Apple has released a new version of QuickTime to fix several vulnerabilities that could allow remote attackers to execute arbitrary code and hijack a user’s computer.
The seven flaws can be exploited when users view a maliciously crafted image or media file on a vulnerable version of QuickTime, according to an advisory released today by the United States Computer Emergency Readiness Team (US-CERT). In addition, attackers can use websites as a delivery vector because most web browsers are configured to handle QuickTime media files.
The flaws could allow remote, unauthenticated attackers to execute arbitrary code or trigger a denial-of-service condition, the advisory said. According to Apple's security update, the maliciously crafted file types that could lead to exploitation include SGI images, FlashPix images, FLC animations, and QuickTime and H.264 movies.
Apple recommends upgrading to the latest QuickTime version for Mac OS X and Windows, released earlier this week.
"QuickTime 7.1.3 is an important release that delivers numerous bug fixes and addresses critical security issues," the company said on its Apple Downloads webpage. "This update is recommended for all QuickTime 7 users and is required for playback of content purchased in the iTunes Store."
An Apple spokesman could not be reached for comment today.
Apple credited Mike Price of McAfee Avert Labs with reporting the vulnerabilities. A representative from the security firm could not be reached for comment today.
US-CERT also reported critical flaws in Adobe Flash Player. For the vulnerabilities to be exploited and attackers to take control of affected systems, a malicious Shockwave Flash (SWF) file must be loaded into the player, Adobe said Tuesday in a security bulletin.
Adobe recommends that users update to the latest version of Flash Player by downloading it from the Adobe Player Download Center website or by using the player's auto-upgrade feature.
By Dan Kaplan.