Apple Patches Year-Old Windows QuickTime Vulnerability - InformationWeek
Software // Enterprise Applications
12:04 PM
How To Turn Your Data Into Dollars
Mar 29, 2017
Organizations are swamped with data in the form of web traffic, ERP systems, CRM systems, point of ...Read More>>

Apple Patches Year-Old Windows QuickTime Vulnerability

The flaw, which affects Windows XP and Windows Vista machines, opens up a backdoor that could enable a hacker to break into Firefox.

Apple has taken another swing at fixing a troublesome spate of QuickTime vulnerabilities.

The company released an update for the Windows version of QuickTime media player on Wednesday afternoon to patch what Apple calls a "command injection issue" in the way the media player handles URLs. The flaw, which affects Windows XP and Windows Vista, was first disclosed in September of 2006 by Petko D. Petkov, a penetration tester.

Petkov noted in a blog post this September that he reported two QuickTime bugs in the early fall of 2006. Only one, however, was patched. To bring attention to the year-old vulnerability, Petkov posted several proof-of-concept exploits on his blog last month.

At the time, the researcher wrote in his blog, Gnucitizen, that he posted a demonstration of how the bug could be used to hack into Firefox to make a point. "The first vulnerability was fixed, but the second one was completely ignored," he wrote. "I tried to bring the spotlight on the second vulnerability one more time over here, yet nobody listened. So, I decided to post a demonstration of how a Low risk issue can be turned into a very easy to perform HIGH risk attack."

Petkov also reported that the flaw was a particular problem for the Mozilla Foundation's open-source Firefox browser.

Mozilla soon confirmed that the year-old unpatched QuickTime vulnerability opens up a backdoor that could enable a hacker to break into Firefox. Then just six days after the proof-of-concept code was released, Mozilla updated Firefox to fix the problem. "This will protect Firefox users from the public critical security vulnerability until a patch is available from Apple," wrote Window Snyder, Mozilla's top security executive, in her blog.

Now, nearly a month after the proof-of-concept code was posted, Apple has released a fix for the vulnerability.

Apple noted in an online advisory that by enticing a user to open a specially crafted QTL file, an attacker be able to execute malicious code on the machine. The company reported that it fixed the problem by improving URL handling.

The issue does not affect computers running Mac OS X even if they have a Firefox browser, according to Apple.

Apple has issued at least four separate patch updates for QuickTime in the last several months.

QuickTime is Apple's multimedia technology for dealing with video, sound, animation, text, and music. The technology is widely used. The highly popular iPod uses the iTunes media player, which people run on their PCs and Macs. ITunes, in turn, uses QuickTime.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
IT Success = Storage & Data Center Performance
Balancing legacy infrastructure with emerging technologies requires laying a solid foundation that delivers flexibility, scalability, and efficiency. Learn what the most pressing issues are, how to incorporate advances like software-defined storage, and strategies for streamlining the data center.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of November 6, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll