Apple sounds alarm over QuickTime flaws

Apple Computer late Thursday issued an alert about flaws in its QuickTime media player that could allow a malicious attacker to launch a denial-of-service attack or remote code execution.

QuickTime versions 6.5.2 and 7.0.1 for the Mac OS X operating system are affected by the vulnerabilities, as well as some versions for Microsoft Windows, according to a Friday report by security company Secunia, which rated the vulnerabilities "highly critical."

Apple has issued an update, QuickTime 7.0.3, to fix the four flaws. The patch was posted to Apple's Web site on Oct. 12.

One vulnerability can result in a denial-of-service, or DOS, attack against any application loading remotely originated content. The flaw involves a missing movie attribute, which is interpreted as an extension. The absence of the actual extension, however, is not detected, resulting in a "dereference of a null pointer," Apple warned.

Another security hole involves an integer overflow that may be remotely exploited through a specially crafted video file. This could lead to an arbitrary execution of code.

"Three of the vulnerabilities can launch malicious code that allows an attacker to snoop on users," said Thomas Kristensen, Secunia's chief technology officer. "The other vulnerability is a DOS attack that will only work in a few cases and crash the media player when it tries to open a file."

Last June, Apple released QuickTime 7.0.1 to address a security flaw and deliver several improvements to its media player. The update was designed to modify the Quartz Composer plug-in, which previously could allow an attacker to tap into local data and distribute it to an arbitrary Web site.

QUICKTIME security vulnerability... PING!

Note that if you upgraded your Quicktime after October 12th, you are OK...

Secunia is reporting this on November 4, although Apple provided the fix on October 12.

Note, this affects both Macintosh AND Windows versions of Quicktime. UPGRADE NOW!

If you want on or off the Mac Ping List, Freepmail me.

Apple Plugs QuickTime Code Execution Holes
By Ryan Naraine
November 4, 2005

Updated: A new version of the QuickTime media player protects against "highly critical" system access and denial-of-service vulnerabilities.

Multiple security flaws in Apple Computer Inc.'s QuickTime media player could put users at risk of code execution attacks, the company confirmed in an advisory issued late Thursday.

The vulnerabilities, rated "highly critical," could give malicious hackers an open door to take over a vulnerable system or to launch denial-of-service attacks.

Affected software include QuickTime 6.x through 7.x. Apple recommends that QuickTime users upgrade to version 7.0.3 immediately.

In all, the upgrade covers four vulnerabilities. The most dangerous is described as an integer overflow error in the handling of a "Pascal" style string when loading a ".mov" video file. This can result in memory overwrite due to a large memory copy, potentially allowing arbitrary code execution via a specially crafted video file.

Mac OS X update swats five security bugs.

A second integer overflow error also exists in the handling of certain movie attributes when loading a ".mov" video file. This can also result in memory overwrite and potential code execution via a rigged video file.

The patch also corrects a NULL pointer dereferencing error when QuickTime handles certain missing movie attributes from a video file. This can be exploited to crash an application that uses QuickTime when a malicious video file is loaded.

The fourth flaw is a boundary error in the QuickTime PictureViewer when decompressing PICT data. This may be exploited to cause a memory overwrite, potentially allowing arbitrary code execution via a specially crafted PICT picture file.

The vulnerabilities were discovered and reported to Apple by private researcher Piotr Bania.

An Apple spokesperson said the new QuickTime versions were issued on Oct. 12, but full details on the vulnerabilities were not posted until late Thursday.

Secunia Warns About Already Patched QuickTime Flaws
by MacObserver Staff, 8:45 AM EST, November 4th, 2005

Secunia issued a warning about four security flaws in QuickTime versions 6.5.2 and 7.0.1 on Friday. The flaws, which could potentially lead to a Denial of Service attack, were patched by Apple with the QuickTime 7.0.3 updater on October 12.

The four vulnerabilities addressed with the QuickTime 7.0.3 update include two integer overflow errors in .mov files, a NULL pointer error in maliciously crafted video files, and a boundary error in certain PICT files when viewed in Classic's QuickTime PictureViewer application. A full description of each flaw is available an Apple Knowledge Base security article.

Users with a version of QuickTime that falls under the advisory can address the issue simply by updating to the new version through Software Update, or by downloading and installing the QuickTime 7.0.3 updater.

The downside is that QuickTime Pro 6 keys don't work in QuickTime 7, requiring the purchase of a new US$29.99 license.

Secunia's warning, dated November 4, is a little ill timed, considering Apple released an update for the noted issues nearly a month ago.

Read it again, Bush... it WAS Quicktime that was vulnerable... for both Windows and Mac OSX...

So what. The bottom line is that having Quicktime on your machine leaves you open to critical vulnerabilities. Spin that however you like.

... and for Macs, merely using Software Update (automatic) the vulnerability was patched.

So I presume you won't criticize MS the next time it releases a security patch and it's distributed over Windows Update, eh? /SARCASM

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.