News
1/16/2008
03:12 PM
Apple Patches Seven Security Issues, QuickTime Still Vulnerable

Security officials with US-CERT recommend uninstalling QuickTime and blocking the Real-Time Streaming Protocol until a fix is made available.

Updates released by Apple on Tuesday include security fixes for its iPod Touch, iPhone, and QuickTime media software, but QuickTime remains vulnerable to a recently disclosed Real-Time Streaming Protocol (RTSP) exploit.

"The noteworthy areas of this are the QuickTime fixes," said Andrew Storms, director of security operations at NCircle, a network security company. "Probably more interesting than what they fixed is the fact that these weren't previously known vulnerabilities. ... They fixed three things we didn't know about but didn't fix the thing everybody wished would get fixed."

QuickTime 7.4 addresses four issues that affect Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, and Windows XP SP2. The vulnerabilities are related to possible memory corruption arising from the way QuickTime handles Sorenson 3 video files, Image Descriptor atoms, PICT files, and Macintosh Resource records in movie files.

"The QuickTime updates address four vulnerabilities, all of which could permit arbitrary code execution," Storms said in an e-mail. "In addition, each vulnerability pertains to file parsing/handling bugs, and this is a problem that both Apple and Microsoft have been battling for a number of years. These types of vulnerabilities continue a trend away from older network-style attacks and toward client-side attacks utilizing multimedia delivery methods for malware."

"Apple QuickTime contains a buffer overflow vulnerability in the way QuickTime handles RTSP response messages," US-CERT said in a vulnerability note published last week, adding that maliciously crafted response messages can crash the QuickTime Player, giving the attacker control over the victim's system.

In order to exploit the vulnerability, a QuickTime user needs to be convinced to open a malicious RTSP stream. Apple Mac OS X and Microsoft Windows versions of QuickTime are affected, according to US-CERT. Among other precautions, US-CERT recommends uninstalling QuickTime and blocking the rtsp:// protocol until a fix is made available.
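The RTSP flaw described above is a client trusting the size of data in a server's response. As an added illustration (this is not Apple's or US-CERT's code, and the article does not say which part of the response overflowed), the following Python parser applies the length and structure checks an RTSP client should make on the status line, every header line, and the body before copying any of them into a fixed-size buffer. It goes beyond the single field that was reported vulnerable and checks the whole message. The size limits, the function names, and the two sample responses are assumptions constructed for the example; the "crafted" response is simply a header value far longer than any sensible buffer.

```python
"""Bounds-checked RTSP response handling (added example; not Apple's or
US-CERT's code). The article says only that QuickTime mishandled crafted
RTSP response messages; which field overflowed is not stated, so this
parser rejects oversized or malformed input everywhere a client would
otherwise copy data into a fixed-size buffer. Size limits and sample
messages below are assumptions constructed for the example."""

MAX_LINE_LEN = 1024      # assumed: longest status or header line accepted
MAX_HEADERS = 64         # assumed: most headers accepted per response
MAX_BODY_LEN = 65536     # assumed: largest body (e.g. SDP) accepted


class RTSPResponseError(ValueError):
    """Raised for any response that fails a structural or size check."""


def parse_rtsp_response(raw: bytes) -> dict:
    """Parse an RTSP response, refusing anything outside the limits above.

    Returns {"version": bytes, "status": int, "reason": bytes,
             "headers": {name: value}, "body": bytes}.
    """
    if len(raw) > MAX_LINE_LEN * (MAX_HEADERS + 1) + MAX_BODY_LEN + 4:
        raise RTSPResponseError("response too large")
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise RTSPResponseError("no end-of-headers marker")

    lines = head.split(b"\r\n")
    status_line = lines[0]
    if len(status_line) > MAX_LINE_LEN:
        raise RTSPResponseError("status line too long")
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"RTSP/"):
        raise RTSPResponseError("malformed status line")
    if not parts[1].isdigit() or len(parts[1]) != 3:
        raise RTSPResponseError("malformed status code")
    status = int(parts[1])
    reason = parts[2] if len(parts) == 3 else b""

    headers = {}
    for line in lines[1:]:
        # Check the length before any further processing of the line.
        if len(line) > MAX_LINE_LEN:
            raise RTSPResponseError("header line too long")
        name, colon, value = line.partition(b":")
        name = name.strip().lower()
        if not colon or not name or not name.isascii():
            raise RTSPResponseError("malformed header line")
        headers[name.decode("ascii")] = value.strip()
        if len(headers) > MAX_HEADERS:
            raise RTSPResponseError("too many headers")

    # The body is only trusted as far as a sane, declared Content-Length.
    declared = headers.get("content-length")
    if declared is None:
        if body:
            raise RTSPResponseError("body without Content-Length")
    else:
        if not declared.isdigit():
            raise RTSPResponseError("malformed Content-Length")
        length = int(declared)
        if length > MAX_BODY_LEN:
            raise RTSPResponseError("Content-Length exceeds limit")
        if len(body) != length:
            raise RTSPResponseError("body length does not match Content-Length")

    return {"version": parts[0], "status": status, "reason": reason,
            "headers": headers, "body": body}


def check_response(raw: bytes) -> tuple:
    """Wrap the parser: ("accepted", parsed) or ("rejected", reason)."""
    try:
        return ("accepted", parse_rtsp_response(raw))
    except RTSPResponseError as exc:
        return ("rejected", str(exc))


# Constructed sample messages (assumptions, not captured traffic).
BENIGN_RESPONSE = (
    b"RTSP/1.0 200 OK\r\n"
    b"CSeq: 1\r\n"
    b"Content-Type: application/sdp\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# A response whose Content-Type value is far longer than any fixed-size
# client buffer would hold; the parser refuses it before any copy happens.
CRAFTED_RESPONSE = (
    b"RTSP/1.0 200 OK\r\n"
    b"CSeq: 1\r\n"
    b"Content-Type: " + b"A" * 4096 + b"\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, msg in (("benign", BENIGN_RESPONSE), ("crafted", CRAFTED_RESPONSE)):
        verdict, detail = check_response(msg)
        print(label, verdict, detail if verdict == "rejected" else detail["status"])
```

The point of the example is the order of operations: every length is checked against a fixed limit before the data is parsed or stored, and the body is only accepted when it matches a Content-Length that is itself within bounds. A client written this way turns a crafted response into a rejected message rather than a memory-corruption primitive.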

Apple also patched three vulnerabilities affecting its iPod Touch and iPhone. Two of the fixes address browser flaws (one in Safari and one in WebKit, Safari's browser engine) and the third repairs a flaw in the iPhone's Passcode Lock, which could have allowed an attacker in physical possession of a locked iPhone to bypass the lock.

According to Storms, Apple fixed a similar vulnerability in Mac OS X 10.2 that allowed users to bypass the screen lock.
