Apple Issues QuickTime Security Fix

Apple patched 11 vulnerabilities, nine of which might have allowed an attacker to execute malicious code on a victim's machine.
Apple this week issued a security patch for its QuickTime multimedia software that addressed 11 vulnerabilities.

Nine of the 11 vulnerabilities might have allowed an attacker to execute malicious code on a victim's machine.

Eight of the vulnerabilities affect both Mac OS X and Windows versions of QuickTime. Three of the vulnerabilities affect Windows Vista and XP SP2 only.

Several of the flaws can be exploited through maliciously crafted movie files. Such attacks often take the form of e-mail messages with Web links to the malicious files.

Apple's patch comes a week after three security researchers compromised a MacBook Air laptop using a zero-day vulnerability during a hacking contest at a Canadian security conference.

The exploit took advantage of a hole in Apple's Safari 3.1 Web browser.

TippingPoint Technologies, the sponsor of the contest, said that the vulnerability had been disclosed to Apple and that it would provide no further information about it until the hole was patched.

It's not immediately clear whether the Safari hole was related to QuickTime. TippingPoint Technologies was not immediately available for comment. But Apple did credit TippingPoint researchers for discovering six of the QuickTime flaws it fixed.

QuickTime, like other popular media applications such as Adobe's Flash, represents an appealing target for malicious hackers because it is widely distributed. With Apple's sales on the rise, QuickTime is likely to become even more common.

From the release of QuickTime 7.1.3 in January 2007 through the release of QuickTime 7.3.1 in December of that year, Apple fixed 34 QuickTime vulnerabilities. In 2006, Apple patched 28 QuickTime holes. So far in 2008, Apple has made 16 specific QuickTime repairs.