Ten of the 12 flaws could lead to unexpected application termination or arbitrary code execution, warned Apple. Another flaw could lead to disclosure of memory contents.
In addition, Apple fixed a cross-site scripting issue in QuickTime’s “Save the Web” export. “The template HTML files generated by this feature referenced a script file from a non-encrypted origin. An attacker in a privileged network position may be able to inject malicious scripts in the local domain if the user views a template file locally. This issue is addressed by removing the reference to an online script”, Apple explained.
Most of the flaws involve memory or buffer overflow issues, whereby viewing a malicious movie file could result in an exploit.
The QuickTime update is available for Windows 7, Vista, XP, and later versions.
Apple noted that many of these holes have already been corrected in Mac OS X 10.7.2 Lion and Mac OS X 10.6.8 Snow Leopard systems. A majority of the vulnerabilities were discovered by members of TippingPoint's Zero Day Initiative (ZDI).
The ZDI is a program for rewarding security researchers for responsibly disclosing vulnerabilities. According to TippingPoint, the main goals of the ZDI are to extend the company’s DVLabs research team by leveraging the methodologies, expertise, and time of others; encourage the reporting of zero day vulnerabilities responsibly to the affected vendors by financially rewarding researchers; and protect customers through the TippingPoint intrusion prevention systems while the affected vendor is working on a patch.