QuickTime update fixes code-execution holes

By Dan Goodin in San Francisco → More by this author

6 Nov 2007 00:15

Install it now

Once again, there's a new version of QuickTime media player, and if you know what's good for you, you'll install it soon, whether you use Windows or OS X.

Apple issued QuickTime 7.3 on Monday to nix seven bugs that left users vulnerable to online miscreants. Six of the flaws made it possible for attackers to remotely run malicious software on a victim's PC. A seventh, which resided in QuickTime for Java, could allow untrusted Java applets to run with elevated privileges, Apple said in a security advisory on its website.

As Apple's popularity has surged over the years, so too has its appeal to organized criminals. Last week a supplier of security products to Mac users detailed a sophisticated Trojan lurking in the wild that causes OS X users to see spoofed web pages when trying to access eBay and other commerce-related destinations.

QuickTime has long been an attractive target because it is widely installed on a variety of Windows and Mac operating systems. The last major security overhaul for QuickTime came in July, when Apple fixed eight security holes. Last month, the company also patched a Windows-only hole that allowed attackers to inject malicious code onto vulnerable systems. The vast majority of QuickTime attacks require a victim to be tricked into clicking on a malicious link first.

Apple credited a variety of sources for discovery of the latest flaws. They included Adam Gowdiak and employees of 48bits.com, trapkit.de, Adobe and reversemode.com working with TippingPoint and the Zero Day Initiative. ®

8 comments posted — Comment period finished

Track this type of story as a custom Atom/RSS feed or by email.

Mac lambs line up for slaughter (16 January 2008)
Media player users beware: more vulns ahead (10 December 2007)
Latest QuickTime Exploit targets both Macs and PCs (29 November 2007)
Hacker defaces temples to OS X (27 November 2007)
QuickTime streaming media exploit targets unpatched bug (26 November 2007)
Leopard security bug puts Mail users at risk (20 November 2007)
With one bound, Apple is free of 54 security bugs (15 November 2007)
Macs seized by porn Trojan (31 October 2007)
Apple patches Windows QuickTime bug (4 October 2007)
Security maven: QuickTime flaw threatens PCs, Macs (12 September 2007)
Apple TV gets its first critical security patch (20 June 2007)
Apple plugs holes in new Safari beta (14 June 2007)
Apple plugs two QuickTime holes (30 May 2007)
Apple patches more than a dozen holes in OS X (25 May 2007)
Apple patches security hole in QuickTime (2 May 2007)
QuickTime, not Safari, to blame for MacBook vuln (25 April 2007)
Apple QuickTime update lances multiple bugs (6 March 2007)

Top 20 stories All The Week’s Headlines

Whitepapers
Java and J2EE performance The Data Governance Maturity Model Reliable Storage for Microsoft Exchange Life online: Mouse rage!

Breaking Hardware News

Intel ordered to dish documents on deleted antitrust lawsuit e-mails

AMD vs Intel Internal interviews must be disclosed to AMD

Intel has been ordered to hand over secret employee interviews from an internal investigation looking into documents and e-mails that went missing during its antitrust trial with AMD.

Get the ChannelReg newsletters

Related Whitepapers

Webcast : Why Today's Spam Filters Fail
Watch on-line now
Average CPU Power (ACP)
The Truth About Power Consumption Starts Here
The new way to defeat Spam
Increasing productivity with Abaca
Alternate Client Architectures
An overview of alternative architectures to deliver applications to the desktop
Podcast : Why Today's Spam Filters Fail
Listen or download now
Live Migration with AMD-V™ Extended Migration Technology
Live migration functionality works seamlessly across a broad range of AMD64 processors

Top Stories