Apple Inc. patched seven bugs in QuickTime today as it updated the media player to version 7.3 for both Mac OS X and Windows. To quash yet another Java-related vulnerability, Apple zapped QuickTime for Java. All but one of the vulnerabilities would be ranked critical by other vendors, but Apple does not rate flaws or assign an urgency score to patches. Instead, it uses the phrasing “arbitrary code execution” to note bugs which could be used by attackers to inject their own malicious software into an unpatched machine.
Two of the seven vulnerabilities are in QuickTime’s rendering of PICT images, one in how the player handles the QTVR (QuickTime Virtual Reality) file format, three in its movie file management, and one in how it works with Java applets.
The six flaws that involve image or video file formats can be exploited by attackers able to dupe users into opening malformed files, while the seventh — the one related to Java — could be leveraged simply by getting a user to a Web site with a malicious applet. That vulnerability, however, can only result in remote code execution if the attacker has some, if only limited, access rights to the target Mac or PC, said Apple.
To reduce the player’s attack surface, Apple essentially gave up on Java. Rather than patch the code yet again, it simply disabled QuickTime for Java in most situations. “This update addresses the issues by making QuickTime for Java no longer accessible to untrusted Java applets,” the accompanying advisory read.
Java has been a major problem for QuickTime. Apple has repeatedly patched the program against Java vulnerabilities, including a May answer for a bug that was used by a researcher to claim a $10,000 hack challenge prize, and a July update that fixed four more Java flaws.
QuickTime can be updated using Mac OS X’s built-in Software Update feature, while Windows XP and Vista users can either download QuickTime 7.3 from the Apple Web site or use the Windows-only update tool packaged with earlier editions.
Apple also refreshed iTunes, bumping it up to version 7.5 by fixing unspecified performance and stability bugs, as well as extending iPhone activation “wherever service is offered.” The iPhone activation enhancements were necessary because on Friday, the iPhone goes on sale in the U.K. and Germany, where customers will use the software to activate their devices and sign up with mobile service providers O2 Ltd. and T-Mobile International AG, respectively.