Article

Apple fixes multiple QuickTime flaws

Bill Brenner

Apple Computer Inc. has fixed a variety of QuickTime flaws attackers could exploit to cause a denial of service or launch malicious code.

The security holes affect Mac OS X and Windows platforms where the media player is running.

Requires Free Membership to View

Apple has released an updated version of QuickTime, 7.0.4, to fix the problems.

According to the Cupertino, Calif.-based company:

The first problem is that a maliciously-crafted QTIF image could be used to launch malicious code. "By carefully crafting a corrupt QTIF image, an attacker can trigger a heap buffer overflow that may result in arbitrary code execution," Apple said. "This update addresses the issue by performing additional validation of GIF images."

The second problem is that viewing a maliciously-crafted TGA image could be used to launch malicious code. "By carefully crafting a corrupt TGA image, an attacker can trigger a buffer overflow, integer overflow, or integer underflow that may result in a denial of service or arbitrary code execution," Apple said. "This update addresses the issue by performing additional validation of TGA images."

The third problem is that viewing a maliciously-crafted TIFF image could be used to launch malicious code. "By carefully crafting a corrupt TIFF image, an attacker can trigger an integer overflow that may result in a denial of service or arbitrary code execution," Apple said. "This update addresses the issue by performing additional validation of TIFF images."

The fourth problem is that a maliciously-crafted GIF image could be used to launch malicious code. "By carefully crafting a corrupt GIF image, an attacker can trigger a heap buffer overflow that may result in arbitrary code execution," Apple said. "This update addresses the issue by performing additional validation of GIF images."

The fifth problem is that a maliciously-crafted media file could be used to launch malicious code. "By carefully crafting a corrupt media file, an attacker can trigger a heap buffer overflow that may result in arbitrary code execution," Apple said. "This update addresses the issue by performing additional validation of media files."