Big security fixes for QuickTime, Flash Player

Apple and Adobe have warned that attackers could exploit serious security holes in QuickTime and Flash Player to run malicious code on targeted machines. But the vendors have updated the popular multimedia applications to fix the flaws.

Apple said in an advisory that QuickTime versions prior to 7.1.3 are susceptible to multiple flaws caused by the application's failure to properly bounds check and sanitise user-supplied data.

Specifically, the problems are that:

• An integer or buffer overflow may be triggered by malicious H.264 movie files.
• An integer or buffer overflow may be triggered by malicious QuickTime movie files.
• A heap-based buffer overflow may be triggered by malicious FLC movie files. (This issue affects the 'COLOR64' chunk in FLIC format files.)
• An integer or buffer overflow may be triggered by malicious FlashPix files.
• An exception can occur that can leave an uninitialised object when handling malicious FlashPix files.
• A buffer overflow may be triggered by a malicious SGI image file.

"An attacker can exploit these issues to execute arbitrary code in the context of the victim user running the vulnerable application," Apple said in its advisory. "Successful exploits may facilitate a remote compromise of affected computers."

One reason the threat is serious is that proof-of-concept exploit code is available for the FLC file heap-based buffer overflow flaw, Symantec said in an email to customers of its DeepSight Threat Management Service.

Apple has released QuickTime version 7.1.3 to address the vulnerabilities.

Meanwhile, Adobe said in an advisory that Flash Player is susceptible to multiple remote code execution vulnerabilities because the application "fails to properly bounds check user-supplied input before copying it into insufficiently-sized memory buffers."

Adobe said attackers could exploit the problem by creating a media file with large, dynamically-generated string data and submitting it to be processed by the media player. "This will cause the application to overwrite system memory at an explicit location," Adobe said in its advisory. "Because of this, race conditions, heap overflow and stack overflow vulnerabilities may be possible [and would] allow remote attackers to execute arbitrary machine code in the context of the user running the application."

The flaws affect Flash Player 8.0.24.0 and prior, Adobe Flash Professional 8, Flash Basic, Adobe Flash MX and 2004 Adobe Flex 1.5. Adobe recommends users upgrade to version 9.0.16.0.