Feeds

Apple plugs two QuickTime holes

Second security patch in less than a week

Beginner's guide to SSL certificates

Apple has plugged two holes in its QuickTime media player that could create serious security problems for people tricked into visiting malicious websites. The release, which is available for both Windows and Mac platforms, is Apple's second security patch in less than a week.

The most serious of the two vulnerabilities involves QuickTime's implementation of Java, which could allow for the manipulation of objects outside what should be allowed by the allocated heap.

"By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker can trigger the issue which may lead to arbitrary code execution," Apple said in this advisory.

Apple gave credit to John McDonald, Paul Griswold, and Tom Cross of IBM Internet Security Systems X-Force and Dyon Balding of Secunia Research for reporting the flaw.

The other vulnerability also resides in the way QuickTime works with Java and could allow a maliciously crafted applet to read a web browser's memory. That could allow an attacker access to potentially sensitive information, Apple said.

If it seems like Apple security team has been working overtime, it's because it has. On Thursday, the maker of the increasingly popular iMac and iBook released its fifth mega patch in as many months. This fixed more than a dozen security vulnerabilities in OS X. Less than three weeks earlier, Apple patched another hole in QuickTime that could also allow a booby-trapped website to execute malicious code on unwitting Mac users.

QuickTime has emerged as one of the more vulnerable Apple packages, with at least four security updates this year. QuickTime's susceptibility is due in part to its ability to run on both Windows and OS X and its wide use (and occasional abuse) on sites such MySpace.

Apple's update is here. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
NOKIA - Not FINNished yet! BEHOLD the somewhat DULL MYSTERY DEVICE!
N1 mini-'slab to plop into crowded pond next year
Heyyy! NICE e-bracelet you've got there ... SHAME if someone were to SUBPOENA it
Court pops open cans of worms and whup-ass in Fitbit case
SLURP! Flick your TONGUE around our LOLLIPOP – Google
Android 5 is coming – IF you're lucky enough to have the right gadget
Fujitsu CTO: We'll be 3D-printing tech execs in 15 years
Fleshy techie disses network neutrality, helmet-less motorcyclists
Space Commanders rebel as Elite:Dangerous kills offline mode
Frontier cops an epic kicking in its own forums ahead of December revival
VINYL is BACK and you can thank Sonos for that
The format that wouldn’t die is officially in remission
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The Heartbleed Bug: how to protect your business with Symantec
What happens when the next Heartbleed (or worse) comes along, and what can you do to weather another chapter in an all-too-familiar string of debilitating attacks?
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.