Apple QuickTime flaws haunt Windows users

Summary: Apple fixes 14 security holes that could be remotely exploitable via rigged movie files. Some of the vulnerabilities only affect Windows systems.

Apple has shipped a high-priority QuickTime update to fix at least 14 security holes that expose computer users to hacker attacks.

The QuickTime 7.7 update, available for both Windows and Mac OS X, addresses flaws that could be exploited via rigged image, audio and movie files.

According to an advisory from Apple, some of the flaws could lead to remote code execution attacks if a user is tricked into clicking on a booby-trapped web site or into opening a special media file.

Some of the more serious issues:

  • A buffer overflow existed in QuickTime's handling of pict files. Viewing a maliciously crafted pict file may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. This issue does not affect Mac OS X v10.7 systems.
  • Multiple memory corruption issues existed in QuickTime's handling of JPEG2000 images. Viewing a maliciously crafted JPEG2000 image with QuickTime may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.7. This issue does not affect Mac OS X v10.7 systems.
  • An integer overflow existed in QuickTime's handling of RIFF WAV files. Playing a maliciously crafted WAV file may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. This issue does not affect Mac OS X v10.7 systems.
  • A memory corruption issue existed in QuickTime's handling of sample tables in QuickTime movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. This issue does not affect Mac OS X v10.7 systems.
  • An integer overflow existed in QuickTime's handling of audio channels in movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. This issue does not affect Mac OS X v10.7 systems.
  • A buffer overflow existed in QuickTime's handling of JPEG files. Viewing a maliciously crafted JPEG file may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8.
  • A heap buffer overflow existed in QuickTime's handling of GIF images. Viewing a maliciously crafted GIF image may lead to an unexpected application termination or arbitrary code execution. This issue does not affect Mac OS X systems.
  • Multiple stack buffer overflows existed in the handling of H.264 encoded movie files. Viewing a maliciously crafted H.264 movie file may lead to an unexpected application termination or arbitrary code execution. These issues do not affect Mac OS X systems.
  • A stack buffer overflow existed in the QuickTime ActiveX control's handling of QTL files. Visiting a maliciously crafted website using Internet Explorer may lead to an unexpected application termination or arbitrary code execution. This issue does not affect Mac OS X systems.
  • A heap buffer overflow existed in the handling of STSC atoms in QuickTime movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue does not affect Mac OS X v10.7 systems.
  • A heap buffer overflow existed in the handling of STSS atoms in QuickTime movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue does not affect Mac OS X v10.7 systems.
  • A heap buffer overflow existed in the handling of STSZ atoms in QuickTime movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue does not affect Mac OS X v10.7 systems.
  • A heap buffer overflow existed in the handling of STTS atoms in QuickTime movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue does not affect Mac OS X v10.7 systems.
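
The advisory gives no root cause for the STSC, STSS, STSZ and STTS atom issues listed above. As an added example (not code from Apple or from this article), here is the bounds check a parser for these sample-table atoms generally needs, assuming the standard QuickTime atom layout; `check_sample_table` and the sample byte arrays are hypothetical names constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* QuickTime atom fields are big-endian. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Bytes per table entry for each sample-table atom; 0 = not handled here. */
static uint32_t entry_size(const uint8_t *type) {
    if (!memcmp(type, "stts", 4)) return 8;   /* sample count, duration */
    if (!memcmp(type, "stsc", 4)) return 12;  /* first chunk, samples/chunk, desc id */
    if (!memcmp(type, "stss", 4)) return 4;   /* sync sample number */
    if (!memcmp(type, "stsz", 4)) return 4;   /* per-sample size */
    return 0;
}

/* Hypothetical helper: 0 if the atom's declared entry count fits inside the
 * atom and the atom fits inside the avail bytes remaining, else -1. */
int check_sample_table(const uint8_t *buf, size_t avail) {
    if (avail < 16) return -1;            /* size, type, version/flags, count */
    uint32_t atom_size = be32(buf);
    uint32_t esz = entry_size(buf + 4);
    if (esz == 0 || atom_size < 16 || atom_size > avail) return -1;

    size_t off = 12;                      /* past size(4) type(4) version/flags(4) */
    int uniform = 0;
    if (!memcmp(buf + 4, "stsz", 4)) {    /* stsz carries a sample-size field first */
        if (atom_size < 20) return -1;
        uniform = be32(buf + off) != 0;   /* non-zero: no per-sample table follows */
        off += 4;
    }
    uint32_t count = be32(buf + off);
    off += 4;
    if (uniform) return 0;
    /* Divide rather than multiply, so count * esz can never wrap around. */
    return count > (atom_size - off) / esz ? -1 : 0;
}

/* Constructed samples: a one-entry stts atom, and the same atom claiming
 * 0x20000001 entries (0x20000001 * 8 wraps to 8 in 32-bit arithmetic). */
const uint8_t SAMPLE_OK[24]   = {0,0,0,24,'s','t','t','s',0,0,0,0,
                                 0,0,0,1, 0,0,0,1, 0,0,0,10};
const uint8_t SAMPLE_WRAP[24] = {0,0,0,24,'s','t','t','s',0,0,0,0,
                                 0x20,0,0,1, 0,0,0,1, 0,0,0,10};
```

A check written as `count * 8 <= atom_size - 16` in 32-bit arithmetic would accept the second sample, which is why the comparison divides the space available instead of multiplying the attacker-controlled count.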

Talkback

28 comments
  • RE: Apple QuickTime flaws haunt Windows users

    Nothing haunting me here. Got rid of Quicktime years ago. Seriously, what service still uses Quicktime? It's been ages since I've come across a webpage that requires it.

    It's time for Apple to just get rid of that garbage.
    The one and only, Cylon Centurion
    • RE: Apple QuickTime flaws haunt Windows users

      @Cylon Centurion

      Uh iTunes on windows still requires it and macs still come with it and also the apple website I believe still uses it
      Viper589
      • RE: Apple QuickTime flaws haunt Windows users

        @Knix96

        That is one of the reasons why iTunes remains on my **** list.
        The one and only, Cylon Centurion
      • RE: Apple QuickTime flaws haunt Windows users

        @Knix96 Apple has no incentive to fix iTunes for windows. As long as it remains popular and a way to foist malware onto Windows users, it will continue to make Windows look bad.
        snoop0x7b
      • RE: Apple QuickTime flaws haunt Windows users

        @Knix96
        iTunes....10x worse than QT. If there are any more memory leaks in iTunes it will end up on my keyboard. It's probably the worst piece of spyware on the planet. Seriously, I uninstall it and my firewall catches other components trying to talk to the mother ship that is apple HQ. What the heck. So glad that junk is no longer on my machine.
        rengek
      • RE: Apple QuickTime flaws haunt Windows users

        [i]That is one of the reasons why iTunes remains on my **** list.[/i]

        Then why worry about it. You don't use it so it doesn't affect you.
        ScorpioBlue
    • RE: Apple QuickTime flaws haunt Windows users

      @Cylon Centurion

      Yes most of us discovered Apple's limited software development ability some time ago, when they got rid of Quicktime from their Windows boxes. Who knows, it may have been deliberate ;-) Next to Java as the most useless software on a Windows computer.
      tonymcs@...
      • RE: Apple QuickTime flaws haunt Windows users

        @tonymcs@...

        Java is only useful for playing Minecraft. Otherwise, no one needs that too.
        The one and only, Cylon Centurion
      • RE: Apple QuickTime flaws haunt Windows users

        @Cylon Centurion

        A lot of software development the DOD does is in Java. Not the best choice in my opinion but it makes it easier for the developers to push out software that works (sort of) on any OS.
        PollyProteus
      • RE: Apple QuickTime flaws haunt Windows users

        @tonymcs@...

        Part of the problem with Java is a lot of people just do it wrong. People assume that because Java has a garbage collector they don't need to worry about cleaning up references to objects... They say you don't have to worry about memory leaks in Java, but that's just a lie. If you keep around a reference to an object that you're not using, the garbage collector doesn't know you're not using it because there's still a reference. Another thing people do is they mix Swing and AWT in highly inappropriate ways that result in window positionings being off, transparent graphics not showing up right, menus appearing behind windows in some cases... The list goes on. I think the biggest detriment to Java's good name are hackish programmers.

        The other thing is Java applets suck because they have the browser around them. Webstart is a lot better because it gives you a way to distribute applications over the web and have them behave like desktop applications. We distribute some of our internal business applications as JNLP (webstart) rather than activeX because they work across multiple platforms and still give you a native application feel. Webstart is a lot more compelling than activeX, and if Sun had just built webstart in the first place rather than Applets, Java would be a lot better off.
        snoop0x7b
      • RE: Apple QuickTime flaws haunt Windows users

        [i]Java is only useful for playing Minecraft. Otherwise, no one needs that too.[/i]

        Ho ho. I still do have a couple of programs that use it. Along with .NET.

        I dump both of 'em if there's a better alternative.
        ScorpioBlue
    • RE: Apple QuickTime flaws haunt Windows users

      @Cylon Centurion
      Almost every patch is for a buffer overflow! With all of the patches in the past, in every OS created, you would think by now, these software developers would make it a point to check for this kind of error! And they get paid for this!
      linux for me
  • RE: Apple QuickTime flaws haunt Windows users

    I wouldn't be surprised in the least if apple purposely left holes in windows software to make themselves look better.
    Nate_K
    • RE: Apple QuickTime flaws haunt Windows users

      @Nate_K - I've been saying that for years about Apple. It also wouldn't surprise me to find that anti-virus companies (norton/symantec and a few others) actually encourage virus and malware writers to do their thing just so those A/V companies can continue to have a cash cow.
      PollyProteus
      • RE: Apple QuickTime flaws haunt Windows users

        @PollyProteus Except, you know, a lot of the newer malware makes Antivirus useless.
        Aerowind
  • One user turned out to be someone's cat.

    Phew,

    security advice has now been delivered by mail to all three users.
    albionstreet
  • RE: Apple QuickTime flaws haunt Windows users

    I say this without proof, so it is just my opinion. But if you are Apple, why would you care if you put unsecure software on a competitor's OS that erodes people's confidence in the competitor's OS (since they will never know that the malware got on the computer because of Apple's software).

    I have always used Windows and that is why I do not use Apple's products on my computers that stay remarkably malware free. Not saying that it is the reason they are malware free, but that it could be.
    rmark@...
    • RE: Apple QuickTime flaws haunt Windows users

      @rmark@...
      Funny I have iTunes and Quicktime on my 4 Windows boxes (3 of which I stream to theater systems and televisions) and MacBook Pro, and I never get viruses either. I guess Security Essentials and proper web surfing etiquette are really all that are necessary to stay out of virus and malware Hell. I just wish Media Center 7 could stream to my Macbook Pro like my Xbox and other PCs. I'd be on the patio watching high def cable.
      partman1969@...
      • RE: Apple QuickTime flaws haunt Windows users

        @partman1969@...
        We Windows users come in two flavors. Those who are certain that they haven't been exploited, those who are certain that they are safe from exploits, and those who are almost certainly wrong.

        (Apple software in the Windows environment notwithstanding)

        As an aside, the Apple site still references ver 7.6.9 as the version for download.
        ghastly
    • RE: Apple QuickTime flaws haunt Windows users

      @rmark@... same with me, no Apple stuff in my Windows ecosystem. It's not required, and seems to be purposefully made to look Windows bad
      ninjacut