Apple Patches Seven Security Issues, QuickTime Still Vulnerable
Security officials with US-CERT recommend uninstalling QuickTime and blocking the Real-Time Streaming Protocol until a fix is made available.
Updates released by Apple on Tuesday include security fixes for its iPod Touch, iPhone, and QuickTime media software, but QuickTime remains vulnerable to a recently disclosed Real-Time Streaming Protocol (RTSP) exploit.
"The noteworthy areas of this are the QuickTime fixes," said Andrew Storms, director of security operations at NCircle, a network security company. "Probably more interesting than what they fixed is the fact that these weren't previously known vulnerabilities. ... They fixed three things we didn't know about but didn't fix the thing everybody wished would get fixed."
QuickTime 7.4 addresses four issues that affect Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, and Windows XP SP2. The vulnerabilities are related to possible memory corruption arising from the way QuickTime handles Sorenson 3 video files, Image Descriptor atoms, PICT files, and Macintosh Resource records in movie files.
"The QuickTime updates address four vulnerabilities, all of which could permit arbitrary code execution," Storms said in an e-mail. "In addition, each vulnerability pertains to file parsing/handling bugs, and this is a problem that both Apple and Microsoft have been battling for a number of years. These types of vulnerabilities continue a trend away from older network-style attacks and toward client-side attacks utilizing multimedia delivery methods for malware."
"Apple QuickTime contains a buffer overflow vulnerability in the way QuickTime handles RTSP response messages," US-CERT said in a vulnerability note published last week, adding that maliciously crafted response messages can crash the QuickTime Player, giving the attacker control over the victim's system.
In order to exploit the vulnerability, a QuickTime user needs to be convinced to open a malicious RTSP stream. Apple Mac OS X and Microsoft Windows versions of QuickTime are affected, according to US-CERT. Among other precautions, US-CERT recommends uninstalling QuickTime and blocking the rtsp:// protocol until a fix is made available.
Apple also patched three vulnerabilities affecting its iPod Touch and iPhone. Two of the fixes address browser flaws (one in Safari and one in WebKit, Safari's browser engine) and the third repairs a flaw in the iPhone's Passcode Lock, which could have allowed an attacker in physical possession of a locked iPhone to bypass the lock.
According to Storms, Apple fixed a similar vulnerability in Mac OS X 10.2 that allowed users to bypass the screen lock.