Apple releases patches for 'critical' iTunes, QuickTime flaws

Apple on Monday has released a collection of 8 security updates for both the OS X and Windows versions of its QuickTime multimedia software and also issued a security update for its digital jukebox software iTunes.

The announced updated, iTunes 7.1 and QuickTime 7.1.5 are launched to fix the eight vulnerabilities rated as "critical" by the French Security Incident Response Team (FrSIRT).

All 8 flaws attack existing versions of QuickTime for Windows Vista, XP and 2000, while seven of the vulnerabilities also affect OS X versions 10.3.9 and later.

The fixes are for 8 flaws, all of which affect current versions of QuickTime for Windows Vista, XP, and 2000. And, seven of the vulnerabilities also affect OS X versions 10.3.9 and later. In addition, the update is recommended for all QuickTime 7 users.

The updated iTunes 7.1 apparently adds additional support for the upcoming release of Apple TV, enabling them to enjoy their favorite iTunes movies, TV shows, music, and more from the comfort of their living room with Apple TV which is compatible with both Mac OS X and Windows.

The device, which was announced by company CEO Steve Jobs during the keynote speech at the 2007 Macworld Expo in San Francisco on January 9, 2007, is due out later this month and would transmit digital media from PC and Macs to television sets.

The updated edition also supports a new full screen Cover Flow and amended sorting options that enable users decide how iTunes should sort their favorite artists, albums, and songs.

On the other hand, the QuickTime security update, version 7.1.5, delivers several bug fixes and it also addresses critical security issues.

The vulnerabilities in QuickTime expose both Macs and Windows PCs to cyber attacks. As soon as the specially-crafted files, including Quicktime movies, PICT, MIDI and QTIF files are launched, an application crash triggers, allowing an attacker to remotely craft a malicious file which, when opened with QuickTime, could give the miscreant full control over the computer running the software.

"If you use QuickTime I would definitely recommend that you install the update as soon as possible," said Bojan Zdrnja, a security researcher from SANS (SysAdmin, Audit, Network, Security). "Some of those security vulnerabilities look nasty."

In addition to the fixes, the QuickTime 7.1.5 also includes some functionality improvements.

This updated edition is the first QuickTime-specific patch issued by Apple since January, when the iPod/Mac maker put out a fix for vulnerability, dubbed a zero-day flaw, introduced as part of the “Month of Apple Bugs” project.

The patches, iTunes 7.1 and QuickTime 7.1.5, are available to download via the software update mechanism in Mac OS X or from Apple's support Website.