Apple updates QuickTime, fixing a number of remote code execution flaws. One security researcher expects malware writers to launch exploits via drive-by attacks.
A new version of QuickTime plugs security holes that leave users open to remote code execution attacks by hackers.
In Version 7.6, Apple covered seven such flaws that could be exploited by malicious media files or other techniques. The upgrade is available for Mac OS X v10.4.9 – v10.4.11 and Mac OS X v10.5 or later, as well as for Microsoft Windows Vista and Windows XP SP2 and SP3.
Several of the bugs involve heap buffer overflows. One lies in QuickTime’s handling of RTSP (Real Time Streaming Protocol) URLs. According to the advisory, accessing a rogue RTSP URL may lead to a crash or arbitrary code execution.
Another lies in how QuickTime processes AVI movie files that could also lead to either a crash or remote code execution. The update fixes the issue through improved bounds checking.
Two other heap buffer overflow bugs exist in QuickTime’s handling of THKD atoms in QuickTime Virtual Reality movie files and its handling of JPEG atoms in QuickTime movie files. The final heap buffer overflow is due to a signedness issue involving the use of Cinepak encoded movie files that can be exploited by rogue movie files.
Other security flaws in the update are a buffer overflow that exists in the handling of MPEG-2 video files with MP3 audio content, as well as a memory corruption issue that can be exploited by malicious H.263 encoded movie files.
QuickTime is no stranger to malware authors. Andrew Storms, director of security for nCircle, expects malware targeting these flaws to surface as drive-by attacks.
“Any user watching Internet videos with QuickTime could easily become infected with a single click,” Storms said. “You don’t have to look any further than yesterday’s huge Internet audience watching [President Barack Obama’s] inauguration online to get a sense of the potential impact of these vulnerabilities. Web video has huge potential for every malware author.”