Apple Computer Tuesday updated its QuickTime media player to fix eight critical security vulnerabilities that leave both the player and the company's popular iTunes software open to attack.
The bugs in QuickTime, Apple revealed in a security advisory, are in how the player parses a number of image file formats, including .gif, .tif, and .tga, as well as in other media file formats. Attackers who craft special files, and deliver those files to unsuspecting users, could trigger integer or heap buffer overflows, crash the computer and/or run code of their own choosing.
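The advisory describes the bug class (integer or heap buffer overflows triggered while parsing crafted image headers) but not Apple's code. The following is an added, constructed illustration of that class, not QuickTime's parser and not any real file format's layout: a simplified 12-byte header carrying width, height and bytes-per-pixel, with the unchecked size computation that lets a crafted header wrap the allocation size beside the checked form a hardened decoder uses. The header layout, the `MAX_PIXEL_BYTES` policy limit and all function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed, simplified image header (assumption for this example, not a
 * real format): three little-endian 32-bit fields. The size arithmetic is
 * the part that matters, and it is the same whatever the container. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bytes_per_pixel;
} img_header_t;

/* Parse the 12-byte header from an untrusted buffer. Returns 0 on success. */
static int read_header(const uint8_t *buf, size_t len, img_header_t *h) {
    if (buf == NULL || len < 12) return -1;
    uint32_t f[3];
    for (int i = 0; i < 3; i++) {
        f[i] = (uint32_t)buf[4 * i]
             | ((uint32_t)buf[4 * i + 1] << 8)
             | ((uint32_t)buf[4 * i + 2] << 16)
             | ((uint32_t)buf[4 * i + 3] << 24);
    }
    h->width = f[0];
    h->height = f[1];
    h->bytes_per_pixel = f[2];
    return 0;
}

/* Vulnerable pattern: the pixel buffer size is computed in 32-bit unsigned
 * arithmetic and passed straight to the allocator. A crafted header makes
 * the product wrap to a small value; the allocation is tiny, and the pixel
 * copy that follows (sized from width and height again) writes past it.
 * Returns the wrapped size such code would hand to malloc(). */
uint32_t pixel_bytes_unchecked(const img_header_t *h) {
    return h->width * h->height * h->bytes_per_pixel;   /* wraps silently */
}

/* Policy ceiling for a decoded image (assumed value for this example). */
#define MAX_PIXEL_BYTES (256u * 1024u * 1024u)   /* 256 MiB */

/* Hardened pattern: reject zero or absurd fields, then bound each
 * multiplication against the ceiling *before* performing it, so the product
 * can never wrap. Returns 0 and sets *out on success, -1 on rejection. */
int pixel_bytes_checked(const img_header_t *h, size_t *out) {
    if (h->width == 0 || h->height == 0 ||
        h->bytes_per_pixel == 0 || h->bytes_per_pixel > 16)
        return -1;
    if (h->width > MAX_PIXEL_BYTES / h->height) return -1;
    uint64_t area = (uint64_t)h->width * h->height;
    if (area > MAX_PIXEL_BYTES / h->bytes_per_pixel) return -1;
    *out = (size_t)(area * h->bytes_per_pixel);
    return 0;
}

/* Decoder entry point: parse, validate, and only then size the allocation.
 * Returns 1 if the image is accepted (alloc_size set), 0 if rejected. */
int accept_image(const uint8_t *buf, size_t len, size_t *alloc_size) {
    img_header_t h;
    if (read_header(buf, len, &h) != 0) return 0;
    return pixel_bytes_checked(&h, alloc_size) == 0;
}

int main(void) {
    /* Constructed crafted header: 65536 x 65536 x 1. The 32-bit product is
     * exactly 2^32, which wraps to 0; the checked path rejects it. */
    img_header_t crafted = { 65536u, 65536u, 1u };
    size_t n = 0;
    printf("unchecked size: %u bytes\n", pixel_bytes_unchecked(&crafted));
    printf("checked result: %d\n", pixel_bytes_checked(&crafted, &n));

    /* Constructed benign header: 640 x 480 x 4. */
    img_header_t benign = { 640u, 480u, 4u };
    if (pixel_bytes_checked(&benign, &n) == 0)
        printf("benign image needs %zu bytes\n", n);
    return 0;
}
```

The check divides rather than multiplies because a division cannot overflow; bounding `width` against `MAX_PIXEL_BYTES / height` is equivalent to `width * height <= MAX_PIXEL_BYTES` without ever forming the product in a type that could wrap. Detection on the receiving side is the same observation in reverse: a decoder that accepts a header whose declared dimensions cannot fit in any sane allocation is the condition to alert on or fuzz for.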
In response, Apple has posted QuickTime 7.0.4 for Mac OS X 10.3.9 and later, and Windows 2000 and XP. The update can be downloaded and installed via Software Update for Mac OS X users, or from this page for Windows users.
Some of the flaws fixed Tuesday hark back to mid-November, when security company eEye Digital warned of several bad bugs in QuickTime. eEye's alert, meanwhile, followed by a month the October update of QuickTime to 7.0.3 to fix even earlier problems.
On Tuesday, eEye urged enterprises in particular to publicize the update to their users. "Most IT departments probably saw Apple's security update and thought 'that's a consumer application, I don't have to worry about security policies for that,'" said Marc Maiffret, co-founder of eEye and its chief hacking officer, in a statement. "Those IT departments would be mistaken. There are few people that have not seen a co-worker with an iPod wandering the halls of their organization, and those iPods probably mean iTunes is on your network."