Apple's First 2009 Patch Batch Fixes 7 QuickTime Flaws

http://voices.washingtonpost.com/securityfix/2009/01/apples_first_2009_patch_batch.html?wprss=securityfix

Apple today released a security update for its QuickTime media player. The new version, QuickTime 7.6, is available for both Mac and Windows systems.

This release fixes at least seven security vulnerabilities. All seven are serious enough that Apple says they could be used to run software of the attacker's choice on a vulnerable system simply by convincing the user to view a specially-crafted movie or streaming media file.

It's important for QuickTime users (particularly Windows users) not to let too much grass grow under their feet before applying this update. Because it is so widely installed (and probably so infrequently updated), QuickTime has drawn the attention of hackers who write and sell automated exploit toolkits. These are software kits that attackers typically stitch into the fabric of hacked Web sites. When a user visits such a site, the toolkit checks to see which if the browser plug-ins may still be vulnerable to know security flaws, serves up an exploit for the first one it finds, and then silently uses that exploit to install malicious software on the visitor's PC.

According to Microsoft's most recent "Security Intelligence Report," a QuickTime flaw was the third- and fourth-most-attacked Web browser vulnerability for Windows XP and Windows Vista systems, respectively, during the first half of 2008 (See chart pulled from the report).

Mac users can grab the update from Software Update or from Apple Downloads. Windows users can use the download site or the bundled Apple Software Update program.

By Brian Krebs |  January 21, 2009; 3:38 PM ET From the Bunker , Latest Warnings , Misc. , New Patches , Safety Tips

Many thanks for the warning!