Zero Day

Ryan Naraine and Dancho Danchev

Apple QuickTime flaws puts Windows users at risk

By Ryan Naraine | September 15, 2010, 2:04pm PDT

Summary: The QuickTime 7.6.8 update patches vulnerabilities that could be exploited in drive-by downloads (via rigged Web sites) and via booby-trapped image files.

Apple has released a critical QuickTime media player update to fix a pair of gaping security holes that expose Windows users to code execution attacks.

The QuickTime 7.6.8 update, available for Windows 7, Windows Vista and Windows XP users, patches vulnerabilities that could be exploited in drive-by downloads (via rigged Web sites) and via booby-trapped image files.

The skinny:

  • An input validation issue exists in the QuickTime ActiveX control. An optional parameter ‘_Marshaled_pUnk’ may be passed to the ActiveX control to specify an arbitrary integer that is later treated as a pointer. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed by ignoring the ‘_Marshaled_pUnk’ parameter. This issue does not affect Mac OS X systems.
  • A path searching issue exists in QuickTime Picture Viewer. If an attacker places a maliciously crafted DLL in the same directory as an image file, opening the image file with QuickTime Picture Viewer may lead to arbitrary code execution. This issue is addressed by removing the current working directory from the DLL search path. This issue does not affect Mac OS X systems.
More information in this Apple advisory.
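The second issue depends on a DLL sitting in the same folder as the image that gets opened, so a defender can hunt for that layout in download folders, extracted archives and file shares. The triage script below is an added example, not code from the article or from Apple; the extension list, folder names and sample files are constructed assumptions.

```python
import hashlib
import os
import tempfile

# Assumption: image types a viewer might be launched on; adjust to local file associations.
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".tif", ".tiff", ".pct", ".pict"}

def find_colocated_dlls(root):
    """Return one finding per DLL that shares a directory with at least one image file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        images = sorted(f for f in files if os.path.splitext(f)[1].lower() in IMAGE_EXTS)
        if not images:
            continue  # no image here, so opening an image cannot pull a DLL from this folder
        for dll in sorted(f for f in files if f.lower().endswith(".dll")):
            path = os.path.join(dirpath, dll)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            # Hash and neighbouring images give the analyst enough to look the file up
            findings.append({"dll": path, "sha256": digest, "images": images})
    return findings

def build_sample_tree(base):
    """Constructed sample layout: a share folder mixing an image and a DLL,
    an ordinary program folder, and a pictures folder with no DLL."""
    layout = {
        "share/photos": ["holiday.jpg", "helper.dll"],
        "apps/tool": ["tool.exe", "tool.dll"],
        "pictures": ["cat.png"],
    }
    for rel, names in layout.items():
        folder = os.path.join(base, *rel.split("/"))
        os.makedirs(folder)
        for name in names:
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(b"constructed sample: " + name.encode())
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for hit in find_colocated_dlls(build_sample_tree(tmp)):
            print(hit["dll"], hit["sha256"][:16], "next to", ", ".join(hit["images"]))
```

A hit is a lead for review rather than a verdict: program folders that legitimately ship images beside their own DLLs will also match.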


Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a security evangelist. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Talkback Most Recent of 27 Talkback(s)

  • RE: Apple QuickTime flaws puts Windows users at risk
    Every week there is a new flaw in Quicktime being reported. Apple just doesn't know how to write software for Microsoft Windows.
    Loverock Davidson
    15th Sep 2010
  • RE: Apple QuickTime flaws puts Windows users at risk
    @Loverock Davidson

    I'm sure you have a software portfolio that you've written for Windows so that Apple can see how "it's done". If not, talk is cheap.

    Vulnerabilities exist on all platforms, period, 'nuff said.

    -M
    betelgeuse68
    15th Sep 2010
  • RE: Apple QuickTime flaws puts Windows users at risk
    @betelgeuse68
    In fairness, you don't need to be an automotive engineer to know that your brakes are failing. Apple has a bad track record of writing pretty bad software for Windows. iTunes is a complete dog of an application with a huge memory footprint, a large download size, and in at least one instance (anecdotal) has corrupted a user's MBR. You can get a lot more functionality without the headache using MediaMonkey, or foobar. In the instance of QuickTime, VLC works much better.
    coprenicuz
    15th Sep 2010
  • RE: Apple QuickTime flaws puts Windows users at risk
    @Loverock Davidson
    Every week we read about other vendors with their OS and program issues as well.

    As you would say, "it is patched nothing to see here, folks move on".

    As software becomes more complex more issues will surface; all vendors have the same issues. Anyone can be a Monday morning quarterback spouting nonsense. You should attempt to offer something helpful.
    BubbaJones_
    15th Sep 2010
  • RE: Apple QuickTime flaws puts Windows users at risk
    @Loverock Davidson

    "I gotta say, I like seeing the exploiters behind the times though. They can't make an exploit until after they get some details and after" Apple "fixes the issues. Always one step behind."
    msalzberg
    16th Sep 2010
  • RE: Apple QuickTime flaws puts Windows users at risk
    Neither does Microsoft, it seems.
    john_gillespie@...
    16th Sep 2010
  • RE: Apple QuickTime flaws puts Windows users at risk
    @Loverock Davidson Well, they are not alone; neither does Adobe or anyone else.
    mrlinux
    16th Sep 2010
  • Quicktime on Windows is a Misnomer... should be Quittime!
    @Loverock Davidson Soooooo.... Sloooooow opening and still has the same interface from 1984 vintage Apple. It's like Volkswagen; you always knew what they were, just not the year. Oh... the tail lights are a half inch larger on newest ones and those could be for 10yrs. Some say Quicktime versions are like Chinese People's Army. You can't tell 'em apart year to year version to version!!! haha... updates to fix flaws it's always had never seem to come. But yet Apple wants more for a premium version that is still messed up and even with the nagware removed! .....but Apple will still tell you it's the Special Windows Version! lol..
    i2fun@...
    18th Sep 2010
  • Funny, just recently there was a cry for "More Apple software for Windows",
    when what is really needed is simply better Apple software for Windows.
    SonofaSailor
    15th Sep 2010
  • To be fair
    @SonofaSailor
    The article stated that the two attack vectors were through ActiveX and DLL code segments, both components of MS Windows operating systems. If Apple codes an application to run under Windows, a fair chance exists that ActiveX and DLL code segments would be required, which might result in possible attack vector opportunities.
    kenosha77a
    15th Sep 2010
  • RE: Apple QuickTime flaws puts Windows users at risk
    @kenosha7777

    Just demonstrated your ignorance I'm afraid.
    tonymcs@...
    15th Sep 2010
  • RE: Apple QuickTime flaws puts Windows users at risk
    Just demonstrated your ignorance I'm afraid.

    @tonymcs@...

    How so? Care to back that up? Or is this a typical non-statement from you?
    ahh so
    17th Sep 2010
  • Good luck with that.
    @SonofaSailor

    All you'll get out of Apple is them trying to sell you a Mac and some ******** as to why they can't write good better software for Windows.
    Cylon Centurion
    15th Sep 2010
  • Aaaaah Quicktime
    It's been a thorn in the side of Windows users for years, as well as a fertile site for exploits. It was even more a pain in Win 3.1.

    Just say NO. Windows Media Player, Silverlight, Flash and VLC can cover all your media needs as there's nothing useful encoded in Quicktime that doesn't exist in another format. Anyway I thought we were moving towards H264 video and you certainly don't need Apple's media player, which seems to be built out of chewing gum and string.

    What is worrying is the ‘_Marshaled_pUnk’ parameter - sounds more like a programmer back door than anything else wink
    tonymcs@...
    15th Sep 2010
  • RE: Apple QuickTime flaws puts Windows users at risk
    Did you know that MS bought the company that wrote the base codex for QT and that MS used that same code for WMP?
    john_gillespie@...
    16th Sep 2010
