'Critical' Apple QuickTime Bug Affects iPod Users - InformationWeek


The flaw affects all Java-enabled browsers, including Microsoft's Internet Explorer, Mozilla's Firefox, and Apple's Safari.

A "highly critical" vulnerability has been reported in Apple QuickTime that exposes the millions of people who use iPods to attack.

The vulnerability, which is caused by an error in the way Apple QuickTime handles Java, can be exploited if a user visits a malicious Web site while running a Java-enabled browser. Researchers said that includes Microsoft's Internet Explorer, along with Mozilla's Firefox and Apple's Safari browser. The bug also affects Windows Vista through Internet Explorer 7.

The bug enables a hacker to execute code remotely. Security software firms Secunia and TippingPoint called the bug "highly critical." There have been no reports yet of the bug being exploited.

A spokesperson for Apple wasn't immediately available to comment on the findings.

Earlier this month, Apple announced that it had sold its 100 millionth iPod.

"It's very critical because of the cross-platform, multibrowser nature of it," said Terri Forslof, manager of security response with security company TippingPoint, in an interview. "I would say the attack surface is infinite. You can get the same privileges as the user who is logged on. There is an obvious potential for widespread attack."

Secunia, a security company known for tracking vulnerabilities, issued an advisory noting that the bug affects any platform supporting QuickTime. Secunia researchers said the bug affects the Mac OS X system using Firefox and Safari.

Forslof said TippingPoint reported to Apple this week that the bug also affects Internet Explorer. She added that the flaw also would affect Windows Vista through IE7.

"Initially, the proof of concept code provided by the researcher, Dino Dai Zovi, only worked against the Safari and Firefox browsers," said Forslof. "We strongly believe at this point that any Java-enabled browser, which has the vulnerable QuickTime Java extension installed, is affected by this issue."

QuickTime is Apple's multimedia technology. The iPod uses the iTunes media player, which uses QuickTime. Forslof noted that if there is a way for iPod users to get around using QuickTime, it's not prevalent.

The bug was discovered by Dino Dai Zovi during the recent CanSecWest conference.
