Apple has released updates for both iTunes and QuickTime, which contain a number of security fixes. The QuickTime 7.6.2 update (information here) includes fixes for maliciously crafted movie, FLC, PSD and PICT files, among others, which could lead to “unexpected application termination or arbitrary code execution.” This is a 57 MB update for Mac OS X 10.5, and a 48 MB update for 10.4.
Macworld is reporting that instructions for finding one of the QuickTime flaws was “hidden” in a recent book on hacking Mac OS X written by Charlie Miller and Dino Dai Zovi. “Miller disclosed during a talk at the CanSecWest conference in March that he had hidden instructions for finding the flaw in his book. After members of Apple’s security team approached him at the conference to ask about the issue, he handed over the exploit code.”
The iTunes update (information here) fixes a single vulnerability which only affects Mac OS X 10.4 and Windows: “A stack buffer overflow exists in iTunes when parsing “itms:” URLs. Accessing a maliciously crafted “itms:” URL may lead to an unexpected application termination or arbitrary code execution.” It also contains bug fixes and compatibility for the forthcoming version of the iPhone OS. It is a 72 MB update.
Users are advised to apply these updates as soon as possible. Many users don’t realize that QuickTime is used by Mac OS X for all video and image viewing, and is therefore a very commonly used component.