QuickTime 7.1.6 released: Resolves CanSecWest Java flaw

CNET staff

Apple has released QuickTime 7.1.6, quickly patching a previously reported serious flaw that affects the handling of Java applets in Mac OS X Web browsers.

The company's description of the patched flaw is as follows:

"An implementation issue exists in QuickTime for Java, which may allow reading or writing out of the bounds of the allocated heap. By enticing a user to visit a web page containing a maliciously-crafted Java applet, an attacker can trigger the issue which may lead to arbitrary code execution. This update addresses the issue by performing additional bounds checking when creating QTPointerRef objects. Credit to Dino Dai Zovi working with TippingPoint and the Zero Day Initiative for reporting this issue."

QuickTime 7.1.6 is available through Software Update, or as a 43.6 MB standalone download.

For information on how to safely apply this update, see our recently published guide "Applying system updates: A minimalist approach."

Problems after applying this update? Please let us know.
