Software // Enterprise Applications
12:04 PM
Connect Directly
Repost This

Apple Patches Year-Old Windows QuickTime Vulnerability

The flaw, which affects Windows XP and Windows Vista machines, opens up a backdoor that could enable a hacker to break into Firefox.

Apple has taken another swing at fixing a troublesome spate of QuickTime vulnerabilities.

The company released an update for the Windows version of QuickTime media player on Wednesday afternoon to patch what Apple calls a "command injection issue" in the way the media player handles URLs. The flaw, which affects Windows XP and Windows Vista, was first disclosed in September of 2006 by Petko D. Petkov, a penetration tester.

Petkov noted in a blog post this September that he reported two QuickTime bugs in the early fall of 2006. Only one, however, was patched. To bring attention to the year-old vulnerability, Petkov posted several proof-of-concept exploits on his blog last month.

At the time, the researcher wrote in his blog, Gnucitizen, that he posted a demonstration of how the bug could be used to hack into Firefox to make a point. "The first vulnerability was fixed, but the second one was completely ignored," he wrote. "I tried to bring the spotlight on the second vulnerability one more time over here, yet nobody listened. So, I decided to post a demonstration of how a Low risk issue can be turned into a very easy to perform HIGH risk attack."

Petkov also reported that the flaw was a particular problem for the Mozilla Foundation's open-source Firefox browser.

Mozilla soon confirmed that the year-old unpatched QuickTime vulnerability opens up a backdoor that could enable a hacker to break into Firefox. Then just six days after the proof-of-concept code was released, Mozilla updated Firefox to fix the problem. "This will protect Firefox users from the public critical security vulnerability until a patch is available from Apple," wrote Window Snyder, Mozilla's top security executive, in her blog.

Now, nearly a month after the proof-of-concept code was posted, Apple has released a fix for the vulnerability.

Apple noted in an online advisory that by enticing a user to open a specially crafted QTL file, an attacker be able to execute malicious code on the machine. The company reported that it fixed the problem by improving URL handling.

The issue does not affect computers running Mac OS X even if they have a Firefox browser, according to Apple.

Apple has issued at least four separate patch updates for QuickTime in the last several months.

QuickTime is Apple's multimedia technology for dealing with video, sound, animation, text, and music. The technology is widely used. The highly popular iPod uses the iTunes media player, which people run on their PCs and Macs. ITunes, in turn, uses QuickTime.

Comment  | 
Print  | 
More Insights
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Elite 100 - 2014
Our InformationWeek Elite 100 issue -- our 26th ranking of technology innovators -- shines a spotlight on businesses that are succeeding because of their digital strategies. We take a close at look at the top five companies in this year's ranking and the eight winners of our Business Innovation awards, and offer 20 great ideas that you can use in your company. We also provide a ranked list of our Elite 100 innovators.
Twitter Feed
Audio Interviews
Archived Audio Interviews
GE is a leader in combining connected devices and advanced analytics in pursuit of practical goals like less downtime, lower operating costs, and higher throughput. At GIO Power & Water, CIO Jim Fowler is part of the team exploring how to apply these techniques to some of the world's essential infrastructure, from power plants to water treatment systems. Join us, and bring your questions, as we talk about what's ahead.