Apple's QuickTime under fire - again

Stephen Withers
Friday, 19 September 2008 04:40

Your IT - Home IT

Just after Apple updated its QuickTime media software to version 7.5.5, a fresh vulnerability has been revealed along with a proof-of-concept exploit.

QuickTime is Apple's software component for media playback. It was ported to Windows many years ago to allow developers to use it to create cross-platform multimedia products and web sites.

Apple last week released QuickTime 7.5.5 featuring "changes that increase reliability, improve application compatibility and enhance security."

The security flaws it corrected related to various memory access or corruption issues, or heap buffer, stack buffer or integer overflow issues.

The QuickTime update accompanied iTunes 8.

The new flaw was revealed by a milw0rm.com user going by the name 'securfrog'.

According to securfrog, "The "<? quicktime type= ?>" tag fail to handle long strings, which can lead to a heap overflow in Quicktime/Itunes media player [sic]."

This heap overflow results in a crash, but securfrog suggests "Code execution may be possible." The trick would be to craft an exploit so that the overflow results in the execution of code previously delivered by the attacker.

The problem with QuickTime vulnerabilities is that the software is used so pervasively by Mac OS X. With a few exceptions, programs that need to play audio or video content do so via QuickTime.

Examples include iMovie, iTunes and (naturally) QuickTime Player. And when a user visits a web page containing graphics, movies or audio, the browser most likely calls on QuickTime to handle display or playback.

What other software uses QuickTime? Please read on.