Apple patches QuickTime, fixes bugs in iTunes
The new version also unlocked full-screen video in the app
Computerworld - Apple Inc. today patched eight vulnerabilities in the Mac OS X and Windows versions of QuickTime, and updated the iTunes software co-released with the iPhone to fix a bug that deleted purchased tracks and had convinced some users to revert to older software rather than hassle with clumsy work-arounds.
The new QuickTime also unlocked full-screen video, a feature that previously was available only in the $29.99 QuickTime Pro premium edition.
All eight of the QuickTime flaws could be ranked "critical," since in every case, Apple said they could lead to "remote code execution" -- phrasing that generally garners the highest threat rating from vendors that rank vulnerabilities. Apple, however, does not rate or prioritize the bugs it discloses or the patches it releases.
Two of the vulnerabilities are related to memory corruption problems in handling movie files, two others are integer overflow bugs, and four were blamed on design errors in QuickTime's implementation of Java, said Apple in the associated security advisory. That final foursome would most likely be exploited by enticing users to Web sites where they would be served up malicious Java applets, Apple added.
Two of the bugs were credited to Tom Ferris, a security researcher who specializes in rooting through Apple's code. In April 2006, Ferris publicized several zero-day vulnerabilities in Mac OS X and the Safari browser; a month later, he noted that Apple had failed to fix all the flaws in a subsequent security update.
QuickTime 7.2 also updates the H.264 video codec.
Meanwhile, iTunes also received an update today. The new Version 7.3.1 doesn't include any security fixes, said Apple, but instead "addresses a minor problem with iTunes 7.3 accessing the iTunes Library."
Numerous users who posted complaints to Apple's support forums might not agree with the characterization of problems in iTunes 7.3 as "minor." Almost immediately after Apple updated iTunes on June 29 to account for the iPhone, users began reporting that they saw the error message "iTunes Library file cannot be saved, an unknown error occurred (-50)," only to have iTunes then crash.
"I lost two full albums," said a user identified as "Gil Jawetz." (Jawetz later told Computerworld that he did not actually lose music files, only that his library file became corrupted.) Others outlined work-arounds that required users to save their libraries, delete a pair of iTunes files, then re-import the saved libraries.
Still others just gave up. "I've thrown in the towel....iTunes just crashed on me...so I've gone back to 7.2," wrote "dee_r" on July 2. Other users complained that iTunes had a new problem sorting tracks by artist and album, and that their sometimes massive collections were now askew. Today's update to 7.3.1 also reportedly fixed that bug.