14 DAY TRIAL // In a Support document on the security content of QuickTime 7.6, Apple reveals that it has addressed as many as eight vulnerabilities found with the software, seven of which were common to Mac OS X v10.5.x, Windows Vista, and XP (SP2 and SP3).
The post outlines that accessing maliciously crafted RTSP URLs, QTVR, AVI and other movie files may lead to an unexpected application termination or arbitrary code execution on both Mac and Windows running platforms.
For example, Apple disclosed that viewing a maliciously crafted AVI movie file might lead to the above-mentioned events as discovered by an anonymous researcher working with TippingPoint's Zero Day Initiative. According to the bug's description, “a heap buffer overflow may occur while processing an AVI movie file. Opening a maliciously crafted AVI movie file may lead to an unexpected application termination or arbitrary code execution,” Apple says. “This update addresses the issue through improved bounds checking,” Apple explains.
Credit for finding that a buffer overflow exists in the handling of MPEG-2 video files with MP3 audio content was given to Chad Dougherty of the CERT Coordination Center for reporting this issue. Based on his findings, Apple discovered that viewing this kind of maliciously crafted movie file might also lead to an unexpected application termination / arbitrary code execution. As with the previous flaw, improved bounds checking was included with QuickTime 7.6 to address this issue.
However, Richard Lemon of Code Lemon found a vulnerability in QuickTime 7.5 that was exploitable solely on machines running Windows Vista, XP SP2 and SP3. His discovery was that “an input validation issue exists in the QuickTime MPEG-2 Playback Component for Windows,” Apple explains, whilst a maliciously crafted movie would lead to an unexpected application termination or arbitrary code execution, if accessed.
According to Apple, the QuickTime MPEG-2 Playback Component is provided separately from QuickTime, thus isn't installed by default. To learn more, head here. To download the latest version of QuickTime for your machine / OS, go here.