Apple QuickTime, iTunes Flaw Enables Malicious Attack
September 18, 2008 6:36 PM ET
Apple's QuickTime and iTunes are afflicted with another critical bug that can open the door for attackers to execute malicious code and crash affected Web browsers running the media software.
The discovery of the new heap overflow vulnerability comes a week after Apple updated QuickTime, the media software used to play music and stream videos on both Mac OS X and Windows, to version 7.5.5. Apple also recently updated iTunes to version 8.0.
Security company Intego said that the QuickTime tag fails to properly handle long strings of data, resulting in a heap overflow flaw in both QuickTime Player and iTunes, as well as in other Mac OS X programs that stream media via the QuickTime plug-in, such as Mail. The error also affects the Web browsers Apple Safari, Microsoft Internet Explorer and Mozilla Firefox. Consequently, such long strings will crash any Web browser running the QuickTime software, Intego says.
An attacker could also add a QuickTime media file to a Web page that could execute arbitrary code and launch a malicious attack used to compromise affected systems with minimal user interaction. An attacker could crash any Web browser running the QuickTime plug-in by enticing a user to view an infected media file.
A blogger known as "securefrog" published proof-of-concept exploit code on the Website Milw0rm that could allegedly be executed on users' systems in such attacks.
The most recent QuickTime vulnerability is one in a long line of serious errors, particularly in its Real Time Streaming Protocol handling, that have left users susceptible to remote code execution attacks.
The discovery of the heap overflow flaw also follows numerous rounds of recent security updates. Apple issued its latest QuickTime update, 7.5.5, last week, which repaired a total of nine vulnerabilities, many of which allowed attackers to launch malicious code remotely after enticing users to open infected media files.
Additionally, Apple released a major set of patches Monday for its Mac OS X 10.5.5 operating system, repairing a total of 34 vulnerabilities, nine of which enable remote code execution.
Apple did not immediately respond to requests for comment from ChannelWeb.