Categories: MacSecurityWorkspace

Apple Plugs Security Holes in QuickTime

A new version of QuickTime plugs security holes that leave users open to remote code execution attacks by hackers.

In Version 7.6, Apple covered seven such flaws that could be exploited by malicious media files or other techniques. The upgrade is available for Mac OS X v10.4.9 – v10.4.11 and Mac OS X v10.5 or later, as well as for Microsoft Windows Vista and Windows XP SP2 and SP3.

Several of the bugs involve heap buffer overflows. One lies in QuickTime’s handling of RTSP (Real Time Streaming Protocol) URLs. According to the advisory, accessing a rogue RTSP URL may lead to a crash or arbitrary code execution.

Another lies in how QuickTime processes AVI movie files that could also lead to either a crash or remote code execution. The update fixes the issue through improved bounds checking.

Two other heap buffer overflow bugs exist in QuickTime’s handling of THKD atoms in QuickTime Virtual Reality movie files and its handling of JPEG atoms in QuickTime movie files. The final heap buffer overflow is due to a signedness issue involving the use of Cinepak encoded movie files that can be exploited by rogue movie files.

Other security flaws in the update are a buffer overflow that exists in the handling of MPEG-2 video files with MP3 audio content, as well as a memory corruption issue that can be exploited by malicious H.263 encoded movie files.

QuickTime is no stranger to malware authors. Andrew Storms, director of security for nCircle, expects malware targeting these flaws to surface as drive-by attacks.

“Any user watching Internet videos with QuickTime could easily become infected with a single click,” Storms said. “You don’t have to look any further than yesterday’s huge Internet audience watching [President Barack Obama’s] inauguration online to get a sense of the potential impact of these vulnerabilities. Web video has huge potential for every malware author.”

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Share
Published by
Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Recent Posts

Spyware Maker NSO Group Found Liable In US Court

Landmark ruling finds NSO Group liable on hacking charges in US federal court, after Pegasus…

1 day ago

Microsoft Diversifying 365 Copilot Away From OpenAI

Microsoft reportedly adding internal and third-party AI models to enterprise 365 Copilot offering as it…

1 day ago

Albania Bans TikTok For One Year After Stabbing

Albania to ban access to TikTok for one year after schoolboy stabbed to death, as…

1 day ago

Foldable Shipments Slow In China Amidst Global Growth Pains

Shipments of foldable smartphones show dramatic slowdown in world's biggest smartphone market amidst broader growth…

1 day ago

Google Proposes Remedies After Antitrust Defeat

Google proposes modest remedies to restore search competition, while decrying government overreach and planning appeal

1 day ago

Sega Considers Starting Own Game Subscription Service

Sega 'evaluating' starting its own game subscription service, as on-demand business model makes headway in…

1 day ago