Apple has released an update for its media player Quicktime, on Windows, patching multiple vulnerabilities that result in the crashing of the software and some cases – remote code execution.
Tech behemoth Apple has pushed out an entirely new version of its native media player Quicktime for Windows PCs. The new version is addressed to patch nine vulnerabilities and is compatible with Windows 7 and Windows Vista, Apple revealed by releasing an advisory.
Elaborating on the vulnerabilities:
- Five out of the nine vulnerabilities, if exploited could potentially lead to the crash of the media player software or worse – remote execution.
- Two other vulnerabilities reported by Cisco and Fortinet are also vulnerable to remote code execution attacks.
- QuickTime software versions before 7.7.8 and running on Windows are also susceptible to CVE-2015-5785 and -5786. These are memory corruption errors.
Confirming the entirely unfortunate scenario that involves remote execution of arbitrary code, a SecurityTracker advisory read:
“A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user’s system.”
Related news: Apple Fixes Safari Bugs with New Patch
The software update for QuickTime is pushed out a week after a massive update that patched plenty of vulnerabilities in Mac OS X, OS X Server and IOS. One of the vulnerabilities included a critical privilege escalation bug that was disclosed a month before the patch.
Significantly, critical zero-day vulnerabilities discovered in OS X last weekend have still not been patched by Apple. The bugs were found by a teenager in Italy who went public with the information and the proof of concept code, not long after uncovering them. The two vulnerabilities are open to the bypass of security features and privilege escalation. These vulnerabilities affect OS X Yosemite and OS X Mavericks, but the current beta version of OS X codenamed El Capitan isn’t affected.
Apple has also confirmed that memory handling to contain denial-of-service and arbitrary code execution has been increased. The denial-of-service vulnerabilities specifically affect QuickTime versions 7.7.5 and 7.7.6 on 32-bit Windows computers.
After reporting the vulnerabilities, Cisco also added that:
- CVE-2015-3788 is marked as an invalid URL. There’s a flaw in the URL which enables the attacker to control and modify the size of a URL atom present in a .mov file. The exploit usually leads to QuickTime crashing on a Windows PC.
- CVE-2015-3789 is the vulnerability exploited when entries and a description table included in a 3GPP .mov file is controlled by an attacker.
Additional vulnerabilities can be found here, within Apple’s advisory.