This article is more than 1 year old

Use QuickTime … and become part of the collective

Malformed .MOV files can murder your movies

Two Borg assimilators have discovered five denial of service vulnerabilities in Apple's QuickTime.

The five vulnerabilities (CVE-2015-3788 to 3792) affect the latest version of QuickTime up to the patched 7.7.7 for Windows 7.

Ryan Pentney and Richard Johnson of Cisco's Talos security talon reported the memory corruption holes which manifest due to improper handling of objects in memory.

"An adversary who crafts a specifically formatted .MOV file can cause QuickTime to terminate unexpectedly, creating a local denial of service condition," the pair says in an advisory.

"Apple has released a software update to address these defects in Quicktime and Talos has released coverage for these vulnerabilities."

The holes include denial of service for invalid URL and mvhd atom sizes, and an invalid 3GPP stsd sample description entry size. An esds atom descriptor type length mismatch and mdat corruption round out the denial of service holes.

While Apple die hards may have nothing more than video feeds interrupted, Cupertino has issued a wider spray of patches for bugs ranging up to remote code execution.

Those patches affect many in Apple's fleet of iThings including iOS, OS X Yosemite, Safari, and OS X Server.

For newer iOS devices, Apple is putting out the iOS 8.4.1 software update. The patch applies to iPhone 4S and later, iPod Touch 5th generation and later, and iPad 2 and later. ®

More about


Send us news

Other stories you might like