Patch/Configuration Management, Vulnerability Management

Apple patches two QuickTime flaws

Apple on Tuesday released a security patch for two issues in QuickTime 7.1.6 for Mac OS X and Windows.

The patch was distributed less than a week after Apple released 13 patches for 17 vulnerabilities in OS X.

One flaw is an implementation issue in QuickTime for Java, which can be exploited for remote code execution when a user visits a malicious website containing a specially crafted Java applet, according to Apple. The patch allows OS X to perform additional validation of Java applets.

Apple credited researchers John McDonald, Paul Griswold and Tom Cross of IBM Internet Security Systems and Dyon Balding of Secunia Research for reporting the flaw.

The other flaw is a design issue in QuickTime for Java, which can be exploited to capture sensitive information.

To take advantage of the flaw, an attacker must entice a user to visit a webpage containing a maliciously crafted Java applet, according to Apple.

The update clears browser memory before allowing it to be used by untrusted Java applets, according to Apple’s advisory.

Secunia said today that the flaw was discovered by Apple.

Tom Cross told today that the growing popularity of multi-platform applications could lead to the same code being executed on Windows, OS X and Linux platforms.

"These things affect every operating system that the software can run on, so it’s not just an OS X issue, it’s something that can affect Windows as well," he said. "And these give the attacker a certain degree of flexibility."

Reached today, Apple spokesman Anuj Nayar referred to the company advisory.

SANS Internet Storm Center handler Joel Esler said yesterday on the organization’s diary that some users had been confused as to what version of QuickTime is the most recent. Esler posted that QuickTime 7.1.6 is the current program version, adding that the bulletin is only a security update.

The flaws were ranked "critical" by FrSIRT in an advisory released on Tuesday.

Secunia today ranked the flaws as "highly critical," noting that they can be exploited to run arbitrary code on a victimized PC.

US-CERT advised users install the update and disable Java.

The release marks Apple’s fourth security bulletin of the month. Last week the Cupertino, Calif.-based company released patches for 17 flaws in OS X. It also fixed two critical vulnerabilities in Darwin Streamer Server 5.5.4 on May 10 and a flaw in QuickTime media player that was discovered at CanSecWest in April.

Get more IT security news. Click here for SC Magazine Blogs.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.