Apple Fixes 'Highly Critical' QuickTime Bug

Now that a fix is out for the vulnerability, researchers say they expect hackers will use it to reverse-engineer the flaw and quickly create an exploit.
Apple released a new version of QuickTime that fixes a "highly critical" vulnerability, but now that the fix is out, security researchers say, an exploit is likely to follow close on its heels.

The update, which is for both Mac OS X and Windows, plugs a hole that could expose the millions of people who use an iPod to attacks on their desktops and laptops. QuickTime is Apple's multimedia technology. The iPod uses the iTunes media player, which people run on their PCs and Macs, and iTunes in turn uses QuickTime.

US-CERT rated the vulnerability 10 out of 10 on its risk-rating scale. Researchers are recommending that users get the update as soon as possible.

The vulnerability is caused by an error in the way Apple QuickTime handles Java. Apple's update advisory noted that the flaw may allow reading or writing outside the bounds of the allocated heap. The bug can be exploited if a user visits a malicious Web site while running a Java-enabled browser, which researchers said includes Microsoft's Internet Explorer, Mozilla's Firefox, and Apple's Safari. The bug also affects Windows Vista through Internet Explorer 7.

Dmitri Alperovitch, principal research scientist at Secure Computing, said the bug also could be exploited through e-mail, either through links to malicious Web sites or by using HTML code in the e-mail that will trigger QuickTime to launch.

According to Apple's advisory, the QuickTime Version 7.1.6 update addresses the flaw by performing additional bounds checking when creating QTPointerRef objects.

"No exploits have yet come out for this, but I would expect some in the next day or two," said Dmitri Alperovitch, a principal research scientist at Secure Computing, in an interview with InformationWeek. "By comparing the code in the patch to the vulnerable version, they can identify the flawed code. I wouldn't expect many users in the next day or two to upgrade, so there will still be a huge population that's vulnerable, so exploit writers will have a huge field to target."

Terri Forslof, manager of security response with security company TippingPoint, said in an interview that she's impressed Apple could build, test, and release a fix for the flaw so quickly. According to the Zero Day Initiative, the flaw was reported to Apple on April 23, just a little more than a week before the update was released to the public on May 1.

"They really stepped up, turned the screws down and got that thing out the door," said Forslof. "Responding so quickly to this shows that they really do take security seriously. They communicated with us the whole time."

Forslof also said researchers at TippingPoint are on watch for an exploit to be released. "Because it is QuickTime and it is so ubiquitous, I'd say there's a lot of interest in figuring this out and exploiting it."

The new QuickTime version will be delivered automatically through Software Update, but users also can manually download and install it from this Web site.

Apple credited researcher Dino Dai Zovi, working with TippingPoint and the Zero Day Initiative, for reporting this issue.