Apple patches QuickTime for Windows
If you’re a Windows user who normally takes no notice of Apple’s update prompts (particularly when they’re trying to palm Safari off on you), make sure you do install the latest update to the QuickTime player. It fixes a security flaw.
The updated version is 7.6.7. It fixes a buffer overflow vulnerability: a bug in which data meant to be confined to one region of memory is allowed to spill over into adjacent memory, giving an attacker the chance to run unauthorized code on the machine. The issue affects QuickTime on Windows only, not on Mac systems.
According to Apple, the problem lies in QuickTime’s error logging. It could be exploited if a user opened a “maliciously crafted movie file”. The fix simply disables that logging rather than correcting the underlying code, so it wouldn’t be surprising to see Apple issue a more thorough remedy later on.
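To make the “crafted movie file overflows a logging buffer” pattern concrete, here is an added example (written for this article, not QuickTime’s own code; Apple has not published the affected routine). It assumes a toy atom layout of a 4-byte big-endian size field, a 4-byte type code and a payload, and a logger that writes the offending atom into a fixed-size stack buffer. The size field comes straight from the file, so the “before” version trusts attacker data as a copy length; the hardened version validates it first. The sample atoms are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy atom layout (an assumption for this example, not QuickTime's real
   parser): 4-byte big-endian size covering the header, 4-byte type code,
   then payload. On a malformed atom the player logs its type and payload. */
#define ATOM_HDR 8
#define LOG_BUF  64

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* VULNERABLE pattern: the size field is read from the file and used as
   the copy length into a fixed stack buffer. An atom declaring
   size > LOG_BUF + ATOM_HDR writes past 'line' into the rest of the
   stack frame. Kept only as the "before"; never call it on untrusted
   input (and main() below does not call it at all). */
void log_bad_atom_unsafe(const uint8_t *atom) {
    char line[LOG_BUF];
    uint32_t size = be32(atom);
    memcpy(line, atom + ATOM_HDR, size - ATOM_HDR);   /* no bounds check */
    line[size - ATOM_HDR] = '\0';                     /* also out of bounds */
    fprintf(stderr, "bad atom %.4s: %s\n", (const char *)atom + 4, line);
}

/* Hardened: check the declared size against the bytes actually present
   and cap how much payload is logged, then let snprintf bound the write.
   Returns 0 and fills 'out' on success, -1 if the atom is rejected. */
int log_bad_atom_safe(const uint8_t *atom, size_t avail,
                      char *out, size_t outlen) {
    if (avail < ATOM_HDR) return -1;                 /* truncated header */
    uint32_t size = be32(atom);
    if (size < ATOM_HDR || size > avail) return -1;  /* lies about length */
    size_t payload = size - ATOM_HDR;
    if (payload > 16) payload = 16;                  /* log at most 16 bytes */
    int n = snprintf(out, outlen, "bad atom %.4s: %.*s",
                     (const char *)atom + 4, (int)payload,
                     (const char *)atom + ATOM_HDR);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Constructed sample input, not taken from any real file. */
const uint8_t good_atom[] = {
    0x00, 0x00, 0x00, 0x0c, 'm', 'o', 'o', 'v', 'h', 'i', '!', '\0' };   /* size 12 */
const uint8_t evil_atom[] = {
    0x7f, 0xff, 0xff, 0xff, 'm', 'o', 'o', 'v', 'A', 'A', 'A', 'A' };    /* claims 2 GiB */

int main(void) {
    char out[LOG_BUF];
    if (log_bad_atom_safe(good_atom, sizeof good_atom, out, sizeof out) == 0)
        puts(out);                                   /* bad atom moov: hi! */
    if (log_bad_atom_safe(evil_atom, sizeof evil_atom, out, sizeof out) != 0)
        puts("rejected crafted atom");
    return 0;
}
```

The two checks that matter are the ones the unsafe version skips: the declared size must not exceed the bytes that actually exist, and the amount copied must never exceed the destination. Disabling the logger, as Apple did, removes the write entirely; the bounds checks are what a proper fix of the parser would need.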
Even if you don’t knowingly use the QuickTime player, the update is worth installing: some online videos in the appropriate formats are played by QuickTime directly in the browser, so a crafted file can reach the player without you ever opening it deliberately.
The update follows a separate issue with version 7.6.6 that could lead the player to download malware. It isn’t a bug as such, but rather a feature that allows a movie file to automatically open a URL.
At least two files, both purporting to be copies of the recent Angelina Jolie movie Salt, used this to open a page that prompts the user to download a video codec. Because the video itself is just a short clip with no picture (a giveaway is that the file is far smaller than a feature film would be), some users might agree to the prompt, but what they would actually be downloading is malicious software.
As Apple regards this as a social engineering trick rather than a security flaw, it appears the company hasn’t removed the URL feature in this latest update. As usual, if you’re going to download copyright-infringing material, the best advice is to think with your head rather than any other appendage.