Apple (finally) fixes year-old QuickTime flaw

Apple (finally) fixes year-old QuickTime flaw

Summary: Apple has taken another stab at fixing a one-year-old QuickTime vulnerability that exposed Windows XP and Windows Vista to code execution attacks.

TOPICS: Mobility, Apple, Hardware

Apple (finally) fixes year-old QuickTime flawApple has taken another stab at fixing a one-year-old QuickTime vulnerability that exposed Windows XP and Windows Vista to code execution attacks.

The flaw, which allows malicious manipulation of QuickTime Media Link (.qtl) files, is described by apple as a "command injection issue" in the way the media player handles URLs.

"By enticing a user to open a specially crafted file, an attacker may cause an application to be launched with controlled command line arguments, which may lead to arbitrary code execution. This update addresses the issue through improved handling of URLs," Apple said in an advisory released today.

This bug does not affect Mac OS X systems.

[ SEE: Unpatched QuickTime-to-Firefox flaw dings IE too ]

This is Apple's second attempt at fixing this vulnerability. Earlier this year, after it was discussed in the Month of Apple Bugs project (MOAB #3), Apple shipped QuickTime 7.1.5 with a fix that turned out to be inadequate.

Earlier this month, security researches Petko D. Petkov and Aviv Raff published proof-of-concept exploits to show that QuickTime still had a major protocol handling problem.

Six days after the release of Petkov's proof-of-concept, which affected users of Firefox, Mozilla shipped a new version of its flagship browser to block code execution attacks from QuickTime.

Topics: Mobility, Apple, Hardware

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Question: what's wrong with fixing bugs from multiple applications?atio

    Obviously Apple's delay in fixing this bug caused Firefox to patch their software, but
    now both Firefox and Quicktime handle the problem.

    Isn't it better not to make assumptions about other's applications and fix the bug in
    your application? If every developer followed this rule, then we'd all be more secure.
  • I fixed this some time ago...

    ...when I uninstalled QT from my system. The constant nagging to install iTunes convinced me that it was time. I hadn't used it it quite some time anyway.
    • Did you uninstall Windows too? NT

      • LMAO - - - NT

        <no text>
        brian ansorge
  • RE: Apple (finally) fixes year-old QuickTime flaw

    Easy solution. Eliminate QT.
    • Better more permanent solution

      Stop using Microsoft Windows.
      tracy anne
      • How about FireFox?

        Should we also uninstall FireFox? This wasn't a Windows issue, just a FF issue. QT has become a security risk regardless of OS, and FF isn't much better.
  • RE: Apple (finally) fixes year-old QuickTime flaw

    So it's only a problem on Windows machines, and yet it's
    exclusively an Apple flaw. And the fact that it makes both XP and
    Vista machines vulnerable has nothing to do with (continued) bad
    MS code. And the fact that the Windows browsers you use to
    access and execute these files allows them through is also Apple's

    I'm not saying QT is perfect, or even doesn't have responsibilities
    here. I'm saying this is a multi-tiered problem whose roots are in
    basic Windows code. Last I heard, OS X has safeguards to prevent
    unauthorized executions, and keeps the admin separate from the
    rest of the OS to stop malicious code from accessing necessary

    So it must be all QT's fault.
    • It seems that I recall...

      ...when they had the Mac hacker challenge awhile back that it was QT that allowed the hackers to "own" the Mac, and all within a few minutes. To answer your question, yes, this is an Apple problem, and, no, OSX is not secure, just obscure. The difference with Windows is that we can easily solve the problem by uninstalling QT.