QuickTime security flaw reported

Nov 26, 2007 07:58 GMT  ·  By

Apple's QuickTime, the multimedia player that handles so many formats, is once again the subject of security advisories: SecurityFocus has found a new flaw in versions 7.2 and 7.3. The same source reported that the vulnerability is caused by the way QuickTime handles "specially crafted RTSP Response headers", and although the flaw was confirmed only in these two versions, it may affect other releases of the application as well. At this time there is no official report of a successful exploitation of the flaw, but any attacker who wants to take advantage of it has to "entice an unsuspecting user to connect to a malicious RTSP server."

"Apple QuickTime is prone to a remote buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied input before copying it to an insufficiently sized stack-based memory buffer," SecurityFocus wrote in the advisory. "Attackers can leverage this issue to execute arbitrary machine code in the context of the user running the affected application. Successful exploits will compromise the application and possibly the underlying computer. Failed attacks will likely cause denial-of-service conditions."
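To show what the missing bounds check in the advisory's description amounts to, here is an added example (not code from the advisory and not QuickTime's own code) of a parser for one RTSP response header line that refuses to copy a value into its fixed-size stack buffer when the value does not fit; the function names, the 64-byte buffer size and the sample lines are assumptions:

```c
/* Bounds-checked handling of one RTSP response header line ("Name: value").
 * The bug class described above is a copy of attacker-controlled header data
 * into a fixed-size stack buffer with no length check; here the copy is refused
 * instead. Names, sizes and sample lines are illustrative assumptions. */
#include <stdio.h>
#include <string.h>

#define RTSP_VALUE_MAX 64   /* assumed fixed buffer size for a header value */

enum hdr_result { HDR_OK = 0, HDR_MALFORMED = -1, HDR_TOO_LONG = -2 };

/* Copy the value part of "Name: value" into out (capacity out_sz).
 * Never writes more than out_sz bytes; NUL-terminates on success. */
static int rtsp_header_value(const char *line, char *out, size_t out_sz)
{
    const char *colon = strchr(line, ':');
    if (colon == NULL || colon == line)
        return HDR_MALFORMED;               /* no "Name:" part at all */
    const char *val = colon + 1;
    while (*val == ' ' || *val == '\t')
        val++;                              /* skip optional whitespace */
    size_t len = strcspn(val, "\r\n");      /* value ends at CRLF */
    if (len >= out_sz)
        return HDR_TOO_LONG;                /* the check the vulnerable code lacked */
    memcpy(out, val, len);
    out[len] = '\0';
    return HDR_OK;
}

/* Parse a line into a stack buffer of RTSP_VALUE_MAX bytes, as a player's
 * header handler would, and report the result code. */
int check_rtsp_header_line(const char *line)
{
    char value[RTSP_VALUE_MAX];
    return rtsp_header_value(line, value, sizeof value);
}

int main(void)
{
    /* Constructed sample lines, not captured traffic. */
    const char *ok = "Content-Base: rtsp://example.invalid/stream/\r\n";
    char big[600];
    memset(big, 'A', sizeof big);            /* an over-long value of 'A's */
    memcpy(big, "Content-Base: ", 14);
    memcpy(big + sizeof big - 3, "\r\n", 3); /* CRLF plus terminating NUL */
    printf("ok line   -> %d\n", check_rtsp_header_line(ok));            /* 0 */
    printf("long line -> %d\n", check_rtsp_header_line(big));           /* -2 */
    printf("no colon  -> %d\n", check_rtsp_header_line("garbage\r\n")); /* -1 */
    return 0;
}
```

A real player would treat HDR_TOO_LONG as a protocol error and drop the connection rather than truncating silently, since a truncated header can change the meaning of the response.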

Apple hasn't said a word about the vulnerability yet, but the Cupertino company has always managed to patch reported flaws very quickly, so we expect a fix any time soon.

This isn't the first time QuickTime has been open to attack because of more or less critical vulnerabilities in its engine, so you should always keep an eye on the security advisories to know when it's time to update the application.

QuickTime can be downloaded straight from Softpedia. The Windows version is available here, while the Mac version can be obtained using this link. The report didn't mention whether only one of the two versions of QuickTime is affected by the flaw, but since it confirmed the hole in the 7.2 and 7.3 releases, I guess both the Windows and Mac versions will need to be updated soon. However, we're still waiting for an official statement from the Cupertino company.