Apple Patches QuickTime

Monday, August 24, 2015 @ 04:08 PM gHale

Apple patched nine vulnerabilities when it released QuickTime 7.7.8 for Windows.

The update addresses a series of memory corruption issues that can lead to the unexpected termination of the application or arbitrary code execution, according to the Apple advisory.

Apple Updates Slew of Products
Leveraging OS X Zero Day
Workaround for .NET Bug
Zero Day for Apple App Store, iTunes

Ryan Pentney and Richard Johnson of Cisco Talos, a researcher known as “WalkerFuz,” experts from Fortinet’s FortiGuard Labs, and Apple’s security team found the vulnerabilities.

The vulnerabilities found by Apple, WalkerFuz, and five of the six issues identified by Cisco also ended up patched August 13 in the OS X version of QuickTime 7.

The vulnerabilities reported by Talos researchers are denial-of-service (DoS) flaws that can end up exploited with the aid of specially crafted .MOV files, according to an advisory published by Cisco.

The security bugs are the result of an invalid URL atom size, invalid 3GPP stsd sample description entry size, invalid mhdv atom size, esds atom descriptor type length mismatch, mdat corruption, and tkhd atom matrix corruption.

“Several memory corruption vulnerabilities exist in Apple Quicktime and can manifest themselves due to improper handling of objects in memory. An adversary who crafts a specifically formatted .MOV file can cause Quicktime to terminate unexpectedly, creating a local denial of service condition,” Cisco’s Talos group said in a blog post.

Apple has had a difficult month, as earlier it patched over 100 vulnerabilities with the release of updates for OS X, OS X Server, iOS and Safari. Shortly after the updates released, an Italian researcher revealed the existence of a new local privilege escalation Zero Day vulnerability that affects all versions of OS X Yosemite.