Apple Fixes 'Highly Critical' QuickTime Bug - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Software // Enterprise Applications

Apple Fixes 'Highly Critical' QuickTime Bug

Now that a fix is out for the vulnerability, researchers say they expect hackers will use it to reverse-engineer the flaw and quickly create an exploit.

Apple released a new version of QuickTime that fixes a "highly critical" vulnerability, but now that the fix is out, security researchers say, an exploit is likely to follow close on its heels.

The version update, which is for both the Mac OS X and Windows, plugs a hole that could open up the millions of people who use an iPod to attacks on their desktops and laptops. QuickTime is Apple's multimedia technology. The iPod uses the iTunes media player, which people run on their PCs and Macs. ITunes, in turn, uses QuickTime.

The U.S.-CERT gave the vulnerability a 10 out of 10 points in its risk-rating scale. Researchers are recommending that users get the update as soon as possible.

The vulnerability is caused by an error in the way Apple QuickTime handles Java. The Apple update advisory noted that the flaw may allow reading or writing out of the bounds of the allocated heap. The bug can be exploited if a user visits a malicious Web site while running a Java-enabled browser. Researchers said that includes Microsoft's Internet Explorer, along with Mozilla's Firefox and Apple's Safari browser. The bug also affects Windows Vista through Internet Explorer 7.

Dmitri Alperovitch, principal research scientist at Secure Computing, said the bug also could be exploited through e-mail, either through links to malicious Web sites or by using HTML code in the e-mail that will trigger QuickTime to launch.

According to Apple's advisory, the QuickTime Version 7.1.6 update addresses the flaw by performing additional bounds checking when creating QTPointerRef objects.

"No exploits have yet come out for this but I would expect some in the next day or two," said Dmitri Alperovitch, a principal research scientist at Secure Computing, in an interview with InformationWeek. "By comparing the code in the patch to the vulnerable version, they can identify the flawed code. I wouldn't expect many users in the next day or two to upgrade, so there will still be a huge population that's vulnerable so exploit writers will have a huge field to target."

Terri Forslof, manager of security response with security company TippingPoint, said in an interview that she's impressed Apple could build, test, and release a fix for the flaw so quickly. According to the Zero Day Initiative, the flaw was reported to Apple on April 23, just a little more than a week before the update was released to the public on May 1.

"They really stepped up, turned the screws down and got that thing out the door," said Forslof. "Responding so quickly to this shows that they really do take security seriously. They communicated with us the whole time."

Forslof also said researchers at TippingPoint are on watch for an exploit to be released. "Because it is QuickTime and it is so ubiquitous, I'd say there's a lot of interest in figuring this out and exploiting it."

The new QuickTime version will be delivered automatically through Software Update, but users also can manually download and install it from this Web site.

Apple credited researchers Dino Dai Zovi for working with TippingPoint and the Zero Day Initiative for reporting this issue.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Commentary
CIOs Face Decisions on Remote Work for Post-Pandemic Future
Joao-Pierre S. Ruth, Senior Writer,  2/19/2021
Slideshows
11 Ways DevOps Is Evolving
Lisa Morgan, Freelance Writer,  2/18/2021
News
CRM Trends 2021: How the Pandemic Altered Customer Behavior Forever
Jessica Davis, Senior Editor, Enterprise Apps,  2/18/2021
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you.
Slideshows
Flash Poll