New QuickTime bugs crawl into the open

Windows version, patched last week to quash a different bug, is affected

A security researcher today revealed new and unpatched bugs in the Windows version of Apple Inc.'s QuickTime, just a week after the company plugged a hole known for nearly a month.

Laurent Gaffie posted details of vulnerabilities in five functions of a QuickTime ActiveX control to the Full Disclosure security mailing list yesterday, along with proof-of-concept exploit code. Gaffie said the attack code works against the newest edition, 7.4.1, which Apple issued only last week to patch a flaw in the player's handling of the Real-Time Streaming Protocol (RTSP).

Because the vulnerabilities are in an ActiveX control, the Microsoft technology most commonly used in Internet Explorer (IE) plug-ins, only Windows users are at risk. QuickTime is very common on that platform, however, since it is installed alongside Apple's popular iTunes music software.

Symantec Corp. warned that in-the-wild attacks would probably pop up shortly. "Historically, QuickTime vulnerabilities are actively exploited shortly after they are publicly disclosed," the company said in an alert to customers of its DeepSight threat network. "We expect to see functional exploit code and active targeting of these issues shortly."

An attack could hijack the PC or crash IE, Symantec added. "Attackers can exploit these issues to execute arbitrary code within the context of the application that invoked the ActiveX control (typically Internet Explorer) and failed exploit attempts will result in a denial-of-service condition," the warning continued.

Gaffie's revelations added to QuickTime's problems and marked yet more vulnerabilities in ActiveX controls. Apple's media player was patched 34 times last year and is on a pace to best that during 2008.

Meanwhile, ActiveX has been plagued with a series of bug disclosures recently, starting with several that affected a plug-in distributed to members of the Facebook and social networking sites. The situation was serious enough last week to prompt the U. S. Computer Emergency Readiness Team, or US-CERT, to recommend that users disable all ActiveX controls.

Apple last patched QuickTime on Feb. 6 when it released 7.4.1, which fixed a vulnerability in RTSP that Italian researcher Luigi Auriemma had made public about a month earlier. After QuickTime 7.4.1 hit Apple's download site, Auriemma confirmed that the fix had plugged the hole.

Apple did not respond to questions about whether it would confirm the vulnerabilities in QuickTime's ActiveX control and when it would fix the flaws.

Copyright © 2008 IDG Communications, Inc.

Shop Tech Products at Amazon