Apple patches (CanSecWest) QuickTime hole

Summary: Apple has released QuickTime 7.1.6 to patch the code execution hole discovered by Dino Dai Zovi and exposed during the CanSecWest MacBook hijack contest.

By Ryan Naraine for Zero Day | May 1, 2007 -- 13:32 GMT (06:32 PDT)

Follow @ryanaraine

Apple has released QuickTime 7.1.6 to patch the code execution hole discovered by Dino Dai Zovi and exposed during the CanSecWest MacBook hijack contest.

The fix comes less than two weeks after the security conference in Vancouver where Dai Zovi teamed up with hacker Shane Macaulay to take control of a 15-inch MacBook Pro machine.

The QuickTime update is available for Mac OS X v10.3.9, Mac OS X v10.4.9, Windows XP SP2 and Windows 2000 SP4.

Apple described the flaw as an implementation issue in QuickTime for Java that may allow reading or writing out of the bounds of the allocated heap.

By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker can trigger the issue which may lead to arbitrary code execution.

The new version of QuickTime will perform additional bounds checking when creating QTPointerRef objects.

Dai Zovi and TippingPoint's Zero Day Initiative, the company that bought the rights to the flaw information, are prominently credited in Apple's advisory.

Separately, Apple re-released its Security Update 2007-004 to correct two problems that cropped up in AirPort and FTP Server.

Topic: Apple

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

27 comments

Log in or register to join the discussion

Ah great, another 19 MB download

and yet another chance for them to try to get me to install the QuickTime + iTunes bundle.

Ugh. Can't they just patch the one file that has the flaw?

PB_z
1 May, 2007 14:07

Reply Vote
- updates
  
  For windows, yes you are forced to DL the whole thing. Although you can get quicktime without iTunes. For OSX, as I recall its a patch, and much smaller. Unless this update is different (not on a mac atm to check).
  
  Stuka
  1 May, 2007 14:52
  
  Reply Vote
- Just installed the update
  
  I just installed the update to QuickTime 7.1.6 and is was a svelte 45.1 mb. The
  update was done through software update
  
  Ouch!
  
  oh well, at least it's patched (on the OS X side) - still haven't looked for the
  windows patch yet.
  
  Surely some malcontent will try and use the size of the patch to infer something
  or another.
  
  (The size could be a side effect of the software being decoupled from the OS, or at
  least being only loosely coupled. i.e. not tightly integrated)
  
  woot!
  2 May, 2007 08:59
  
  Reply Vote
OSX hack?

When the report of this attack on the Macbook came out, there were a lot of people out here saying how OSX was hacked. But now, looking at the information from Apple, it appears that this was an issue on Windows systems as well. So, in truth, OSX has not been violated by this attack, simply QuickTime (yes, I know it is an Apple product).

fizzmaster
1 May, 2007 14:35

Reply Vote
- Do you also know that Quicktime is a ....
  
  .... part of every OSX load? You are splitting hairs!
  
  ShadeTree
  1 May, 2007 14:42
  
  Reply Vote
  - Duh?
    
    Yes, I know that. I also know that it can be removed. I also know that it can be installed on Windows systems and is by a lot of vendors by default. I also know that the millions of people who use iTunes have it installed on their Windows systems. Therefore, the issue was a Windows security threat just like it was an OSX threat.
    
    That is all I am saying. To think that this threat was only happening on OSX was completely untrue.
    
    fizzmaster
    1 May, 2007 14:46
    
    Reply Vote
    - Jeesh`
      
      And it can as easily be removed from Windows.
      
      What's your point? Is this a QuickTime flaw or what?
      
      Confused by religion
      1 May, 2007 14:53
      
      Reply Vote
- lol
  
  Hilarious.
  
  toadlife
  1 May, 2007 15:22
  
  Reply Vote
Wow. Fixed already! (NT)

(NT)

People
1 May, 2007 14:51

Reply Vote
- But how long has it been there?
  
  Not how long have they known, but how long has it been there and should it have been caught long before the report?
  
  Confused by religion
  1 May, 2007 16:13
  
  Reply Vote
  - So what, it's fixed,
    
    Who cares?
    
    Who cares about how long any exploits were around, in the past, on any OS. Get over it.
    
    Kid Icarus-21097050858087920245213802267493
    1 May, 2007 20:30
    
    Reply Vote
    - Is it?
      
      Have a 100% of the people with QuickTime loaded updated their systems? The announcement of a patch being available is not indicative of the problem being fixed.
      
      ShadeTree
      2 May, 2007 05:40
      
      Reply Vote
      - DOn't be silly
        
        of course 100% of the user have not installed the patch, just like 100% of windows users haven't installed SP2.
        
        5 years from now, both situations will still be true.
        
        Pick any software. You will never be able to say that 100% of users have done any patch or update.
        
        But, just like when windows patches are published, the fix exists and users can apply it.
        
        And, just like windows (linux, etc.) users can choose not to install it.
        
        It's a silly argument, to throw about the 100% figure.
        
        woot!
        2 May, 2007 06:57
        
        Reply Vote
      - Not any more silly then saying ....
        
        ... the problem is fixed. Follow the whole thread before you toss in your $ 0.02 worth. You won't look like such a zealot.
        
        ShadeTree
        2 May, 2007 07:36
        
        Reply Vote
      - hit wrong reply button
        
        I evidently replied to the story instead of you message - see below...
        
        woot!
        2 May, 2007 07:55
        
        Reply Vote
      - Still not sure what your point is.
        
        Let's see,
        
        Exploit found, patch released, problem solved, you complain...
        
        Are you just sour because it took Apple less than two weeks to come out with their patch, are you?
        
        Sounds like it.
        
        Kid Icarus-21097050858087920245213802267493
        2 May, 2007 10:15
        
        Reply Vote
  - Well...
    
    It appears to have been only noticed as part of the "challenge." To misquote LoveRock or No_Ax (I care less which), it's patched, it's no problem, it would have only possibly have affected a small minority of people who are silly enough to go to dubious websites. It's not a problem, it never was.
    
    That being said, I think it was a genuine problem and I'm glad it has been fixed.
    
    zkiwi
    2 May, 2007 07:42
    
    Reply Vote
    - It is good that it is fixed
      
      Anytime a problem is found and fixed for any OS, that is a positive thing.
      
      It's no different than when MS makes a fix. The product has gotten better. (Even if you hate OS X, it is an improvement for the users - in this case the fix also affects windows users too)
      
      I'm one of those affected on both platforms (Windows and OS X) and welcome the fix.
      
      woot!
      2 May, 2007 07:53
      
      Reply Vote
    - no public exploits
      
      Actually, no. It wouldn't have impacted any users since there were no known exploits in the wild. I would expect to see some very soon now that more technical details have been released about the vulnerability since the patch is out. But before the release of the patch, even visiting dubious websites wasn't worsened by this vulnerability (though they certainly may have been exploiting others!)
      
      jwiens
      3 May, 2007 06:16
      
      Reply Vote
      - Not true.
        
        Exploit code on the Internet was reported before the patch was issued.
        
        ShadeTree
        3 May, 2007 06:32
        
        Reply Vote