Apple patches QuickTime, fixes bugs in iTunes

The new version also unlocked full-screen video in the app

July 11, 2007 12:00 PM ET

Computerworld - Apple Inc. today patched eight vulnerabilities in the Mac OS X and Windows versions of QuickTime, and updated the iTunes software co-released with the iPhone to fix a bug that deleted purchased tracks and had convinced some users to revert to older software rather than hassle with clumsy work-arounds.

The new QuickTime also unlocked full-screen video, a feature that previously was available only in the $29.99 QuickTime Pro premium edition.

All eight of the QuickTime flaws could be ranked "critical," since in every case, Apple said they could lead to "remote code execution" -- phrasing that generally garners the highest threat rating from vendors that rank vulnerabilities. Apple, however, does not rate or prioritize the bugs it discloses or the patches it releases.

Two of the vulnerabilities are related to memory corruption problems in handling movie files, two others are integer overflow bugs, and four were blamed on design errors in QuickTime's implementation of Java, said Apple in the associated security advisory. That final foursome would most likely be exploited by enticing users to Web sites where they would be served up malicious Java applets, Apple added.

Two of the bugs were credited to Tom Ferris, a security researcher who specializes in rooting through Apple's code. In April 2006, Ferris publicized several zero-day vulnerabilities in Mac OS X and the Safari browser; a month later, he noted that Apple had failed to fix all the flaws in a subsequent security update.

QuickTime 7.2 also updates the H.264 video codec.

Meanwhile, iTunes also received an update today. The new Version 7.3.1 doesn't include any security fixes, said Apple, but instead "addresses a minor problem with iTunes 7.3 accessing the iTunes Library."

Numerous users who posted complaints to Apple's support forums might not agree with the characterization of problems in iTunes 7.3 as "minor." Almost immediately after Apple updated iTunes on June 29 to account for the iPhone, users began reporting that they saw the error message "iTunes Library file cannot be saved, an unknown error occurred (-50)," only to have iTunes then crash.

"I lost two full albums," said a user identified as "Gil Jawetz." (Jawetz later told Computerworld that he did not actually lose music files, only that his library file became corrupted.) Others outlined work-arounds that required users to save their libraries, delete a pair of iTunes files, then re-import the saved libraries.

Still others just gave up. "I've thrown in the towel....iTunes just crashed on me...so I've gone back to 7.2," wrote "dee_r" on July 2. Other users complained that iTunes had a new problem sorting tracks by artist and album, and that their sometimes massive collections were now askew. Today's update to 7.3.1 also reportedly fixed that bug.

QuickTime 7.2 can be downloaded from the Apple site in versions for Mac OS X and Windows, as can iTunes. Alternatively, users can call on the programs' built-in updaters.
