Apple patches 11 QuickTime bugs

Apple Inc. patched QuickTime late Wednesday to fix 11 flaws in the Mac and Windows versions of the media player. All but two of the bugs could be used by hackers to hijack users' machines.

QuickTime 7.4.5 — the third security update Apple has released for the program so far in 2008 — plugs vulnerabilities in how the player handles Java and PICT image files, parses some data objects and uses Animation codec content, among others. Nine of the 11 bugs patched Wednesday were characterized by Apple as allowing "arbitrary code execution," a phrase the company uses to describe the most serious threats. Unlike vendors such as Microsoft Corp. and Oracle Corp., Apple doesn't rank the bugs it fixes with a scoring or labeling system.

Many of the vulnerabilities can be exploited if attackers are able to trick users into visiting malicious Web sites or opening rigged files. Of those in the second category, Apple warned that some of the bugs could be triggered by malicious movie or PICT files. Mac users can upgrade to QuickTime 7.4.5 using the operating system's built-in Software Update feature, while Windows users can either download the new edition from the Apple site or use the optional Windows update tool.

Download: Apple Quicktime v7.4.5 | ~22 MB for Windows (without iTunes)
News Source: Computer World


22 Comments


Apple warned that some of the bugs could be triggered by malicious movie or PICT files

Glad to see they've plugged some holes. Can't speak to it sucking in Windows though as I use OS X. Although, back when I used XP it was definitely slow.

Does it fix the File Type Association take over on Windows XP? After installing the previous version of QT, I was not able to use other programs with certain file types, especially mp3's, QT acted like a virus, not even registry tricks worked.

I'll post the stuff I posted in the Mac Software Updates forum here (just in case it will help anyone):

Just tested it on a clean Vista x64+SP1 system. Embedded quicktime videos play perfectly on the 32bits IE7. HD clips also play well. File associations picking is fixed now. It finally seems to be fully compatible w/ the x64 Windows.


Also, people checked and it doesn't fix the "Quicktime has black controls in Firefox under Vista x64" bug (I couldn't comment on this one since I don't use Firefox).

Avi.

Installing apple software on Windows makes things go wrong, at least in my personal experience.

I installed QT once and got rid of it quick. If sites want to show their videos in .mov I'll just go find them somewhere else.

Apple really starts to bug me.

Not only did the Apple Software Updater "forget" that I told him to ignore the Safari update and never intend to install it (of course the option reappeared because Apple is trying to trick Windows users into installing their browser) but secondly the update shows again Apple's way of forcing users to adopt everything King Jobs decides which is best for their users, without giving them a choice.

After installing the iTunes update, even without ever having run iTunes on my PC, the Apple updater forced all my mp3, wav, aac music files to be played automatically with the damn iTunes by overwriting my previous file associations. I really hate when programs overwrite my settings without even asking my permission.

I guess Apple users are comfortable with that but I am not. As a windows user, I like to have control over my system, knowing where all my files are stored and be able to decide what's best for me by myself.

I really would like to see quicktime and itunes again separated because I will most probably never use iTunes.

Another thing I noticed is that the Apple Updater started itself automatically even without any apple software running. What secret background service have they again installed to perform this? And why does the installer not ask me if I want to install the Apple Mobile device support or not because I don't want to install... ever

(vacs said @ #3)
After installing the iTunes update, even without ever having run iTunes on my PC, the Apple updater forced all my mp3, wav, aac music files to be played automatically with the damn iTunes by overwriting my previous file associations. I really hate when programs overwrite my settings without even asking my permission.

Yes, Windows often gets complained about because it's so "nagging" and makes users take more decisions, when Apple "just works" with a minimum of user interaction. However, if not done right and the designers are *too* afraid of asking, it can lead to problems like these. There are extremes on both sides that are best avoided, IMHO.

I had the exact same problem in Windows XP with "Malicious Software Removal Tool". I can't get Auto-Update to leave me the FRICK alone!

Sidebar: Does anyone know how to get "Malicious Software Removal Tool" to stop being in the update queue? I always deselect it and tell it not to remind me again. But damnit, it's always there! Always!

(vacs said @ #3)
I really would like to see quicktime and itunes again separated because I will most probably never use iTunes.

iTunes depends on QuickTime, so you can't have iTunes without QT. However, you can have QT without iTunes. Just get the QT-only installer. When you go to QT's download page it gives you an option with iTunes and without iTunes.

Even if you did accidentally install iTunes, you can just uninstall it. Uninstalling iTunes doesn't uninstall QuickTime.

(Axon said @ #3.2)
I had the exact same problem in Windows XP with "Malicious Software Removal Tool". I can't get Auto-Update to leave me the FRICK alone!

Sidebar: Does anyone know how to get "Malicious Software Removal Tool" to stop being in the update queue? I always deselect it and tell it not to remind me again. But damnit, it's always there! Always!

It is because a new version is released every month..

(rob.derosa said @ #5)
It is because a new version is released every month..

It's the same software though. All they're doing is updating the definitions and giving it a new name. Sounds kind of like a point update to me.

Right, to some extent. Though MS has made changes to ActiveX and IE in general so you can lock it down and not have to worry.

I don't remember the last ActiveX related patch for IE7 though. I guess it's stopped being an issue for me with IE7 and its add-on manager.

The Mac and Windows versions don't match up. For OS X you're right, the newest is 7.6.2 but this is the latest for Windows.