Another QuickTime flaw found

Less than three weeks after Apple Computer issued an update to patch four security flaws in its QuickTime media player, a new "critical" problem has been discovered.

The unpatched vulnerability could allow remote execution of code, according to an advisory published Monday by eEye Digital Security. It affects various versions of Apple QuickTime running on all types of operating systems, the company said, but did not specify which versions in particular were at risk.

eEye said it notified Apple of the flaw on Oct. 31, when it outlined vulnerabilities that were not addressed in Apple's update of Oct. 12. And although Apple issued a security advisory Nov. 3 regarding its patch and the four flaws, that advisory did not address the new flaw eEye discovered, said Mike Puterbaugh, eEye's senior product marketing director.

"We don't feel this flaw could result in an Internet worm, as it does require end-user interaction (such as clicking on a link to a malicious Web site or chat session). The affected component is, however, enabled by default," Puterbaugh said.

This newly discovered flaw could allow an attacker to pose as the logged-in user and launch remotely executable code. An intruder, for example, could access and do everything that a user could do on his computer. If the user had administrator rights, the hacker could also access everything that the administrator could.

"The Apple flaw works with their latest version of QuickTime," said Steve Manzuik, eEye product manager. "The only similarity with the earlier flaws is it's in QuickTime."

The new issue affects a different QuickTime function than the four earlier flaws, which included a missing movie attribute that could be interpreted as an extension. The absence of the actual extension is not detected, resulting in a "dereference of a null pointer."

Another of the earlier four flaws included an integer overflow that could be remotely exploited through a specially crafted video file.

eEye has declined to provide more specifics in its security advisories until the vendor has issued a patch. That policy is designed to prevent hackers from reverse engineering the problem to launch an attack while the vendor works to fix the flaw.

Apple's earlier patch, version 7.0.3, addressed vulnerabilities found in QuickTime 6.5.2 and 7.0.1 for the Mac OS X operating system and some versions running on Windows. One of those flaws allowed a malicious attacker to launch a denial-of-service attack, while the other three flaws allowed an attacker to remotely execute code and take over users' computers.

Apple told CNET News.com that it was not prepared to comment at this time. Manzuik said that on Monday Apple acknowledged receipt of eEye's advisory, but gave no indication of when, or if, it plans to patch the flaw.

"It is something they will undoubtedly have to patch," he added.

[n3td3v]

Hehe

These guys call themselves experts? You would think getting a user to click on a link would be the hardest thing in the world to get a single mom, retired couple to do. Have these guys never heard of phishing? It's easy to insert phishing into a virii/worm project to get that "user end interaction" stated in this article. This "flaw" could easily be wormed by a malicious programmer.

[kingofgods]

Apple...Ha

Its funny that when an article comes out about a flaw in a Windows app or OS this talk back section is filled with MS bashers but quiet when its about Apple

[NeverFade]

I am a

I am a Mac guy... I believe they are great machines.

I will say that these flaws, or whatever, are indeed not good news
for Apple.

Hope they get fixed soon.

[NeverFade]

no, there is none. READ YOUR LINK

I am getting tired of this - but you seem so set on showing me
facts that are current, I have to show you that it's not.

You said that the START one is a virus? I'll quote:

Affects: PowerPC Macintoshes and compatibles, typically running
QuickTime v2.0 with the "Enable CD-ROM AutoPlay" option
enabled

Okay - First, Quicktime 2.0? There is not one copy of OSX
running Quicktime 2.0. Not one. OSX Started with Quicktime
5.5 I believe Quicktime now is on 7.x. Enable CD-ROM
autoplay? There is none is in OSX.

[techguy83]

look, i can read it the first time

you do not have to repost it three times.

now, as for viruses. I HAVE seen OS X systems with viruses found on them. They have affected the system. They have done such as knocking out internet access. that is something tha I have recorded audio proof of at work. I am not the only one either.

Granted, I didnt read all of the page. I skimmed. But, you can't argue with proof that OS X systems have found viruses on them in scans. Even if that virus was written for a program the mac user runs.

[techguy83]

most likely to happen as Apple gets more popular

1. Spyware/adware specifically for apple.
2. viruses specifically for apple.
3. more and more flaws in apple software and OS found quicker.

People all try to say virus/spyware writers do it for fame. NO. They do it for Money. Selling information stolen by a worm/virus/spyware on a windows box is worth a hell of a lot more than bothering to hit 5% of the world market for the same reason.

[techguy83]

About the vista comment

Want to know why there are viruses written for it already? Its because the viruses writers know that the home users will use this OS when it is released.

Face it, what home users are going to use will have viruses written for it. Everyone knows that as soon as the OS is out of beta home users will use a version of it. It will ship with the new pcs. Dell, Gateway, HP, etc will throw the OS on their systems and let the home users have at it.

Cal me a liar about the audio proof if ya want. But, proof is proof.

Its basically like this: ANY windows OS, beta or not, is going to have its flaws exposed because until windows is no longer the main OS of the world, people will use its flaws and holes to make money.

MAC OSX? Not a major player in the world market, thus not worth a virus/spyware writer's time.

Fame is way overrated.

[SystemsJunky]

There are no

Viruses written for Vista. Just concepts of how to exploit WPF, Avalon and Indigo. Release is a year away and .Net 3.0 will be out by then, Coding will change several times. No there are NONE for An OS that isnt released yet. Plus. Virus will have a rough time on Vista. Virus writers will have a rough time getting things to work. Trust me. Vista will be a very secure OS. It has to be, or MS will crater.

[laroberts]

APPLE HAVE A FLAW! NO!!! NONONO!!!

Whats this... Apple have a flaw? Can it be? But Apple and its users are so.... perfect. Is this possible? LMAO.... I really do Apple gets a little popular again so that it will start getting targeted for every bug and virus under the sun. Bill Gates is miles ahead of Apple and it will stay that way. Apple just needs to stick to its teenagers who like Ipods and leave the OS stuff to the big boys.

[steviesteveo]

Like you?

Go on big boy, make me an OS.

Are you just silly or do you really think a world leading company just has teenagers for customers? Believe it or not, a great deal of content (music, movies, graphics etc) is created by professionals on apple computers with plenty of money and you'd think that kind of demographic would be ideal targets for virus writers (lots of money, fast comput, fast always on internet)

In fact, this is completely not the case, all we have are some pretty impotent proof of concept malware which is like saying "i have made a sharp object, if and only if you come near enough, i can stick it in you and cause harm, but only if you want me to"