Apple Patches Seven Security Issues, QuickTime Still Vulnerable - InformationWeek

03:12 PM

Apple Patches Seven Security Issues, QuickTime Still Vulnerable

Security officials with US-CERT recommend uninstalling QuickTime and blocking the Real-Time Streaming Protocol until a fix is made available.

Updates released by Apple on Tuesday include security fixes for its iPod Touch, iPhone, and QuickTime media software, but QuickTime remains vulnerable to a recently disclosed Real-Time Streaming Protocol (RTSP) exploit.

"The noteworthy areas of this are the QuickTime fixes," said Andrew Storms, director of security operations at NCircle, a network security company. "Probably more interesting than what they fixed is the fact that these weren't previously known vulnerabilities. ... They fixed three things we didn't know about but didn't fix the thing everybody wished would get fixed."

QuickTime 7.4 addresses four issues that affect Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, and Windows XP SP2. The vulnerabilities are related to possible memory corruption arising from the way QuickTime handles Sorenson 3 video files, Image Descriptor atoms, PICT files, and Macintosh Resource records in movie files.

"The QuickTime updates address four vulnerabilities, all of which could permit arbitrary code execution," Storms said in an e-mail. "In addition, each vulnerability pertains to file parsing/handling bugs, and this is a problem that both Apple and Microsoft have been battling for a number of years. These types of vulnerabilities continue a trend away from older network-style attacks and toward client-side attacks utilizing multimedia delivery methods for malware."

"Apple QuickTime contains a buffer overflow vulnerability in the way QuickTime handles RTSP response messages," US-CERT said in a vulnerability note published last week, adding that maliciously crafted response messages can crash the QuickTime Player, giving the attacker control over the victim's system.

In order to exploit the vulnerability, a QuickTime user needs to be convinced to open a malicious RTSP stream. Apple Mac OS X and Microsoft Windows versions of QuickTime are affected, according to US-CERT. Among other precautions, US-CERT recommends uninstalling QuickTime and blocking the rtsp:// protocol until a fix is made available.
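Since the unpatched flaw lies in how the client parses RTSP response messages, one defensive check a network or proxy operator can run is to inspect RTSP responses for oversized header values before they reach the player. The following is an added illustration, not code from Apple, US-CERT or the article; the 256-byte threshold and the sample responses are constructed assumptions.

```python
import re

# Assumed, illustrative upper bound on a single RTSP header value; tune per deployment.
MAX_HEADER_VALUE_LEN = 256

# RTSP status line, e.g. "RTSP/1.0 200 OK"
STATUS_LINE = re.compile(r"^RTSP/\d\.\d (\d{3}) ")


def inspect_rtsp_response(raw: bytes) -> list[str]:
    """Return a list of findings for one RTSP response (empty list means nothing odd).

    Flags a malformed status line, header lines with no colon, and any header whose
    value exceeds MAX_HEADER_VALUE_LEN, the kind of oversized field a parsing buffer
    overflow in a client would be fed.
    """
    findings = []
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1", errors="replace").split("\r\n")
    if not STATUS_LINE.match(lines[0]):
        findings.append(f"malformed status line: {lines[0][:40]!r}")
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            findings.append(f"header without colon: {line[:40]!r}")
            continue
        value = value.strip()
        if len(value) > MAX_HEADER_VALUE_LEN:
            findings.append(f"oversized header {name.strip()} ({len(value)} bytes)")
    return findings


# Constructed sample responses (not captured traffic).
BENIGN = (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n"
          b"Content-Length: 0\r\n\r\n")
SUSPICIOUS = (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nServer: " + b"A" * 1024 + b"\r\n\r\n")

if __name__ == "__main__":
    for label, msg in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, inspect_rtsp_response(msg) or "ok")
```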

Apple also patched three vulnerabilities affecting its iPod Touch and iPhone. Two of the fixes address browser flaws (one in Safari and one in WebKit, Safari's browser engine) and the third repairs a flaw in the iPhone's Passcode Lock, which could have allowed an attacker in physical possession of a locked iPhone to bypass the lock.

According to Storms, Apple fixed a similar vulnerability in Mac OS X 10.2 that allowed users to bypass the screen lock.
