In addition to its announcement of a new iPhone, Apple has also released a new version of its QuickTime software.
The reason? To fix several nagging problems related to security concerns.
According to the Danish security research organization Secunia, the new release, version 7.5, claims to fix such vulnerabilities as:
- A boundary error when parsing packed scanlines from a PixData structure in a PICT file can be exploited to cause a heap-based buffer overflow via a specially crafted PICT file.
- An error in the processing of AAC-encoded media content can be exploited to cause a memory corruption via a specially crafted media file.
- A boundary error in the processing of PICT files can be exploited to cause a heap-based buffer overflow via a specially crafted PICT file.
- A boundary error in the processing of Indeo video codec content can be exploited to cause a stack-based buffer overflow via a specially crafted movie file with Indeo video codec content.
- An error in the handling of "file:" URLs can be exploited to, e.g., execute arbitrary programs when playing specially crafted QuickTime content in QuickTime Player.
Secunia said that successful exploitation of these vulnerabilities may allow execution of arbitrary code - meaning that a hacker could take control of a user's PC
Said Cameron Hotchkies, security researcher with TippingPoint's DVLabs, “Usually the security vulnerabilities in QuickTime are buffer overflows or integer overflows that are file-parsing related or size-related issues in the internal file format. So a buffer overflow as a security vulnerability is not that uncommon.”
QuickTime has been the source of multiple bugs this year. Apple earlier this year released an update to the media player that addressed 11 vulnerabilities. Four patches were issued in January
“A lot of people are looking into the QuickTime format recently, going over it with a fine-tooth comb, trying to pick out as many vulnerabilities as they can," Hotchkies said.