Apple QuickTime
A researcher has posted proof-of-concept for a vulnerability in Apple's QuickTime

QuickTime flaw adds to Apple's woes

Exploit especially dangerous for Firefox users

Written by Shaun Nichols in California

vnunet.com, 27 Nov 2007

Apple has been presented with yet another security headache by an independent researcher.

Krystian Kloskowski has posted a proof-of-concept exploit for a vulnerability in Apple's QuickTime multimedia software.

The researcher said that a successful attack could enable the remote execution of malicious code.

The exploit targets a flaw in the way QuickTime handles information for streaming media files.

Malformed data could be hidden within a streaming media file to trigger a buffer overflow error, which could allow the attacker to access the system with the privileges of the current user.

Even an unsuccessful attack could crash the QuickTime player, according to Kloskowski.

The exploit exists only as a proof-of-concept sample to verify the existence of the flaw. There have been no reports of any attacks targeting the vulnerability.

Many users will be comforted to know that their choice of browser could prevent the attack. Researchers at Symantec have found that Internet Explorer 6 and 7 do not allow the exploit to run.

The latest beta of Safari for Windows is also protected, but Mozilla's Firefox browser remains vulnerable to the attack.

"Firefox users are more susceptible because Firefox farms off the request directly to the QuickTime player as a separate process outside its control," wrote Symantec researcher Elia Florio in a company blog.

"As a result, the current version of the exploit works perfectly against Firefox if users have chosen QuickTime as the default player for multimedia formats."

Florio warned that attackers may adjust the exploit to work in other browsers, and advised users to adjust their firewalls to block outbound traffic from TCP 554 and avoid following untrusted links.

This latest vulnerability comes at a difficult time for Apple on the security front. Researchers blasted the company earlier this month for shortcomings in the firewall on the new MacOS X Leopard operating system.

Apple issued a fix, but a few days later researchers found that the company had left open a flaw in Leopard's Mail application that had been previously patched.

Meanwhile, a Trojan targeting Mac users has continued to flourish on fake codec sites.

See also:

reader comments

related articles

Leopard

Mac Mail flaw resurfaces in Leopard

Flaw allows code to masquerade as images 21 Nov 2007

 

Apple fixes Leopard firewall

New update addresses security issues 16 Nov 2007

Brits turned off by iPhone price

Clever gadget, but way too expensive 26 Nov 2007

iPhone Road Test: Conclusion

The ups and downs of Apple's iPhone 23 Nov 2007

Special Report: Apple iPhone

All the latest news on Apple's iPhone 18 Dec 2007

Security

vnunet.com analysis: Browser wars changing security game

Variety and competition bring new protections and new threats 18 Jun 2008

Security

Major security firms caught napping

F-Secure and Trend Micro forced to patch flaws in their own software 24 Oct 2008

Apple patches critical Safari holes

Four flaws addressed in latest update 17 Apr 2008

latest news

Novell to shuffle EMEA executive pack

Linux vendor shifts partner programme responsibilities to marketing organisation 09 Jan 2009

Ballmer highlights aims for New Year

Ballmer announces Windows 7 beta and future alliances designed to improve information sharing 08 Jan 2009

Active Storage completes UK Jigsaw

Jigsaw unveiled as Raid vendor's first non-US Platinum partner as it launches in Europe 08 Jan 2009

More news

poll

Challenging times ahead?

Challenging times ahead?

Do you think there will be a lot of channel job cuts in 2009?

Previous poll results

Paul Anderson, Trend Micro

Vendor Q&A: Paul Anderson, Trend Micro

During this Q&A session Paul Anderson, UK country manager of Trend Micro talks about the changing threat landscape and how Trend is working with resellers in 2009

Sara Yirrell and Rick Wallis

Vendor Q&A: Rick Wallis, NEC Computers

In this exclusive vendor Q&A, Rick Wallis, UK sales director at NEC Computers talks to CRN editor Sara Yirrell about his firm’s plans for the channel.

More CRN TV

events

Channel Expo 2009 logo

Channel Expo 2009

The UK's top reseller exhibition will return to the NEC on 20 May 2009

CRN Fight Night 2009

The channel's only white-collar boxing event is back

More Events

Newsletter signup

Sign up for our range of FREE newsletters:

Existing User

Newsletter user login:

Advertisement

White papers

Search white papers

Top categories

Primary Navigation