Apple fixes more QuickTime media flaws
With the patch, Apple disables most Flash-handling functionality
Computerworld - Apple Inc. patched several bugs in QuickTime on Thursday, including a three-week-old streaming media vulnerability for which exploit code has been in circulation since the end of November.
At least one security researcher took Apple to task for its slow response and lack of information before today. "In classic Apple style, security researchers have been shouting the warning about this, and Apple has sat quietly, leaving many people wondering when an update might be available," said Andrew Storms, director of security operations at nCircle Inc. "[Then] without any advance notification, we have an update [this afternoon]. There will undoubtedly be some people working late this week to not only catch up from the big Microsoft 'Patch Tuesday' release, but now also to update Apple QuickTime."
Unveiled Thursday afternoon, QuickTime 7.3.1 patches problems in how the program handles three types of media content. The most anticipated fix, however, plugged the Real-Time Streaming Protocol hole first disclosed Nov. 23 by Polish researcher Krystian Kloskowski.
Although the proof-of-concept exploits released by Kloskowski and another researcher who used the alias InTeL fingered only QuickTime running on Windows XP SP2 and Windows Vista as vulnerable, within days other analysts confirmed that the Mac QuickTime was also buggy. By Nov. 29, Symantec Corp. was warning clients that Mac exploit code had been published, raising the stakes even higher.
Apple today also patched other media-related vulnerabilities, including a buffer overflow bug in the QuickTime movie file format and an unspecified number of flaws in QuickTime's handling of Flash files. To fix the Flash vulnerabilities, Apple disabled QuickTime's media handler for all Flash content "except for a limited number of existing QuickTime movies that are known to be safe," according to a security advisory the company posted.
The Flash strategy was almost identical to the tack Apple took with Java a month ago when it last patched QuickTime. Then, Apple essentially gave up on Java; rather than patch QuickTime yet again, it simply killed most of its Java-handling skills.
Exploits against any of the vulnerabilities patched today could result in what Apple calls "arbitrary code execution," meaning an attacker can inject malware or hijack the system. Apple does not rank its software mistakes, but other vendors, such as Microsoft Corp., usually label such vulnerabilities as critical.
Existing copies of QuickTime can be updated to 7.3.1 using Mac OS X's built-in Software Update feature, while Windows XP and Vista users can either download the patched version from the Apple Web site or use the Windows-only update tool.
Today's update marks the seventh security revision to QuickTime this year. Including the newest flaws, Apple has patched at least 34 vulnerabilities in the player since Jan. 1.
Read more about Security in Computerworld's Security Topic Center.
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- Top Tips for Securing Big Data Environments: Why Big Data Doesn't Have to Mean Big Security Challenges Organizations must come to terms with the security challenges they introduce. As big data environments ingest more data, organizations will face significant risks...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!