Apple drops QuickTime patch

Apple on Wednesday dropped a patch for QuickTime to fix an arbitrary code execution vulnerability.

Relative to other recent QuickTime patches this one was small--only one vulnerability that could lead to an "unexpected application termination or arbitrary code execution" if a user visits a malicious Web site.

QuickTime 7.4.1 covers the following vulnerability (CVE-2008-0234). Here's Apple's description.

A heap buffer overflow exists in QuickTime's handling of HTTP responses when RTSP tunneling is enabled. By enticing a user to visit a maliciously crafted webpage, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.

This flaw has been around for about a month.


Talkback

7 comments
  • thanks for letting us know

    I kind of thought Ryan would report this early, given his displeasure with the fault.

    But in any case, nice to have Quicktime, and safe again.
    Narr vi
    • Why do you believe QT is safe again?

      Do you honestly believe there will never be another patch to close yet another remote execution vulnerability in QT? Make no mistake, QT is [b]not[/b] safe.
      NonZealot
      • Neither is Windows

        So I'm not sure your point here...oh, yeah it's to bash Apple. Better hold off on your Vista SP1 patch. You may just hose your whole system...have a nice day. ;)
        Kid Icarus-21097050858087920245213802267493
      • non-z, it's a matter of proportion

        I am confident that much software, particularly that accepts many formats, has issues still to be found.

        I find Quicktime generally a powerful and elegant piece of software. Like many other systems, it was implemented before threats of this kind were serious. It was known how to avoid the vulnerability in the early 1980's, so everyone bears a part of fault.

        How simple is it, after all, to bounds check incoming data, which would eliminate 99% of the problems? Unix for example has internally protected the kernel for security this way for decades.

        First you have to teach programmers it's relevant. Most companies didn't do that. Ergo...
        Narr vi
        • oh yes

          To answer your original question, I just doubt that there's so much more of consequence to be found in Quicktime. For the time being, anyway.
          Narr vi
  • so you stopped using ActiveX

    because of the endless security problems
    http://blogs.zdnet.com/security/?p=850

    but for some reason the endless patching of QT means nothing? Good they got around to patching it?

    You should stop calling this blog 'zero day'.
    It should be 'zero day only if it is a MS flaw'

    I don't mind biased BS, as long as it is labeled as such.
    mdemuth
    • In the interest of disclosure .....

      ... you should know that Larry is an Apple user. Don't expect him to consider an Apple originated flaw to be the equal of a Windows flaw.
      ShadeTree