14 DAY TRIAL // Alongside the updates to iTunes, GarageBand and the MobileMe Control Panel (exclusive to Windows users), Apple has posted an update to its QuickTime media player. Bringing the software to version 7.6.2, the Mac maker has increased reliability, improved compatibility and enhanced the security of QuickTime on both Mac and Windows.
In the Support section of its web site, Apple describes the latest update to QuickTime as follows:
About QuickTime 7.6.2 for Mac QuickTime 7.6.2 includes changes that increase reliability, improve compatibility and enhance security.
This release is recommended for all QuickTime 7 users.
On a more detailed note, Apple reveals that QuickTime 7.6.2 improves compatibility with Apple ProRes media, while adding support for iTunes 8.2, the just-released update to iTunes, which, for its part, adds iPhone OS 3.0 support.
As with iTunes 8.2, QuickTime 7.6.2 has a security side as well. QuickTime, however, had many more holes to plug – 10, to be precise. Particularly, one of the addressed issues (available for Mac OS X v10.4.11, Mac OS X v10.5.7, Windows Vista and XP SP3) has been discovered by Charlie Miller of Independent Security Evaluators and Damian Put working with TippingPoint's Zero Day Initiative. Miller, as readers should know, is the winner of the CanSecWest Pwn2Own hacking contest, awarded first place for compromising an Apple MacBook through a Safari flaw.
The security researcher's latest find was that “viewing a maliciously crafted JP2 image may lead to an unexpected application termination or arbitrary code execution,” in earlier QuickTime versions. The flaw is described as follows:
A heap buffer overflow exists in QuickTime's handling of JP2 images. Viewing a maliciously crafted JP2 image may lead to an unexpected application termination or arbitrary code execution.
Crediting Charlie Miller and Damian Put for reporting this issue, Apple claims to have patched this vulnerability through improved bounds checking.
Apple also posts a note to QuickTime 6 Pro users revealing that “Installing QuickTime 7 or later will disable the QuickTime Pro functionality in prior versions of QuickTime, such as QuickTime 6. If you are a QuickTime 6 Pro user and you proceed with this installation, you will need to purchase a QuickTime 7 Pro registration code in order to regain QuickTime Pro functionality,” Apple explains. Therefore, users are required to visit the Apple Online Store to purchase a QuickTime 7 Pro registration code, after installation.