Apple Issues Patches For QuickTime Player Flaws
The patches cover a number of vulnerabilities, including a streaming media vulnerability, for which an exploit was discovered circulating in the wild last month.
The new QuickTime 7.3.1, released Thursday afternoon, repairs problems in the way the program handles media content. The new patch, available for both Mac and Windows, addresses a widely reported buffer overflow error in the Real-Time Streaming Protocol, which allows viewers to watch video or listen to music at the same time it is being downloaded. The update ensures that the buffer is adequately sized to contain the data.
The RTSP error was first disclosed to the public Nov. 23 by Polish researcher Krystian Kloskowski, who pointed specifically to QuickTime vulnerabilities running on Windows XP SP2 and Windows Vista. Since then, other analysts have confirmed that Mac users weren't entirely off the hook. Symantec announced a week later that the exploit affected QuickTime running on Macs, warning that attackers could hijack users' machines by enticing them to view a maliciously crafted RTSP movie.
"This protocol on QuickTime that got broken, the bad guys were able to issue vulnerability proof of concept exploit code. They decided to do some other things, like phishing, bots, etc," said Jamz Yaneza, research project manager for Trend Micro. "Once you have control over that part of a computer, it can do almost anything."
Apple also announced fixes for a few other issues, including an unspecified number of vulnerabilities in the QuickTime Flash media handler. The update will allow the Flash media handler in QuickTime to be disabled "except for a limited number of existing QuickTime movies that are known to be safe," according to a security advisory on the company's Web site.
All of the vulnerabilities patched Thursday could result in the execution of arbitrary code, which could allow an attacker to completely take over an affected system.
"A single exploit would not be the entirety of the attack," said Dave Perry, Trend Micro director of global education. "What we're seeing is an amalgam. They can't just rely on one vulnerability."
Security experts assert that this latest round of patches doesn't put an end to QuickTime vulnerabilities. In fact, additional bugs will likely open the door for subsequent multilayered attacks to emerge in the future as various Apple media platforms become more ubiquitous, they say.
"It seems that there's been a bunch of different attacks of streaming technology," said Yaneza. "These technologies are coming together. Both of them allow for embedding links into files. To me, that was a dangerous thing for them to do. It allowed for the bad guys to actually change that link and reroute it to a malicious location instead of the clean video file."
Copies of QuickTime can be updated using Mac OS X's built-in Software Update feature. Windows XP and Vista users can either download the patched version from the Apple Web site or use the Windows-only update tool.
"This item on QuickTime is not the first and I think it's not going to be the last," Yaneza added.