Apple QuickTime, iTunes Flaw Enables Malicious Attack


The discovery of the new heap overflow vulnerability comes a week after Apple updated QuickTime, the media software used to play music and stream videos on both Mac OS X and Windows, to version 7.5.5. Apple also recently updated iTunes to version 8.0.

Security company Intego said that the QuickTime tag fails to properly handle long strings of data, resulting in a heap overflow flaw in both QuickTime Player and iTunes, as well as other Mac OS X programs that stream media via the QuickTime plug-in, such as Mail. The error also affects Web browsers Apple Safari, Microsoft Internet Explorer or Mozilla Firefox. Consequently, such long strings will crash any Web browser running the QuickTime software, Intego says.

An attacker could also add a QuickTime media file to a Web page that could execute arbitrary code and launch a malicious attack used to compromise affected systems with minimal user interaction. An attacker could crash any Web browser running the QuickTime plug-in by enticing a user to view an infected media file.

A blogger known as "securefrog," published a proof of concept exploit code on the Website Milw0rm that could allegedly be executed on users systems for such attacks.

Sponsored post

The most recent QuickTime vulnerability is one in a long line of serious errors, particularly in its real time streaming protocol, that have left users susceptible to remote code execution attacks.

The discovery of the heap overflow flaw also follows after numerous rounds of recent security updates. Apple issued its latest QuickTime update 7.5.5 last week, which repaired a total of nine vulnerabilities, many of which allowed attackers to launch malicious code remotely after enticing users to open infected media files.

Additionally, Apple also released a major patch load Monday for its Mac 0S X 10.5.5 operating system, repairing a total of 34 vulnerabilities, nine of which enable remote code execution.

Apple did not immediately respond to requests for comment from ChannelWeb.