Apple patches QuickTime for Macs, Windows

Seven serious security flaws in QuickTime media player software put both Windows PCs and Macs at risk of attack.

Joris Evers Staff Writer, CNET News.com

Joris Evers covers security.

Joris Evers

Sept. 13, 2006 6:24 a.m. PT

Apple Computer on Tuesday released an update to its QuickTime media player software that fixes seven security flaws, all of them serious.

The QuickTime vulnerabilities affect both Windows and Apple Mac OS X machines. Apple's update comes on the same day the company announced new digital music and video plans. Also, Microsoft on Tuesday released fixes for Office and Windows flaws.

The security flaws in QuickTime are all due to the application's failure to properly check and sanitize files in several formats: H.264, QuickTime, FLC, FlashPix and SGI. An attacker could craft a malicious file in any of those formats which, when opened, would fully compromise a vulnerable system or cause QuickTime to crash.

"A successful exploit may result in a remote compromise of the underlying computer," Symantec said in an alert sent to users of its DeepSight security intelligence service.

There are no known exploits for the flaws, Symantec said. This limits the threat. Apple regularly provides security updates for QuickTime, and often the flaws are in the handling of various file formats. Experts have said that cyberattackers are increasingly looking for flaws in applications.

Apple repaired the flaws in version 7.1.3 of QuickTime, which is available via the company's Software Update service and from the QuickTime Web site.