Apple QuickTime Bug Could Be Days Away, Experts Warn

Researchers say hackers could be a few days away from finding the vulnerable code, and then exploits and malicious sites could be built within a week.
Security researchers say it's likely that hackers will be able to exploit the Apple QuickTime bug within about a week.

The bug, which has been rated "highly critical" by two different security companies, could open up the millions of people who use an iPod to attacks on their desktops and laptops. QuickTime is Apple's multimedia technology. The iPod uses the iTunes media player, which people run on their PCs and Macs. iTunes, in turn, uses QuickTime.

Earlier this month, Apple announced it had sold its 100 millionth iPod.

The vulnerability is caused by an error in the way Apple QuickTime handles Java. It can be exploited if a user running a Java-enabled browser visits a malicious Web site. Researchers said that includes Microsoft's Internet Explorer, along with Mozilla's Firefox and Apple's Safari browser. The bug also affects Windows Vista through Internet Explorer 7.

Dmitri Alperovitch, principal research scientist at Secure Computing, said the bug also could be exploited through e-mail, either through links to malicious Web sites or by using HTML code in the e-mail that will trigger QuickTime to launch.

The bug enables a hacker to execute code remotely. Security software firms Secunia and TippingPoint called the bug "highly critical." There have been no reports yet of the bug being exploited.

"We don't believe the underground right now knows all the details," said Alperovitch in an interview with InformationWeek. "It will take them a few days to get the details. It will probably be at least three or four days before they figure out how to take advantage of this."

Oliver Friedrichs, a director in Symantec's Security Response team, said there is talk on the Internet that a hacker might have intercepted the wireless traffic around the CanSecWest conference where the bug was first disclosed. Researcher Dino Dai Zovi used the bug to compromise a MacBook over a wireless network. If a hacker did intercept that transmission, he would have the exploit code.

"All of this is really just conjecture, though," said Friedrichs in an interview. "We know there is a vulnerability and no patch available. Beyond that, it's all speculation... We're likely still days if not a week or so from somebody finding the vulnerability. Given the fact that people know to look at the interaction between Java and QuickTime, it's likely they'll find something in the next several days."

A spokesman for Apple said they are investigating, but would only add that "Apple takes security very seriously." He would not give any estimate on how soon a patch could be released.

Alperovitch noted, however, that even if a patch comes out before the exploit hits, a large number of users could still be at risk because it takes weeks, months and sometimes even years for users to get their systems patched. "I've seen computers that have 50 to 60 pieces of malware because of all the unpatched vulnerabilities in them," he added. "People either aren't aware or don't bother with it. Home users are typically the most unprotected."
