Apple, Adobe address security flaws in QuickTime, Flash

Both companies on Tuesday released rather significant security updates addressing a wide range of security holes in their products.

11 issues are fixed in Apple's update for QuickTime, version 7.4.5. The updates affect both Mac OS X and Windows, although not all security fixes are for both operating systems.

Among the updates for Windows are unexpected application termination or arbitrary code execution issues with opening maliciously crafted PICT image and movie files. The PICT image issue encompasses two separate vulnerabilities: one involves QuickTime's handling of error messages, while the other is due to parsing of the Clip oncode, which could result in a heap buffer overflow.

The rest of the issues are found in both operating systems, and include the following: an issue where untrusted Java applets may obtain elevated privileges; information disclosure due to the downloading of movie files; and application terminations or code executions due to maliciously crafted movie, VR movie or PICT files.

More information on these updates can be found on the Apple website.

Adobe fixed seven issues in its own update to Flash, which dealt with flaws which could give an attacker control of a user's system. The company said a malicious SWF file needs to be loaded in order for the attacker to exploit the vulnerabilities.

The issues affect Adobe Flash Player 9.0.115.0 and earlier, and 8.0.39.0 and earlier, Adobe said. It is recommended that users upgrade immediately to the new version of the player in order to protect themselves.

More information on Adobe's fixes for Flash can be found in its security bulletin on the matter.