
Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Apple QuickTime flaws haunt Windows users

By | August 3, 2011, 7:21pm PDT

Summary: Apple fixes 14 security holes that could be remotely exploitable via rigged movie files. Some of the vulnerabilities only affect Windows systems.

Apple has shipped a high-priority QuickTime update to fix at least 14 security holes that expose computer users to hacker attacks.

The QuickTime 7.7 update, available for both Windows and Mac OS X, addresses flaws that could be exploited via rigged image, audio and movie files.

According to an advisory from Apple, some of the flaws could lead to remote code execution attacks if a user is tricked into clicking on a booby-trapped web site or into opening a special media file.

Some of the more serious issues:

  • A buffer overflow existed in QuickTime’s handling of pict files. Viewing a maliciously crafted pict file may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. This issue does not affect Mac OS X v10.7 systems.
  • Multiple memory corruption issues existed in QuickTime’s handling of JPEG2000 images. Viewing a maliciously crafted JPEG2000 image with QuickTime may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.7. This issue does not affect Mac OS X v10.7 systems.
  • An integer overflow existed in QuickTime’s handling of RIFF WAV files. Playing a maliciously crafted WAV file may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. This issue does not affect Mac OS X v10.7 systems.
  • A memory corruption issue existed in QuickTime’s handling of sample tables in QuickTime movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. This issue does not affect Mac OS X v10.7 systems.
  • An integer overflow existed in QuickTime’s handling of audio channels in movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. This issue does not affect Mac OS X v10.7 systems.
  • A buffer overflow existed in QuickTime’s handling of JPEG files. Viewing a maliciously crafted JPEG file may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8.
  • A heap buffer overflow existed in QuickTime’s handling of GIF images. Viewing a maliciously crafted GIF image may lead to an unexpected application termination or arbitrary code execution. This issue does not affect Mac OS X systems.
  • Multiple stack buffer overflows existed in the handling of H.264 encoded movie files. Viewing a maliciously crafted H.264 movie file may lead to an unexpected application termination or arbitrary code execution. These issues do not affect Mac OS X systems.
  • A stack buffer overflow existed in the QuickTime ActiveX control’s handling of QTL files. Visiting a maliciously crafted website using Internet Explorer may lead to an unexpected application termination or arbitrary code execution. This issue does not affect Mac OS X systems.
  • A heap buffer overflow existed in the handling of STSC atoms in QuickTime movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue does not affect Mac OS X v10.7 systems.
  • A heap buffer overflow existed in the handling of STSS atoms in QuickTime movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue does not affect Mac OS X v10.7 systems.
  • A heap buffer overflow existed in the handling of STSZ atoms in QuickTime movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue does not affect Mac OS X v10.7 systems.
  • A heap buffer overflow existed in the handling of STTS atoms in QuickTime movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue does not affect Mac OS X v10.7 systems.


Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Nothing haunting me here. Got rid of Quicktime years ago. Seriously, what service still uses Quicktime? It's been ages since I've come across a webpage that requires it.

It's time for Apple to just get rid of that garbage.
@Cylon Centurion

Uh iTunes on windows still requires it and macs still come with it and also the apple website I believe still uses it
@Knix96

That is one of the reasons why iTunes remains on my **** list.
@Knix96 Apple has no incentive to fix iTunes for windows. As long as it remains popular and a way to foist malware onto Windows users, it will continue to make Windows look bad.
@Knix96
iTunes....10x worse than QT. If there are any more memory leaks in iTunes it will end up on my keyboard. It's probably the worst piece of spyware on the planet. Seriously, I uninstall it and my firewall catches other components trying to talk to the mother ship that is apple HQ. What the heck. So glad that junk is no longer on my machine.
That is one of the reasons why iTunes remains on my **** list.

Then why worry about it. You don't use it so it doesn't affect you.
@Cylon Centurion

Yes most of us discovered Apple's limited software development ability some time ago, when they got rid of Quicktime from their Windows boxes. Who knows, it may have been deliberate wink Next to Java as the most useless software on a Windows computer.
@tonymcs@...

Java is only useful for playing Minecraft. Otherwise, no one needs that too.
RE: Apple QuickTime flaws haunt Windows users
PollyProteus Updated - 4th Aug
@Cylon Centurion

A lot of software development the DOD does is in Java. Not the best choice in my opinion but it makes it easier for the developers to push out software that works (sort of) on any OS.
@tonymcs@...

Part of the problem with Java is a lot of people just do it wrong. People assume that because Java has a garbage collector they don't need to worry about cleaning up references to objects... They say you don't have to worry about memory leaks in Java, but that's just a lie. If you keep around a reference to an object that you're not using, the garbage collector doesn't know you're not using it because there's still a reference. Another thing people do is they mix Swing and AWT in highly inappropriate ways that result in window positionings being off, transparent graphics not showing up right, menus appearing behind windows in some cases... The list goes on. I think the biggest detriment to Java's good name are hackish programmers.

The other thing is Java applets suck because they have the browser around them. Webstart is a lot better because it gives you a way to distribute applications over the web and have them behave like desktop applications. We distribute some of our internal business applications as JNLP (webstart) rather than activeX because they work across multiple platforms and still give you a native application feel. Webstart is a lot more compelling than activeX, and if Sun had just built webstart in the first place rather than Applets, Java would be a lot better off.
Java is only useful for playing Minecraft. Otherwise, no one needs that too.

Ho ho. I still do have a couple of programs that use it. Along with .NET.

I dump both of 'em if there's a better alternative.
@Cylon Centurion
Almost every patch is for a buffer overflow! With all of the patches in the past, in every OS created, you would think by now, these software developers would make it a point to check for this kind of error! And they get paid for this!
I wouldn't be surprised in the least if apple purposely left holes in windows software to make themselves look better.
@Nate_K - I've been saying that for years about Apple. It also wouldn't surprise me to find that anti-virus companies (norton/symantec and a few others) actually encourage virus and malware writers to do their thing just so those A/V companies can continue to have a cash cow.
@PollyProteus Except, you know, a lot of the newer malware makes Antivirus useless.
Phew,

security advice has now been delivered by mail to all three users.
I say this without proof, so it is just my opinion. But if you are Apple, why would you care if you put unsecure software on a competitor's OS that erodes people's confidence in the competitor's OS (since they will never know that the malware got on the computer because of Apple's software).

I have always used Windows and that is why I do not use Apple's products on my computers that stay remarkably malware free. Not saying that it is the reason they are malware free, but that it could be.
RE: Apple QuickTime flaws haunt Windows users
partman1969@... Updated - 4th Aug
@rmark@...
Funny I have iTunes and Quicktime on my 4 Windows boxes (3 of which I stream to theater systems and televisions) and MacBook Pro, and I never get viruses either. I guess Security Essentials and proper web surfing etiquette are really all that are necessary to stay out of virus and malware Hell. I just wish Media Center 7 could stream to my Macbook Pro like my Xbox and other PCs. I'd be on the patio watching high def cable.
@partman1969@...
We Windows users come in two flavors. Those who are certain that they haven't been exploited, those who are certain that they are safe from exploits, and those who are almost certainly wrong.

(Apple software in the Windows environment notwithstanding)

As an aside, the Apple site still references ver 7.6.9 as the version for download.
@rmark@... same with me, no Apple stuff in my Windows ecosystem. It's not required, and seems to be purposefully made to make Windows look bad
@rmark@... Exactly.
Doesn't Apple get it? Plugins are evil~.... =D
@cardinal4
I'll second that. Adobe Flash, comes to mind.
@cardinal4 Quicktime on Windows is even worse than Flash Player on Mac - Slow, unstable, and full of holes
@Samic
Flash Player works fine on Mac computers. Only iOS devices lack the codec package, however no matter what operating system you use Flash is still a resource hog.
No biggie
rengek 4th Aug
I stopped using that gigantic bloatware quicktime years ago. There are so many more players that work better and with a much smaller footprint and wider format compatibility. QT feels like dos.

I like how apple users will blame windows for this. But yet when it comes to flash, it's not the OS's fault but the software. hmmmm. But that should not surprise any non ifanatic.
I'd like to get QuickTime 7.7 (but only because Apple has forced me to use iTunes + QT to use my iPod) BUT..... the Apple download website ATM only offers up the OLD version 7.6.9 ( http://www.apple.com/quicktime/download/ and http://support.apple.com/kb/DL837), even though this ZDNet blog and Apple itself ( http://support.apple.com/kb/HT1222) have announced the new version 7.7. Way to go/fail Apple..........
Tip for Windows users
BMaytum Updated - 4th Aug
A bit off-topic but worth mentioning here:
IF you (like me) are stuck having to install iTunes (+ mandatory QuickTime) under Windows e.g. to access & manage your iPod, but you don't need to synch or stream to any i-Thinggy, be sure to read Ed Bott's excellent blog from Sept. 2010 http://www.zdnet.com/blog/bott/the-unofficial-guide-to-installing-itunes-10-without-bloatware/2390?tag=mantle_skin;content . It'll show you how to avoid all the unnecessary bloatware that is packed into the iTunes+QuickTime installer.

Thanks Ed!
