Apple Patches QuickTime Crash and Code Execution Flaws

Apple pushed out a new version of QuickTime that patched nine vulnerabilities, including a handful of denial of service and code execution bugs.

Apple on Thursday pushed out a new version of QuickTime for Windows that patched nine vulnerabilities, including a handful reported Aug. 13 by Cisco Talos and Fortinet researchers.

All five of the flaws reported by Cisco Talos could, if exploited, crash the media player or, in some cases, lead to code execution, Apple said in its advisory. Two other vulnerabilities, CVE-2015-5785 and CVE-2015-5786, reported by Fortinet’s FortiGuard Labs and by Cisco’s Ryan Pentney and Richard Johnson, are memory corruption errors that expose QuickTime versions prior to 7.7.8 on Windows to remote code execution.

“A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user’s system,” according to a SecurityTracker advisory.

The QuickTime update comes a week after a large round of patches for Mac OS X, OS X Server and iOS that addressed dozens of vulnerabilities, including a critical privilege escalation issue in the DYLD dynamic linker that had been disclosed a month earlier. The fixes in yesterday’s QuickTime for Windows update had already shipped for OS X as part of last week’s round.

Apple said it improved memory handling to address the denial-of-service and code execution vulnerabilities in yesterday’s update. The five DoS vulnerabilities reported by Cisco affect QuickTime versions 7.7.5 and 7.7.6 running on 32-bit Windows 7; all five are file-parsing bugs in which the player trusts a size, count or length field read from a crafted .mov file.

According to Cisco:

  • CVE-2015-3788 is an invalid URL atom size flaw: an attacker who controls the size field of a URL atom in a .mov file can cause an out-of-bounds read and crash the application.
  • CVE-2015-3789 is triggered when an attacker controls the entries and description table in a 3GPP .mov file.
  • CVE-2015-3790 is triggered when an attacker controls the size of an mvhd atom, causing an out-of-bounds read and a crash.
  • CVE-2015-3791 is triggered when an attacker controls the elementary video header start codes or the type descriptor length in an esds atom in a .mov file.
  • CVE-2015-3792 is triggered when an attacker controls the content of the mdat section of a .mov file, leading to a crash.
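The two atom-size bugs in the list (CVE-2015-3788 and CVE-2015-3790) share one shape: a QuickTime atom header is a 4-byte big-endian size followed by a 4-byte type, and a parser that trusts that size field reads past the end of the file. The example below is an added illustration, not code from Apple, Cisco Talos or the original article, and does not reproduce QuickTime's own parser; it shows the untrusted calculation beside a bounds-checked atom walker, run over constructed byte strings (the file layouts are made up for the demonstration and are not real QuickTime files). The generalization to the size-0 ("to end of file") and size-1 (64-bit extended size) header forms is standard for the format and goes beyond what the article describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* QuickTime atom header: 4-byte big-endian size (which covers the header
 * itself), then a 4-byte type. size == 0 means "extends to end of file";
 * size == 1 means a 64-bit size follows the type (the extended-size form). */
typedef struct {
    size_t offset;      /* where the atom starts in the buffer        */
    size_t size;        /* total atom length, header included         */
    size_t header_len;  /* 8, or 16 with the extended size field      */
    char   type[5];     /* NUL-terminated four-character code         */
} atom_t;

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

static uint64_t rd64(const uint8_t *p)
{
    return (uint64_t)rd32(p) << 32 | rd32(p + 4);
}

/* The shape of the bug: take the size field at face value and derive the
 * payload length from it. Returns how many bytes a trusting parser would go
 * on to read after the header; nothing is read here, the caller compares the
 * result with the buffer length. A size below 8 wraps around to ~4 GiB. */
uint32_t naive_payload_len(const uint8_t *buf, size_t off)
{
    return rd32(buf + off) - 8;
}

/* Hardened header parse: 0 on success (fills *a), -1 on any malformed atom. */
int parse_atom(const uint8_t *buf, size_t len, size_t off, atom_t *a)
{
    if (off > len || len - off < 8)            /* header must lie inside the buffer */
        return -1;

    uint64_t size = rd32(buf + off);
    size_t   hlen = 8;
    memcpy(a->type, buf + off + 4, 4);
    a->type[4] = '\0';

    if (size == 1) {                           /* 64-bit extended size follows type */
        if (len - off < 16)
            return -1;
        size = rd64(buf + off + 8);
        hlen = 16;
    } else if (size == 0) {                    /* atom runs to the end of the file */
        size = len - off;
    }

    if (size < hlen)                           /* size - header would underflow */
        return -1;
    if (size > (uint64_t)(len - off))          /* payload would run past the buffer */
        return -1;

    a->offset     = off;
    a->size       = (size_t)size;
    a->header_len = hlen;
    return 0;
}

/* Walk the atoms in buf[0..len): returns how many were found, or -1 as soon as
 * one fails validation. A container (moov, trak, ...) is walked by calling this
 * again on (buf + a.offset + a.header_len, a.size - a.header_len). */
int count_atoms(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int    n   = 0;
    atom_t a;

    while (off < len) {
        if (parse_atom(buf, len, off, &a) != 0)
            return -1;
        off += a.size;       /* cannot overshoot: size <= len - off was checked */
        n++;
    }
    return n;
}

/* Constructed samples for the demonstration, not real QuickTime files. */
static const uint8_t good_file[] = {
    0,0,0,12, 'f','t','y','p', 'q','t',' ',' ',    /* ftyp, 12 bytes            */
    0,0,0,1,  'm','d','a','t', 0,0,0,0,0,0,0,16,   /* mdat, 64-bit size = 16    */
};
static const uint8_t oversized_mvhd[] = {
    0x7f,0xff,0xff,0xff, 'm','v','h','d', 0,0,0,0,0,0,0,0, /* claims ~2 GiB   */
};
static const uint8_t tiny_url[] = {
    0,0,0,4, 'u','r','l',' ', 0,0,0,0,                    /* size < its header */
};

int main(void)
{
    printf("good file: %d atoms\n", count_atoms(good_file, sizeof good_file));
    printf("oversized mvhd: %d (naive parser would read %u bytes)\n",
           count_atoms(oversized_mvhd, sizeof oversized_mvhd),
           naive_payload_len(oversized_mvhd, 0));
    printf("tiny url atom: %d (naive parser would read %u bytes)\n",
           count_atoms(tiny_url, sizeof tiny_url),
           naive_payload_len(tiny_url, 0));
    return 0;
}
```

The two checks that matter are the ones Cisco's descriptions point at: an atom's size must be at least as large as its own header, or the payload-length subtraction wraps, and it must not exceed the bytes remaining in the file, or the read runs off the end of the mapping. Both comparisons are done in 64 bits so they stay correct on a 32-bit build such as the Windows 7 32-bit target Cisco tested.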

Apple still has not patched the kernel-level vulnerabilities in Mac OS X that were disclosed last weekend by Italian researcher Luca Todesco. The two vulnerabilities, which lead to privilege escalation and security feature bypasses, were reported to Apple, along with proof-of-concept code, only hours before Todesco published them.

The vulnerabilities affect the Yosemite and Mavericks versions of OS X but have been patched in beta versions of OS X 10.11, also known as El Capitan, Todesco said.
