Apple patches (CanSecWest) QuickTime hole

Apple patches (CanSecWest) QuickTime hole

Summary: Apple has released QuickTime 7.1.6 to patch the code execution hole discovered by Dino Dai Zovi and exposed during the CanSecWest MacBook hijack contest.


Apple has released QuickTime 7.1.6 to patch the code execution hole discovered by Dino Dai Zovi and exposed during the CanSecWest MacBook hijack contest

The fix comes less than two weeks after the security conference in Vancouver where Dai Zovi teamed up with hacker Shane Macaulay to take control of a 15-inch MacBook Pro machine.

The QuickTime update is available for Mac OS X v10.3.9, Mac OS X v10.4.9, Windows XP SP2 and Windows 2000 SP4.

Apple described the flaw as an implementation issue in QuickTime for Java that may allow reading or writing out of the bounds of the allocated heap.

By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker can trigger the issue which may lead to arbitrary code execution.

The new version of QuickTime will perform  additional bounds checking when creating QTPointerRef objects.

Dai Zovi and TippingPoint's Zero Day Initiative, the company that bought the rights to the flaw information, are prominently credited in Apple's advisory.

Separately, Apple re-released its Security Update 2007-004 to correct two problems that cropped up in AirPort and FTP Server.

Topic: Apple

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Ah great, another 19 MB download

    and yet another chance for them to try to get me to install the QuickTime + iTunes bundle.

    Ugh. Can't they just patch the one file that has the flaw?
    • updates

      For windows, yes you are forced to DL the whole thing. Although you can get quicktime without iTunes. For OSX, as I recall its a patch, and much smaller. Unless this update is different (not on a mac atm to check).
    • Just installed the update

      I just installed the update to QuickTime 7.1.6 and is was a svelte 45.1 mb. The
      update was done through software update


      oh well, at least it's patched (on the OS X side) - still haven't looked for the
      windows patch yet.

      Surely some malcontent will try and use the size of the patch to infer something
      or another.

      (The size could be a side effect of the software being decoupled from the OS, or at
      least being only loosely coupled. i.e. not tightly integrated)
  • OSX hack?

    When the report of this attack on the Macbook came out, there were a lot of people out here saying how OSX was hacked. But now, looking at the information from Apple, it appears that this was an issue on Windows systems as well. So, in truth, OSX has not been violated by this attack, simply QuickTime (yes, I know it is an Apple product).
    • Do you also know that Quicktime is a ....

      .... part of every OSX load? You are splitting hairs!
      • Duh?

        Yes, I know that. I also know that it can be removed. I also know that it can be installed on Windows systems and is by a lot of vendors by default. I also know that the millions of people who use iTunes have it installed on their Windows systems. Therefore, the issue was a Windows security threat just like it was an OSX threat.

        That is all I am saying. To think that this threat was only happening on OSX was completely untrue.
        • Jeesh`

          And it can as easily be removed from Windows.

          What's your point? Is this a QuickTime flaw or what?
          Confused by religion
    • lol

  • Wow. Fixed already! (NT)

    • But how long has it been there?

      Not how long have they known, but how long has it been there and should it have been caught long before the report?
      Confused by religion
      • So what, it's fixed,

        Who cares?

        Who cares about how long any exploits were around, in the past, on any OS. Get over it.
        Kid Icarus-21097050858087920245213802267493
        • Is it?

          Have a 100% of the people with QuickTime loaded updated their systems? The announcement of a patch being available is not indicative of the problem being fixed.
          • DOn't be silly

            of course 100% of the user have not installed the patch, just like 100% of windows users haven't installed SP2.

            5 years from now, both situations will still be true.

            Pick any software. You will never be able to say that 100% of users have done any patch or update.

            But, just like when windows patches are published, the fix exists and users can apply it.

            And, just like windows (linux, etc.) users can choose not to install it.

            It's a silly argument, to throw about the 100% figure.
          • Not any more silly then saying ....

            ... the problem is fixed. Follow the whole thread before you toss in your $ 0.02 worth. You won't look like such a zealot.
          • hit wrong reply button

            I evidently replied to the story instead of you message - see below...
          • Still not sure what your point is.

            Let's see,

            Exploit found, patch released, problem solved, you complain...

            Are you just sour because it took Apple less than two weeks to come out with their patch, are you?

            Sounds like it.
            Kid Icarus-21097050858087920245213802267493
      • Well...

        It appears to have been only noticed as part of the "challenge." To misquote LoveRock or No_Ax (I care less which), it's patched, it's no problem, it would have only possibly have affected a small minority of people who are silly enough to go to dubious websites. It's not a problem, it never was.

        That being said, I think it was a genuine problem and I'm glad it has been fixed.
        • It is good that it is fixed

          Anytime a problem is found and fixed for any OS, that is a positive thing.

          It's no different than when MS makes a fix. The product has gotten better. (Even if you hate OS X, it is an improvement for the users - in this case the fix also affects windows users too)

          I'm one of those affected on both platforms (Windows and OS X) and welcome the fix.
        • no public exploits

          Actually, no. It wouldn't have impacted any users since there were no known exploits in the wild. I would expect to see some very soon now that more technical details have been released about the vulnerability since the patch is out. But before the release of the patch, even visiting dubious websites wasn't worsened by this vulnerability (though they certainly may have been exploiting others!)
          • Not true.

            Exploit code on the Internet was reported before the patch was issued.