January 23, 2007 2:40 PM PST

Apple plugs zero-day QuickTime flaw

Apple on Tuesday released a fix for a serious security hole in its QuickTime media player software.

The patch comes 23 days after details of the flaw, along with detailed attack code, were publicly released. The publication kicked off the "Month of the Apple Bugs" project, which has been publishing a new Apple software bug each day in January.

The QuickTime vulnerability relates to how the media player software handles the Real Time Streaming Protocol, or RTSP, according to an Apple alert. An attacker could exploit the flaw and commandeer a vulnerable system by placing a special RTSP string in a QuickTime file and tricking a user into opening that file, Apple said.

"A buffer overflow exists in QuickTime's handling of RTSP URLs," according to the Apple alert. "By enticing a user to access a maliciously-crafted RTSP URL, an attacker can trigger the buffer overflow, which may lead to arbitrary code execution." The update addresses the issue by performing additional validation of RTSP links, Apple said.

Security-monitoring companies Secunia and the French Security Incidence Response Team, or FrSIRT, have rated the QuickTime problem as "highly critical" and "critical," respectively. Still, experts have not seen widespread exploitation of the problem.

One of the bug hunters behind the Month of Apple Bugs said he is stunned by the time it took Apple to fix the flaw. "Twenty two days for a remote issue that leads to code execution right away is sort of insane," the pseudonymous LMH said in an interview via instant message. "There was already an exploit and it was being abused in targeted attacks."

The vulnerability affects QuickTime 7.1.3 on Mac OS X and Windows. Several other vulnerabilities in Apple software have been disclosed as part of the Month of Apple Bugs, including in QuickTime. Apple has not yet released fixes for those issues.

Apple has said that it is aware of the project, but has chosen not to comment beyond a standard statement that it takes security very seriously and has "a great track record of addressing potential vulnerabilities before they can affect users. We always welcome feedback on how to improve security on the Mac."

The Apple patch can be downloaded and installed via the Software Update feature in Mac OS X, or from Apple Downloads.

See more CNET content tagged:
Apple QuickTime, Apple Computer, flaw, vulnerability, buffer-overflow

11 comments

Join the conversation!
Add your comment
OMG!!!!!!!!!!!!!
When will Apple users learn and buy a Windows PC like 95% of computer users! Steve Jobs and his evil empire does not care about you....its all about his back shares and the quarter of a billion dollars he made:):):)

Let the flaming begin!!!!!
Posted by Lindy01 (443 comments )
Reply Link Flag
RE: OMG!!!!!!!!!!!!
There once was a person who people thought was stupid...

They then opened their mouth and removed all doubt.
Posted by JimUrban (8 comments )
Link Flag
Windows
Do you seriously believe that windows would be better if it had no
competition?
Posted by and09890 (7 comments )
Reply Link Flag
Competition
I think that having a healthy and vigourous competitor like Apple is
crucial to the long term strategic goals of Microsoft. Having Apple
as a viable alternative keeps the regulators off of Microsoft. Even
better, the switch to the Intel platform, which enabled Boot Camp
and Parallels to do their thing, basically opens up the entire
desktop and laptop market to MSFT. They don't care what hardware
you run which puts them at a significant market advantage over
Apple - which is essentially a hardware company that happens to
sell an OS.
Posted by rapier1 (2722 comments )
Link Flag
Happy to hear that Apple becomes more customer friendly
I am happy for the computer industry that Apple will be stopping arrogance like "all our products are rated 5-start", "you don't need help with a Mac" or "my sh.t does not smell". They used to publish critical security updates secretly under innocent names. A few years ago they published the critical buffer overflow in the words "with this update your browser can handle the URLs more efficiently".
Bugs even severe ones are part of the process. Just accept it and try to make it better. Whichever company it is...
Posted by Shef Seattle (26 comments )
Reply Link Flag
Happy to hear that Apple becomes more customer friendly
I am happy for the computer industry that Apple will be stopping arrogance like "all our products are rated 5-start", "you don't need help with a Mac" or "my sh.t does not smell". They used to publish critical security updates secretly under innocent names. A few years ago they published the critical buffer overflow in the words "with this update your browser can handle the URLs more efficiently".
Bugs even severe ones are part of the process. Just accept it and try to make it better. Whichever company it is...
Posted by Shef Seattle (26 comments )
Reply Link Flag
i can't believe they waited 22 days!!!!!
<a class="jive-link-external" href="http://www.google.com/search?client=safari&#38;rls=en&#38;q=flaws+in" target="_newWindow">http://www.google.com/search?client=safari&#38;rls=en&#38;q=flaws+in</a>
+windows+not+patched&#38;ie=UTF-8&#38;oe=UTF-8
Posted by scweezil (171 comments )
Reply Link Flag
Okay, so where does a .DMG file go?
I'm not a multiplatform guru, so I was expecting a zip or EXE file for my WinXP machine--does the dgmg file go in the Quicktime folder in Program Files? Go ahead and flame....I can take it. Just so long as a correct answr accompanies the high-BTU comments.
Posted by cnetbubba (2 comments )
Reply Link Flag
Dmg files
DMG files dont go into any folders they are disk images .. a bit
like you would know of bz2 files in some other *nixes. Most of
users choose to expand them onto the desktop.

DMG are nice and easy since they are considered a volume by
the machine .. you can see them in terminal as a subfolder of /
Volumes/ part of your partition. Zip files etc are not considered
disks they are just another folder.

As to the quicktime flaw .. this is a bit laughable .. ok first to get
exposed to this flaw you have to be using a streaming service
that service has to be infected to begin with and you would have
to enable trust on that service for the flaw to run at all ...

General recommandation : dont use rstp from people you do not
trust... there are very very few people using that technology save
Apple.

A more worrysome bug is the Acrobat javascript vulnerability , i
would recommend to turn off all javascript execution in this
software and or use preview as your primary PDF reader.
Posted by MacHeads (70 comments )
Link Flag
Where's The Windows Patch?
How come when I run the software update check in my Quicktime 7.1.3.100 dated 9/1/2006 it says I have the most up to date version? The update link provided by CNET only shows a patch to the Mac version of Quicktime (dmg file).
Posted by Stating (869 comments )
Reply Link Flag
An apple a day keeps the worms away?
I'm not an Apple user, but at least they do patch more regularly than Microsoft.

For that matter... with the exception of Oracle... I think everybody else has a much better track record than Microsoft!

Walt
Posted by wbenton (522 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.