Apple's QuickTime under fire - again

Stephen Withers
Friday, 19 September 2008 04:40

Your IT - Home IT

Ever received an email with an embedded movie or sound clip? QuickTime almost certainly played it for you.

QuickTime is even used in the Finder. Ever used the preview feature in Quick Look or in a Get Info window? That's QuickTime at work again.

The sample exploit provided by securfrog only causes a crash, and so is more likely to be a nuisance than anything else. But until the flaw is fixed, the possibility of a more dangerous exploit will remain.

Furthermore, securfrog points out that QuickTime parses headers contained in a file sent to it for processing even if the headers do not correspond to the file's type: "so you can put some xml in a mp4, mov,etc and open it with quicktime or you can do the same in some html page [sic]".

The pervasiveness of QuickTime means that suggestions from some quarters that the QuickTime browser plugin should be disabled until Apple releases a patch will have limited effectiveness.

While it would stop a malicious file embedded in a web page from triggering a crash, there are so many other situations that QuickTime is used with downloaded content that it would at best be a band-aid solution.

Furthermore, the loss of functionality would be so severe that it would not be a viable strategy for many users.

Code used to handle media files has proved a fertile hunting ground for security researchers, with Apple, Microsoft and other vendors having released multiple updates to handle such flaws once they are uncovered.