Apple nukes QuickTime for Java, plugs more code execution holes


Summary: Less than a week after its QuickTime media player made the top-ten list of most vulnerable Windows applications, Apple shipped QuickTime 7.3 to patch a total of seven vulnerabilities that could lead to code execution attacks.


Less than a week after its QuickTime media player made the top-ten list of most vulnerable Windows applications, Apple shipped QuickTime 7.3 to patch a total of at least seven vulnerabilities that could lead to code execution attacks.

The update, available for both Mac and Windows (XP and Vista) users, also includes the removal of QuickTime for Java, a move that significantly reduces the attack surface on the company's flagship digital media player.

Apple also shipped a new version of iTunes but there is no security content associated with that release.

According to an advisory from Cupertino, QuickTime 7.3 provides fixes for seven potentially serious flaws that could open up Mac and Windows machines to denial-of-service, privilege escalation or drive-by malware attacks.

[ SEE: Yahoo Messenger, QuickTime top list of most vulnerable Windows apps ]

The skinny on the flaws/fixes:

CVE-2007-2395: A memory corruption issue exists in QuickTime's handling of image description atoms. By enticing a user to open a maliciously crafted movie file, an attacker may cause an unexpected application termination or arbitrary code execution.

CVE-2007-3750: A heap buffer overflow exists in QuickTime Player's handling of Sample Table Sample Descriptor (STSD) atoms. By enticing a user to open a maliciously crafted movie file, an attacker may cause an unexpected application termination or arbitrary code execution.

CVE-2007-3751: Multiple vulnerabilities exist in QuickTime for Java, which may allow untrusted Java applets to obtain elevated privileges. By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker may cause the disclosure of sensitive information and arbitrary code execution with elevated privileges. This update addresses the issues by making QuickTime for Java no longer accessible to untrusted Java applets.

CVE-2007-4672: A stack buffer overflow exists in PICT image processing. By enticing a user to open a maliciously crafted image, an attacker may cause an unexpected application termination or arbitrary code execution.

CVE-2007-4676: A heap buffer overflow exists in PICT image processing. By enticing a user to open a maliciously crafted image, an attacker may cause an unexpected application termination or arbitrary code execution.

CVE-2007-4675: A heap buffer overflow exists in QuickTime's handling of panorama sample atoms in QTVR (QuickTime Virtual Reality) movie files. By enticing a user to view a maliciously crafted QTVR file, an attacker may cause an unexpected application termination or arbitrary code execution.

CVE-2007-4677: A heap buffer overflow exists in the parsing of the color table atom when opening a movie file. By enticing a user to open a maliciously crafted movie file, an attacker may cause an unexpected application termination or arbitrary code execution.
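Five of the seven fixes above are buffer overflows in atom parsing (STSD, panorama sample and color table atoms, plus the image description atoms). The common root is a parser trusting a length field read from the file. The following is an added illustration, not Apple's code and not derived from the QuickTime 7.3 patch: it walks QuickTime/ISO-style atoms (a big-endian 32-bit size that counts its own 8-byte header, then a four-character type; size 1 means a 64-bit extended size follows, size 0 means "to end of data") and shows the checks a parser needs before it honours a declared size. The sample buffers are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Parsed view of one atom header (example code, not Apple's). */
typedef struct {
    char     type[5];      /* four-character code, NUL-terminated */
    uint64_t payload_len;  /* bytes of payload after the header */
    size_t   header_len;   /* 8, or 16 when the 64-bit extended size is used */
} atom_hdr;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static uint64_t be64(const uint8_t *p) {
    return ((uint64_t)be32(p) << 32) | be32(p + 4);
}

/* Parse the atom header at buf[0..avail). Returns 0 on success, -1 when the
 * declared size cannot be trusted: smaller than its own header, or larger
 * than the data actually present. Skipping these two comparisons is the
 * pattern behind the "crafted movie file" overflows in the advisory. */
int parse_atom_header(const uint8_t *buf, size_t avail, atom_hdr *out) {
    if (avail < 8) return -1;                  /* not even a full header */
    uint64_t size = be32(buf);
    size_t hdr = 8;
    if (size == 1) {                           /* extended 64-bit size */
        if (avail < 16) return -1;
        size = be64(buf + 8);
        hdr = 16;
    } else if (size == 0) {                    /* atom runs to end of data */
        size = avail;
    }
    if (size < hdr) return -1;                 /* header cannot fit inside itself */
    if (size > avail) return -1;               /* declared size exceeds the buffer */
    memcpy(out->type, buf + 4, 4);
    out->type[4] = '\0';
    out->header_len = hdr;
    out->payload_len = size - hdr;
    return 0;
}

/* Copy an atom's payload into a fixed-size destination, refusing anything
 * that would not fit. Returns bytes copied, or -1 on rejection. */
long copy_atom_payload(const uint8_t *buf, size_t avail, uint8_t *dst, size_t dst_len) {
    atom_hdr h;
    if (parse_atom_header(buf, avail, &h) != 0) return -1;
    if (h.payload_len > dst_len) return -1;    /* destination bound, checked before memcpy */
    memcpy(dst, buf + h.header_len, (size_t)h.payload_len);
    return (long)h.payload_len;
}

/* Walk sibling atoms, returning how many parsed cleanly, or -1 at the first
 * malformed header. */
int count_atoms(const uint8_t *buf, size_t avail) {
    int n = 0;
    size_t off = 0;
    while (off < avail) {
        atom_hdr h;
        if (parse_atom_header(buf + off, avail - off, &h) != 0) return -1;
        off += h.header_len + (size_t)h.payload_len;
        n++;
    }
    return n;
}

/* Constructed sample data: a 12-byte 'ftyp' atom followed by an 8-byte 'free'
 * atom (well-formed), and an 'stsd' atom whose size field claims far more
 * data than exists (malformed). */
static const uint8_t sample_good[] = {
    0, 0, 0, 12, 'f', 't', 'y', 'p', 'q', 't', ' ', ' ',
    0, 0, 0, 8,  'f', 'r', 'e', 'e'
};
static const uint8_t sample_bad[] = {
    0x7f, 0xff, 0xff, 0xff, 's', 't', 's', 'd', 1, 2, 3, 4
};
static uint8_t scratch[16];

int main(void) {
    printf("good buffer: %d atoms\n", count_atoms(sample_good, sizeof sample_good));
    printf("bad buffer:  %d (rejected)\n", count_atoms(sample_bad, sizeof sample_bad));
    return 0;
}
```

The two comparisons in parse_atom_header are the whole point: the size field is attacker-controlled input, so it is validated against both the header it must contain and the bytes actually available before any arithmetic or copy uses it, and copy_atom_payload adds the destination bound as a separate check.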



Talkback

12 comments
  • But is it too late

    Yikes!
    Some of those vulnerabilities are over 6 months old.
    Plus, there is still a critical Java exploit unpatched as well...
    tb01
  • The Java support will be sorely missed - NOT!!!

    JAVA = POS
    jackbond
    • Java well established for enterprise solutions.

      Java may not be very useful in your browser, but it's very well established for enterprise solutions. I can say this because I've been in this industry (enterprise software) for about 15 years now, and this is what you see today.
      kraterz
      • That doesn't mean it is good software.

        Java is always popping up with new vulnerabilities. It seems every time I run a vulnerability scan I have to download and extract a new msi to push and then create a new start/shutdown script to ensure the old version is removed, and when you upgrade to a new version you may break the app that is dependent on it (unless it uses a bundled version).

        Add to that the whole 1.3, 1.4, 1.5 and now 1.6 codepaths - it is a mess.

        I have seen software with far fewer vulnerabilities get removed from distribution trees because of poor programming practices and excessive security advisories.
        Suicida|
    • Maybe not for you

      Just because you don't use Java doesn't mean millions of other people don't use Java. I personally don't use QuickTime so it doesn't matter to me.

      Java is huge in the enterprise space and in the micro-device space. I'll bet your cell phone is java-enabled.

      Java used to be crap, but it's excellent now.
      davidsarmstrong
      • Java is horrible

        Take 1.5 which has 23 advisories since 2003 compare that to .NET 1.1 which has had 7 in the same time frame.

        I never thought I would point to Microsoft in regards to secure code but there you go.

        The worst thing about java vulnerabilities is that most people just upgrade and never remove the vulnerable versions.

        I don't mean to hate on Java; I love that I can have a web app that will work on Linux, Windows, BSD and OSX. But I agree with Apple's decision: no need to integrate software with as horrible a security record as Java into your product and introduce additional attack vectors.
        Suicida|
        • .Net and Security

          First, MS is known for not issuing a security advisory until they have a fix. It's closed source so you will never know it has a hole until it has been exploited. The source to Java is open (always has been) so most Java advisories have no known exploits.

          Believing that ANY MS code is secure displays a certain amount of wishful thinking, IMHO.
          davidsarmstrong
  • Apple's Quicktime is the problem, not Java

    And considering that Java is the most-used programming language (21%) and that .net is in a backwater (4%) - source: http://www.tiobe.com/tpci.htm - it's not surprising that it gets more attention from the hackers.
    javarunner
  • Java is popular because it is excellent

    1.2, 1.3, 1.4 to Java 6 is the evolution path. Each version was used for more than three years by millions of organisations. It provides an easy, flexible and safe programming language.

    Which OS, which development platform has no vulnerabilities? Java has the best track record in this. Vulnerabilities are handled in an open way and quickly fixed.
    Van Der
  • No Java love here.

    Look Java is a beautiful object oriented language.

    That being said, Java was Scott McNealy's attempt to displace Windows on the desktop. And it failed, mostly due to lack of bandwidth and poor performance of the JVM. As a sysadmin I have had way too many problems with the JVM: incompatibilities breaking enterprise apps (ADP), breaking servers (APC PowerChute), and installing that stupid toolbar every time it updates (seems like every month).

    If a software provider tells me he has a Java based app, I move him to the bottom of the list. I run a Windows shop with Windows desktops. Give me a .net app, or at least one optimized for windows. Why would I want a compromise?
    pmcgrath@...
  • Am I missing something?

    In CVE-2007-3751:
    > This update addresses the issues by making
    > QuickTime for Java no longer accessible to untrusted
    > Java applets.

    So is qt for java "nuked" for everybody, including trusted
    applets and SE apps, or just for untrusted applets?
    Robert Kohlenberger
  • Java is not the choice for consumer app... yet

    Although hopefully one day it will.

    AFAIK, there is no problem with Java backward compatibility. Must be something I missed.

    Java is great for a lot of other stuff, except of course consumer apps. Can't deny that.
    fadzlan@...