You are here: silicon.com > Software > Security Strategy

Security Strategy

Apple patches QuickTime flaw at last

Not-so-quick fix...

Tags: patch, quicktime, flaw, apple

Printer Friendly Email Story RSS

By Joris Evers

Published: 24 January 2007 08:40 GMT

Apple has released a fix for a serious security hole in its QuickTime media player software.

The patch comes 23 days after details of the flaw, along with detailed attack code, were publicly released. The publication kicked off the "Month of the Apple Bugs" project, which has been publishing a new Apple software bug each day in January.

The QuickTime vulnerability relates to how the media player software handles the Real Time Streaming Protocol, or RTSP, according to an Apple alert. An attacker could exploit the flaw and commandeer a vulnerable system by placing a special RTSP string in a QuickTime file and tricking a user into opening that file, Apple said.

According to the Apple alert: "A buffer overflow exists in QuickTime's handling of RTSP URLs. By enticing a user to access a maliciously crafted RTSP URL, an attacker can trigger the buffer overflow, which may lead to arbitrary code execution." The update addresses the issue by performing additional validation of RTSP links, Apple said.

Security-monitoring companies Secunia and the French Security Incidence Response Team, or FrSirt, have rated the QuickTime problem as "highly critical" and "critical", respectively. Still, experts have not seen widespread exploitation of the problem.

One of the bug hunters behind the Month of Apple Bugs said he is stunned by the time it took Apple to fix the flaw. The pseudonymous LMH said in an interview via instant message: "Twenty-two days for a remote issue that leads to code execution right away is sort of insane. There was already an exploit and it was being abused in targeted attacks."

The vulnerability affects QuickTime 7.1.3 on Mac OS X and Windows. Several other vulnerabilities in Apple software have been disclosed as part of the Month of Apple Bugs, including in QuickTime. Apple has not yet released fixes for those issues.

Apple has said it is aware of the project but has chosen not to comment beyond a standard statement that it takes security very seriously and has "a great track record of addressing potential vulnerabilities before they can affect users". It added: "We always welcome feedback on how to improve security on the Mac."

The Apple patch can be downloaded and installed via the Software Update feature in Mac OS X, or from Apple Downloads.

Joris Evers writes for CNET News.com

Add Comment Add comment  Printer Friendly Print story with   Email Story Email story  
In
Applications

Operating Systems

SOA/Web Services

Malware

Security Strategy


Reader Comments

Is the Windows Quicktime update available? Has ...
Richard

Click here to see all

Related Links

Warning over "critical" QuickTime hole

MySpace to Apple: Fix QuickTime fast

MySpace worm goes phishing

Mac OS X gets security fix

Apple struggles to fix critical glitch

iTunes: Now it does video

  1. Zones
  2. Management
  3. Networks
  4. Software
  5. IT Services
  6. Hardware
  1. Verticals
  2. Public Sector
  3. Financial Services
  4. Retail & Leisure

Peter Cochrane Peter Cochrane's Blog: Is convergence a fiction? Or could it finally be happening…

Clive Longbottom Quocirca's Straight Talking: A game of two halves Microsoft Virtualisation scores while its SOA bores...

Prison tech: Mobiles blocked and bodies scanned

NHS data handling: Calls for independent audits

ID cards: 'Political' move, claim airport workers

Viacom vs Google: YouTube privacy fears

Google Talk finds a home on iPhone

ePassport upgrade scaled back


  • Jobs
SYSTEMS ADMINISTRATOR - APPLE MAC & OS X DESKTOP SUPPORT - Cambridge, South East

SYSTEMS ADMINISTRATOR - APPLE MAC & OS X DESKTOP SUPPORT - Cambridge, South East The European Bioinformatics Institute (EBI) is a non-profit academic ...

Systems Support Analyst

Novell NetWare, Linux, and Apple Mac OS - Experience of remote computer systems management Desirable Requirements Include: - Knowledge of Novell ...

Security Consultant Ethical Hacking / Penetration Testing - London

Responsibilities: - Deliver security assessment services including network scanning, vulnerability testing, penetration testing, search engine ...

CIO50 2008
The silicon.com CIO50 2008 profiles the most influential and innovative tech chiefs in the UK across all industries and organisation size, from the biggest FTSE100 companies to high growth dot-com start ups and the public sector. The list was voted on by the UK CIO community and a panel of experts. Find out more in our latest special report.

College classrooms go high-tech

Travis Perkins builds its tech future

Thin clients switch on digitally excluded

MSDN Webcast: Demystifying Office Business Applications for the Developer (Level...

Understanding SOA and Business Mashups: Automate. Coordinate. Collaborate. No coding...

Tips and Tricks for Office 2007

MSDN Webcast: Demystifying Office Business Applications for the Business Analyst...

Stories from the web...


Peter Cochrane's Video Blog: Power outrage

Business agility through flexible IT

What are you really saying?


Microsoft readies online apps for business

EU law to end file-sharers time online?

Privacy concerns over Google Street View

Get a Lively life, with Google avatars

Are banks going soft on e-crime?




Quick Sitemap Links: