Cross-platform QuickTime vulnerability gets a fix
Last week, we reported on a security vulnerability in QuickTime that affected all Java-enabled browsers on both Mac and Windows platforms. The hole allowed malicious code to be executed through a simple web page or e-mail, and it was said to be as serious as the animated cursor flaw that hit several versions of Windows back in March. Well, as CNet now reports, Apple has patched the vulnerability by releasing new versions of QuickTime numbered 7.1.6. The Windows release can be downloaded from this page, while the Mac version is up over here.
Apple has also put up a note on its support site that provides more details about the flaw. According to Apple, the problem lies with a QuickTime for Java implementation issue that "may allow reading or writing out of the bounds of the allocated heap," which can lead to arbitrary code execution if a user runs a malicious Java applet. The patch fixes the hole by "performing additional bounds checking when creating QTPointerRef objects."