September 18, 2008 11:22 AM PDT

QuickTime and iTunes DoS exploit released

by Robert Vamosi

A serious new flaw was disclosed on Thursday that affects the latest versions of Apple's QuickTime and iTunes applications.

The National Vulnerability Database entry CVE-2008-4116 describes a heap-based buffer overflow vulnerability within Apple's QuickTime 7.5.5 and iTunes 8.0 programs.

To infect a computer, a maliciously coded long-type attribute within a QuickTime tag might be placed on a Web page, or within a .mp4 or .mov file. This could allow remote attackers to crash the applications (known as a denial of service) or possibly execute arbitrary code on a compromised computer.

The announcement comes one week after Apple patched nine security flaws in its media player and fixed Windows Vista problems within its recently updated online music service.

At the moment, there is no recommended workaround or patch available for the code exploit.

Apple did not reply to a request for comment.

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
by cb3431 September 18, 2008 11:49 AM PDT
Hang on a minute! I thought Apple was perfect and flawless? Have the commercials been lying to me? Let me see if I have all of this correct. If I use Safari my computer is in danger? If I choose to view a QuickTime video then my computer is in danger? If I use iTunes then my computer is in danger? What does that leave?
by ballmerisanape September 18, 2008 11:58 AM PDT
What does it leave?

It just means that you have to be careful when you are surfing porn on the internet... just like always.

From the article posted above...

"To infect a computer, a maliciously coded long-type attribute within a QuickTime tag might be placed on a Web page, or within a .mp4 or .mov file. This could allow remote attackers to crash the applications (known as a denial of service) or possibly execute arbitrary code on a compromised computer."
by ittesi259 September 18, 2008 12:44 PM PDT
Oh shut up already. Reasonable computer users (the majority of us Apple users) are never shocked by this as nobody is perfect. Sure there are some flaws in some Apple applications....but a patch will be out in less than the 18 months that Microsoft is well documented taking on some of their stuff. It's not always about perfect creation...but also response to issues.

I've said my piece....feel free to light that flamethrower again.
by jandler September 18, 2008 1:27 PM PDT
Who took the longest to fix the DNS problem?
by ferretboy88 September 19, 2008 7:50 PM PDT
If this was a Microsoft flaw article the Apple fans would be out in force. QuickTime blows.
by ballmerisanape September 18, 2008 11:56 AM PDT
It would be helpful to state if this affects Windows and Apple computers....since the software is run on both platforms.
by goodspeed8701 September 18, 2008 12:00 PM PDT
Apple has a worm living in it. It's so surprising that Apple doesn't discover these holes by themselves. There are heaps of secrets Apple is keeping away from us. I don't trust them. They always claim what they are not, and why is it that QuickTime is always a risk? Or should I call it QuickTrojan?
by firi September 18, 2008 12:13 PM PDT
Security is a process not a destination, all systems have a flaw, but the main flaw is the user in most cases.
by Thomas, David September 18, 2008 12:32 PM PDT
In a nutshell,
Unusually long data in the attribute of a QuickTime tag can cause QuickTime to not work. This means any programs trying to use QuickTime will not render the file, and will possibly terminate. To my knowledge, this just means that particular file cannot be played.

This isn't a denial of service. Suddenly we are getting real loose about what things mean. Denial of service means you will not be able to use Quicktime at all if "infected", and by the way, this isn't an infection either. I'm starting to get a little pissed about the loose terms being flippantly tossed around.

This is a bug in the log of Quicktime that terminates on this tag. End of story.
by ittesi259 September 18, 2008 12:46 PM PDT
Wouldn't this more be considered a buffer overflow problem?
by jandler September 18, 2008 12:47 PM PDT
I agree this is not a denial of service. Cnet should really hire some better editor. If you don't believe me, read this
http://en.wikipedia.org/wiki/Denial-of-service_attack

Nevertheless, the "possibly [to] execute arbitrary code on a compromised computer" is a serious matter. It's a bug with serious ramifications.
by September 18, 2008 12:52 PM PDT
David, your knowledge is lacking. What part of "buffer overflow", "browser crash", "execute arbitrary code", or "provides administrator access" don't you get? You fail at your attempt to downplay this. And where in the exploit or official report does it use the term "infect" at all? Blame Cnet for that, but that doesn't make the threat any less real. And, for your information, it's not "a bug in the log of Quicktime", it's the parser. Fail fail FAIL!
by Bigglazierfoot September 18, 2008 5:52 PM PDT
Hello everyone, how are you this fine day?
My comment pertains to all the virus, hacker, phishing and any other illegal computer activity. As a society of law and order we must take action against the computer criminals with thorough investigations, harsh punishment, extremely harsh! If a few individuals were made an example out of, this illegal activity would be greatly reduced. For example, the individual who broke into Sarah Palin's email account should be sentenced to no less than 2 years of picking up trash along an interstate highway 16 hours a day 7 days a week. That would give that 18 year old college student some much needed time to learn to think a little more clearly. Thank you all, stay safe in the virtual world.
by ferretboy88 September 19, 2008 7:53 PM PDT
I say. Good show jolly old chap. +1
by fdunn3 September 19, 2008 12:21 PM PDT
It is a software buffer overflow issue. Any overflow has the possibility of being exploited to run code. No exploit exists *yet* for this issue. SANS has this as CRITICAL and while I agree unchecked overflows are a "potential" vector to initiate a run code exploit, not even M1LW0RM (the finder of the flaw) has expressed any means to exploit it.

SANS, until it is a "run remote code", please don't be alarmist and throw a CRITICAL label against a hack that will simply crash the application.
by mjkidd September 19, 2008 12:53 PM PDT
From an IT security perspective QuickTime is a complete disaster. Oh sure, people criticize Windows security, but it is after all a complete OS with many features like the .NET framework and a web browser that go beyond a bare OS; and Microsoft has certainly been trying harder in the last three years. But QuickTime - it's just a multimedia player - and yet there is an update every couple of months, addressing a half dozen security holes each time. Every IT department must hate QuickTime. Apple should either get serious about this application or just abandon it completely.

If all the QuickTime programmers were lined up and every third one was fired, it would send the right message.
by fdunn3 September 19, 2008 3:03 PM PDT
LOL
by ferretboy88 September 19, 2008 7:55 PM PDT
And don't they charge you for QuickTime Pro? How nice. Where is the decider to tell us the Earth is flat?
by ferretboy88 September 19, 2008 7:47 PM PDT
QUICKTIME IS THE BIGGEST SWISS CHEESE EVER. REMOVE IT NOW. ONLY 800 FLAWS IN THE LAST FEW YEARS.
by maneeshpan1 September 19, 2008 8:54 PM PDT
Do these flaws affect QuickTime and iTunes only on Windows? Or are Mac users with the latest versions of QuickTime (QuickTime 7.5.5) and iTunes 8.0 also affected?

Regardless, hopefully Apple will issue a patch to fix these problems soon.