14 DAY TRIAL // The newly released Apple QuickTime 7.7 addresses a number of critical vulnerabilities, most of which can be exploited to execute arbitrary code on targeted systems.
The new QuickTime version is available for Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows 7, Vista, and XP SP2 or later.
In total, fourteen vulnerabilities that can be exploited by tricking victims into opening malformed files were patched.
This means that some of these flaws have remote exploitation vectors, either through the browser plugins or through network shares.
In particular, the vulnerabilities concern QuickTime's handling of pict, JPEG2000, WAV, QuickTime movie, JPEG, GIF, H.264, QTL and other movie files.
Four arbitrary code execution weaknesses concern the handling of STSC, STSS, STSZ and STTS atoms in QuickTime movie files.
They were all discovered by Matt 'j00ru' Jurczyk and reported through TippingPoint's Zero Day Initiative program. Another vulnerability discovered by Luigi Auriemma stems from the handling of audio channels in movie files in general.
It's worth noting that none of the fourteen patched vulnerabilities affect Mac OS X systems. One vulnerability results in cross-site disclosure of video data.
"A cross-origin issue existed in QuickTime plug-in's handling of cross-site redirects. Visiting a maliciously crafted website may lead to the disclosure of video data from another site. This issue is addressed by preventing QuickTime from following cross-site redirects," Apple explains in its security advisory.
QuickTime is a valuable target for cyber criminals because it is installed on a very large number of computers. Almost all people who own an iPod, iPhone or iPad, use iTunes and QuickTime for audio and video playback.
The latest version of QuickTime for Windows can be downloaded from here. The latest version of QuickTime for Mac can be downloaded from here.