Software Update

Sep 10, 2009 12:18 GMT

QuickTime 7.6.4 includes changes that increase reliability, improve compatibility and enhance security, according to Apple. Recommended for all QuickTime 7 users, the new version also adds security fixes – three, to be precise, for Mac OS X v10.4.11, Mac OS X v10.5.8, Windows 7, Vista and XP SP3.

In the Support section of its website, Apple reveals that installing QuickTime 7.6.4 will disable the QuickTime Pro functionality in prior versions of QuickTime, such as QuickTime 6. The company behind the Mac operating system advises QuickTime 6 Pro users to purchase a QuickTime 7 Pro registration code and then proceed with this installation, in order to regain QuickTime Pro functionality.

As for the security side of the update, Apple has patched three holes in the player, all affecting users of Mac OS X v10.4.11, Mac OS X v10.5.8, Windows 7, Vista and XP SP3.

“A buffer overflow exists in QuickTime's handling of MPEG-4 video files,” the description of one of the vulnerabilities reads. “Opening a maliciously crafted MPEG-4 video file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.” Apple credits Alex Selivanov for reporting the issue.

“A heap buffer overflow exists in QuickTime's handling of FlashPix files,” the support document detailing the security content of the update continues. “Viewing a maliciously crafted FlashPix file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking,” Apple says. Damian Put, working with TippingPoint and the Zero Day Initiative, reported this issue, according to the company run by Steve Jobs.

Lastly, QuickTime's handling of H.264 movie files also exposes the software to a heap buffer overflow, where “viewing a maliciously crafted H.264 movie file may lead to an unexpected application termination or arbitrary code execution,” according to the bug’s description. “This update addresses the issue through improved bounds checking,” Apple says, noting that an anonymous researcher working with TippingPoint and the Zero Day Initiative was able to point it out to the company so it could issue a fix.
