Apple Update Patches QuickTime Version 6.5.2 Resolves Security Flaw Ryan Naraine
Versions 6.5.1 and earlier of Apple's QuickTime for Windows player contain a security flaw that puts users at risk of computer hijack, the computer maker said in an advisory.
Apple's monthly security update for October includes a fix for the QuickTime vulnerability, which researchers say could lead to buffer overflow attacks in HTML environments.
According to the advisory, an attacker could execute arbitrary code on a user's system via specially crafted HTML documents.
"A sign extension of an overflowed small integer can result in a very large number being passed to a memory move function. The fix prevents the small integer from overflowing," Apple said, noting that this bug only affects Windows systems.
A separate heap buffer overflow was also patched to correct the way the player handles the decoding of BMP images. This flaw affects Mac OS X users and was previously fixed in Apple's September security update.
Research firm Secunia rates the QuickTime issue as "highly critical" and urged users to update to version 6.5.2, which was released Wednesday.
The October advisory also corrects a vulnerability in Apple Remote Desktop, which can be exploited by malicious users to gain root access on a vulnerable system.
Apple said the bug allows a user under certain circumstances during the login process to launch applications behind the login window with root privileges. Successful exploitation requires that the user has a valid account, has been granted "Open and quit applications" privileges, and that fast user switching is enabled.
Apple Remote Desktop users are urged to upgrade to version 2.1
or apply Security Update 2004-10-27 for version 1.x.
