MacUser
News, info, and opinion by Mac users, for Mac users.

Of QuickTime updates and exploits

Posted by Dan Moren | Wednesday, May 02, 2007 9:47 AM PT

Scott clued you in yesterday to Apple’s release of QuickTime 7.1.6, which adds a couple of new features, including support for Final Cut Studio 2 and the addition of timecode and closed captioning display in QuickTime (could an answer to Kate’s (and my own) prayers be on the way?).

But the big news was, of course, the fix for the bug in QuickTime for Java that raised all the hubbub at CanSecWest. Here’s what Apple had to say on the security content of QuickTime 7.1.6:

An implementation issue exists in QuickTime for Java, which may allow reading or writing out of the bounds of the allocated heap. By enticing a user to visit a web page containing a maliciously-crafted Java applet, an attacker can trigger the issue which may lead to arbitrary code execution. This update addresses the issue by performing additional bounds checking when creating QTPointerRef objects. Credit to Dino Dai Zovi working with TippingPoint and the Zero Day Initiative for reporting this issue.

Hey, look, credit where credit’s due. And a quick turnaround on the patch (just ten days from exploit to patch). Man, Apple is totally not serious about security, right? Whadya say to that, Mr. Maynor?

Comments (1)

Don't forget Messrs Kevin Finisterre and LMH :)

Dave
May 02, 2007
12:23 PM PT
