This article originally appeared in TidBITS on 2007-03-05 at 1:51 p.m.
The permanent URL for this article is: http://db.tidbits.com/article/8899

QuickTime 7.1.5 Patches Panther, Tiger, XP, Vista Exploits

by Glenn Fleishman

Apple has released an update to QuickTime [1] for Mac OS X 10.3.9 and later, Windows XP, and Windows Vista. QuickTime 7.1.5 fixes numerous bugs, along with a flaw that could allow a maliciously crafted file to crash a program employing QuickTime or to execute arbitrary code, a phrase that often means there's a potential for an attacker to gain control of a computer or, at least, install malware.

Affected file types are broad: 3GP videos, MIDI files, native QuickTime movies, images in the venerable PICT file format, and QTIF files. Apple's notes indicate that a user need only open a maliciously crafted file, which means that Web sites could be used to launch attacks by embedding QuickTime documents in the right format.

There have been no reports of this flaw being exploited in the wild. A previous QuickTime flaw related to handling of JavaScript was exploited [2], notably on MySpace. Apple claims to have provided a temporary fix [3] to MySpace, but it's unclear if that fix has made it into QuickTime 7.1.5.

[1]: http://docs.info.apple.com/article.html?artnum=305149
[2]: http://www.securityfocus.com/brief/375
[3]: http://news.com.com/MySpace+to+Apple+Fix+that+worm/2100-7349_3-6141031.html