Apple has plugged a total of ten holes in its QuickTime Player for Mac and Windows

Jun 2, 2009 14:28 GMT

Apple has disclosed that both iTunes 8.2 and QuickTime 7.6.2 have been suffering from a few security issues, with QuickTime alone being in need of some ten patches. Two of these ten security holes recently plugged by Apple have been confirmed as Windows-specific.

In a Support document detailing the security content of QuickTime 7.6.2, Apple reveals that as many as 8 issues plagued QuickTime versions for Mac OS X v10.4.11, Mac OS X v10.5.7, Windows Vista and XP SP3.

Among those was CVE-2009-0957. Discovered by renowned hacker Charlie Miller of Independent Security Evaluators as well as Damian Put working with TippingPoint's Zero Day Initiative, the flaw can lead to unexpected application termination or arbitrary code execution should the user view a maliciously crafted JP2 image.

Apple explains that “a heap buffer overflow exists in QuickTime's handling of JP2 images. Viewing a maliciously crafted JP2 image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.”

CVE-2009-0010 and CVE-2009-0954, listed for Windows Vista and XP SP3, have similar impacts but are triggered in different circumstances: by opening a maliciously crafted PICT image and by opening a maliciously crafted movie file, respectively. The two vulnerabilities have been addressed in QuickTime 7.6.2 through additional validation of PICT images and through improved bounds checking, respectively.

According to Apple, “QuickTime 7.6.2 includes changes that increase reliability, improve compatibility and enhance security.” The company touts this release as “recommended for all QuickTime 7 users.”

Upon releasing the update, Apple also posted a note to QuickTime 6 Pro users, revealing that QuickTime Pro functionality in prior versions of QuickTime (such as QuickTime 6) would be disabled following the installation of QuickTime 7 or later.
