaw that leads to enabling remote control of a system by enticing a user to visit a Web page containing a malicious Java applet. This new update addresses the problem by performing additional validation of Java applets.

Apple also noted that a design flaw exists in QuickTime for Java, which may allow a Web browser's memory to be read by a Java applet. If an attacker takes advantage of the bug, it could lead to the disclosure of sensitive information. The security update fixes the hole by clearing memory before allowing it to be used by untrusted Java applets.

Apple is crediting John McDonald, Paul Griswold, and Tom Cross of IBM Internet Security Systems X-Force, and Dyon Balding of Secunia Research for reporting these issues.

Early this month, Apple released a new version of QuickTime that fixed a "highly critical" vulnerability. The version update, which is for both the Mac OS X and Windows, plugs a hole that could open up the millions of people who use an iPod to attacks on their desktops and laptops. The iPod uses the iTunes media player, which people run on their PCs and Macs. ITunes, in turn, uses QuickTime.

The U.S.-CERT gave the vulnerability a 10 out of 10 points in its risk-rating scale. Researchers are recommending that users get the update as soon as possible.

In early March, Apple released a different update to deal with multiple vulnerabilities in QuickTime. That fix -- the QuickTime 7.1.5 Update -- patched eight security bugs. According to several advisories on the U.S.-CERT Web site, the vulnerabilities included three buffer overflow bugs and three integer overflow bugs.

Just last week, Apple released a security update with a total of 13 fixes for vulnerabilities in Mac OS X versions known as Panther and Tiger. The patches covered the desktop and server versions of the operating system. The vulnerabilities fixed range from the benign, such as a hacker inserting code that would result in the sudden termination of an application, to the more critical, such as making a computer vulnerable to password theft or a denial of service attack.