14 DAY TRIAL // The latest version of Apple’s QuickTime media player for Windows operating system addresses a total of nine memory corruption issues that could ultimately allow executing arbitrary code.
Most of them were reported through HP’s Zero Day Initiative program and at the moment have not been detailed.
Cisco details remote code execution flaw
One vulnerability, identified as CVE-2015-3667, was disclosed to the developers by security researchers Ryan Pentney and Richard Johnson at Cisco’s Talos group and by Kai Lu from Fortinet.
If successfully exploited, it could lead to remote code execution by serving the victim a maliciously crafted file.
In a blog post on Tuesday, Cisco experts say that the attacker would need to corrupt an STBL atom included in a MOV video file to create an out-of-bounds read condition.
Continuing the attack would create a use-after-free scenario that can allow running rogue code on the affected machine.
An atom is a container with metadata about the movie. The researchers provided technical details about the bug, explaining how the data inside an STBL atom can be controlled.
Vulnerabilities impact Windows users
QuickTime is far from being the most popular media player on Windows, but the Pro version packs features that allow converting between different media formats for viewing on Apple devices or for sharing over the web. It also includes video editing functions, such as annotations or adding a new sound track.
The vulnerabilities solved in version 7.7.7 of the product can be exploited on Windows 7 and Windows Vista.
Along with patches for QuickTime, Apple has also released over 30 security updates for its mobile operating system, with the release of iOS 8.4.
Users are highly recommended to install the update as soon as possible because it addresses significant security issues.