Version 7.7 of Apple’s QuickTime software is available for Windows and the 10.5 generation of OS X. The new version addresses 14 vulnerabilities.
In particular, the vulnerabilities concern QuickTime’s handling of PICT, JPEG2000, WAV, QuickTime movie, JPEG, GIF, H.264, QTL and other movie files.
Four arbitrary code execution weaknesses concern the handling of STSC, STSS, STSZ and STTS atoms in QuickTime movie files.
They were all discovered by Matt ‘j00ru’ Jurczyk and reported through TippingPoint’s Zero Day Initiative program. Another vulnerability discovered by Luigi Auriemma stems from the handling of audio channels in all movie files.
It’s worth noting that none of the fourteen patched vulnerabilities affect Mac OS X systems.
One vulnerability concerns the cross-site disclosure of video data. “A cross-origin issue existed in QuickTime plug-in’s handling of cross-site redirects. Visiting a maliciously crafted website may lead to the disclosure of video data from another site. This issue is addressed by preventing QuickTime from following cross-site redirects,” Apple explains in its security advisory.
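The fix Apple describes, refusing to follow a redirect that leaves the original site, can be sketched as a redirect walker that compares origins at every hop. This is an added example, not Apple's code; `followSameOriginOnly`, the `lookup` stand-in for the network and the `example.test` URLs are assumptions constructed for illustration.

```javascript
// Added illustration; not Apple's code. Models a media fetcher's redirect policy.
const REDIRECT_CODES = new Set([301, 302, 303, 307, 308]);

// Origin = scheme + host + port; URL.origin normalises host case and default ports.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// `lookup` is a hypothetical stand-in for the network: url -> { status, location }.
function followSameOriginOnly(startUrl, lookup, maxHops = 5) {
  let current = new URL(startUrl).href;
  const hops = [];
  for (let i = 0; i <= maxHops; i++) {
    const res = lookup(current);
    if (!res) return { ok: false, reason: "no-response", url: current, hops };
    if (!REDIRECT_CODES.has(res.status)) {
      return { ok: true, url: current, hops }; // final resource, never left the origin
    }
    if (!res.location) {
      return { ok: false, reason: "missing-location", url: current, hops };
    }
    // Location may be relative; resolve it against the URL that issued it.
    const next = new URL(res.location, current).href;
    // Compare with the origin of the URL the page asked for, not the previous hop.
    if (!sameOrigin(startUrl, next)) {
      return { ok: false, reason: "cross-origin-redirect", url: next, hops };
    }
    hops.push(next);
    current = next;
  }
  return { ok: false, reason: "too-many-redirects", url: current, hops };
}

// Constructed sample responses (example.test hosts are placeholders).
const SAMPLE = {
  "https://media.example.test/clip": { status: 302, location: "/cdn/clip.mov" },
  "https://media.example.test/cdn/clip.mov": { status: 200 },
  "https://media.example.test/bounce": { status: 302, location: "https://intranet.example.test/private.mov" },
  "https://intranet.example.test/private.mov": { status: 200 },
  "https://media.example.test/port": { status: 307, location: "https://MEDIA.example.test:443/cdn/clip.mov" },
  "https://media.example.test/downgrade": { status: 301, location: "http://media.example.test/cdn/clip.mov" },
};
const sampleLookup = (url) => SAMPLE[url];
```

A scheme change counts as a different origin, so the `downgrade` entry is refused just like the `bounce` entry that points at another host.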
QuickTime is a valuable target for cyber criminals because it is installed on a very large number of computers. Almost everyone who owns an iPod, iPhone or iPad uses iTunes, and iTunes uses QuickTime for audio and video playback.
The latest version of QuickTime for Windows and Mac can be downloaded from here.