Most of the vulns have already been fixed on the OS X side

May 16, 2012 07:08 GMT

In releasing QuickTime 7.7.2 to the masses this week, Apple has fixed 17 security issues, all affecting the Windows implementation of the multimedia framework. All users of QuickTime 7 on Windows are advised to apply the update and patch the flaws.

Apple confirms in a support document that “QuickTime 7.7.2 improves security and is recommended for all QuickTime 7 users on Windows.”

As usual, another KB article holds the details about all 17 bugs, the people who discovered them, and the methods Apple employed to close the holes. For most of the vulnerabilities, the Cupertino giant is careful to note that they don’t affect OS X systems.

For example, one vulnerability affecting Windows 7, Vista, XP SP2 or later stems from “an uninitialized memory access issue [...] in the handling of MP4 encoded files.” Its description reads: “Opening a maliciously crafted MP4 encoded file may lead to an unexpected application termination or arbitrary code execution.”

Apple clarifies that, although Mac users have also been hit by this particular problem, “for OS X Lion systems, this issue is addressed in OS X Lion v10.7.3. For Mac OS X v10.6 systems, this issue is addressed in Security Update 2012-001.”

Credits go out to Luigi Auriemma and pa_kt (both working with HP's Zero Day Initiative) for discovering this bug.

Another bug affecting the same Windows versions “may lead to an unexpected application termination or arbitrary code execution” when viewing a maliciously crafted movie file.

The culprit is “an off by one buffer overflow [...] in the handling of rdrf atoms in QuickTime movie files.”

As with the aforementioned bug, Mac users saw it fixed in the most recent software releases.

QuickTime 7.7.2 supports various languages, including Deutsch, English, Français, Español, Italiano, Nederlands, Dansk, Norsk Bokmål, Polski, Português, Português Brasileiro, Русский, Suomi, Svensk, Chinese, Japanese and Korean.

QuickTime 7.7.2 is only the latest in a long string of security updates released by Apple following the Flashback Trojan threat reported a month ago.