Apple has issued an updated version of QuickTime 7, now at version 7.7.2, for Windows systems in order to address a number of security flaws. The vulnerabilities listed either do not exist on the Mac version of QuickTime 7, or are already addressed in Lion. Most but not all of the flaws were discovered by researchers working in conjunction with HP’s “Zero Day Initiative” and are duly credited. A total of 17 flaws are addressed in the update.
All the vulnerabilities fixed in v7.7.2 can affect Windows systems running XP SP2 and later, including Vista and Windows 7. Most were invoked by visiting a malicously-crafted website or viewing a maliciously-crafted movie file, which could lead to an unexpected application termination or arbitrary code execution. Bugs were found in QuickTime’s handling of TeXML files, text tracks, H.264 encoded movies, uninitialized memory access issues, rdrf atoms and more.
Five of the errors fixed in 7.7.2 were already addressed in Snow Leopard’s Security Update 2012-001 and in OS X 10.7.3 for Lion. Six of the errors do not affect Macs at all, and a further one dealing with a use-after-free issue in the handling of JPEG2000-encoded movie files was address in OS X 10.7.4 and does not affect older systems. A final five errors do not list any OS X references, leaving it unclear if they aren’t relevant to Mac systems or will soon be addresses with a Mac-specific QuickTime 7 fix. The details of the fixes will eventually be posted to Apple’s security technote.
