Apple QuickTime under siege

Summary: Not counting silent (undocumented) fixes, Apple has patched at least 32 security flaws affecting QuickTime in 2007. Last year, the QuickTime patch count was 28. Five were documented in 2005. There's no real end in sight...

Not counting silent (undocumented) fixes, Apple has patched at least 32 security flaws affecting QuickTime in 2007. Last year, the QuickTime patch count was 28. Five were documented in 2005.

Judging by the public release of details -- and exploit code -- for zero-day flaws affecting the company's flagship media player, it looks like the number will rise again in 2008.

Take a quick peek at Milw0rm.com, a popular security research site that hosts proof-of-concept exploit code. At the moment, there are four different remote exploits for unpatched QuickTime vulnerabilities.

Lower down the page, there are two more proof-of-concepts for denial-of-service holes. These affect both Windows and Mac OS X users, increasing the likelihood that in-the-wild attacks against unpatched QuickTime holes will soon appear.

[ SEE: Latest QuickTime bug leaves XP, Vista vulnerable ]

The latest zero-day, a stack buffer overflow vulnerability in the way QuickTime handles the RTSP (Real Time Streaming Protocol) Content-Type header, is among the more serious flaws affecting QuickTime this year.

It affects most versions of QuickTime prior to and including 7.3 running on all supported Apple Mac OS X and Microsoft Windows platforms. Since QuickTime is a component of Apple iTunes, iTunes installations are also affected by this vulnerability.

A US-CERT advisory spells out the risks:

An attacker could exploit this vulnerability by convincing a user to access a specially crafted HTML document such as a Web page or e-mail message. The HTML document could use a variety of techniques to cause QuickTime to load a specially crafted RTSP stream. Common Web browsers, including Microsoft Internet Explorer, Mozilla Firefox, and Apple Safari can be used to pass RTSP streams to QuickTime, exploit the vulnerability, and execute arbitrary code.

This vulnerability could allow a remote, unauthenticated attacker to execute arbitrary code or commands and cause a denial-of-service condition.
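As an added example (not Apple's code, and not a reconstruction of the actual QuickTime flaw's details), the C functions below contrast the unbounded header copy that produces this bug class with a bounded parser that rejects an over-long RTSP Content-Type value instead of truncating it; the 64-byte buffer size, function names and sample header lines are hypothetical and constructed here.

```c
#include <ctype.h>
#include <string.h>

#define CONTENT_TYPE_MAX 64  /* hypothetical fixed-size header buffer */

/* Case-insensitive prefix test; stops at the first mismatch or end of s. */
static int has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Flawed pattern, shown only for contrast: the header value is copied into a
 * fixed stack buffer with no length check, so any value longer than
 * CONTENT_TYPE_MAX - 1 bytes overruns the buffer. Nothing here calls it. */
void handle_content_type_unsafe(const char *line)
{
    char type[CONTENT_TYPE_MAX];
    strcpy(type, line + strlen("Content-Type: "));  /* unbounded copy */
}

/* Hardened version: 0 on success (out[] filled), -1 if the line is not a
 * Content-Type header, -2 if the value does not fit. An over-long value is
 * rejected outright rather than truncated, so the caller can drop the stream. */
int parse_content_type(const char *line, char *out, size_t out_len)
{
    static const char key[] = "Content-Type:";
    if (!has_prefix_ci(line, key)) return -1;
    const char *v = line + sizeof key - 1;
    while (*v == ' ' || *v == '\t') v++;           /* skip leading blanks */
    size_t n = strcspn(v, "\r\n");                 /* value ends at CRLF */
    while (n > 0 && (v[n - 1] == ' ' || v[n - 1] == '\t')) n--;
    if (n >= out_len) return -2;                   /* keep room for the NUL */
    memcpy(out, v, n);
    out[n] = '\0';
    return 0;
}

/* Constructed normal header: an SDP description fits the 64-byte buffer. */
int demo_normal(void)
{
    char type[CONTENT_TYPE_MAX];
    int rc = parse_content_type("Content-Type: application/sdp\r\n", type, sizeof type);
    return rc == 0 && strcmp(type, "application/sdp") == 0;
}

/* Constructed hostile header: a 400-byte value is rejected, buffer untouched. */
int demo_oversized(void)
{
    char type[CONTENT_TYPE_MAX], line[512] = "Content-Type: ";
    memset(line + 14, 'A', 400);                   /* bytes 14..413, NUL after */
    return parse_content_type(line, type, sizeof type) == -2;
}
```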

The sharp rise in QuickTime flaw discoveries has set tongues wagging in security research circles and calls into question Apple's code review process.

[ SEE: QuickTime high on list of most vulnerable Windows apps ]

"QuickTime is the new IE and Apple is the new Microsoft," said a researcher who works closely with both companies on vulnerability reports.

Those comparisons aren't far-fetched. QuickTime, like Internet Explorer, is ubiquitous on Windows and often run in an unpatched state for long periods -- on both home and business computers. Apple, like Microsoft, has attracted scorn among some flaw finders for its slow response to serious issues -- and publicly documented squabbles with researchers.

Now there are calls for Apple to beef up its anti-exploitation protection mechanisms. Former Gartner analyst Rich Mogull, now an indie consultant at Securosis.com, offers the following advice:

This situation highlights why it's so important for Apple to finish some of the security improvements they started implementing in Leopard. Both library randomization and sandboxing can help prevent exploits of vulnerabilities like this. If Apple were to add outbound blocking to the application firewall, it would let us block these kinds of attacks without having to know anything about ports and protocols. Apple is clearly on the right path, and I look forward to future updates that will keep me protected even when a new, unpatched vulnerability is in the wild.

Better yet, Apple might want to (gasp!) borrow a page from Microsoft's playbook and implement an entire SDL (Security Development Lifecycle) process to cut down on flaws and reduce the attack surface when zero-days emerge.

Talkback

82 comments
  • Apple finally has enough market to become a target

    Face it, Apple has not had to concern itself much with security due to the fact that their market share was so low the hackers didn't bother with their products.

    I suppose there is a silver lining in the knowledge that they have gained enough market that hackers are willing to spend the effort to go after them.
    No_Ax_to_Grind
    • well

      Since QT is installed on many Windows boxes as well, it makes sense for the hackers to try to break that software. That way they can hit both OS X and Windows.
      Badgered
      • Don't you think it's a case

        of all the OS's becoming more secure and the hackers are now looking at finding the applications with the most bugs and security holes in them? I do...
        No_Ax_to_Grind
        • Then they should be looking at Word and Acrobat

          Word files and Acrobat files are like vessels and it's easy to embed malicious software. The easiest way to take over computers is by trojans. The easiest way to pass trojans is by playing to people's weaknesses like porn or game cheats or serial number generators. Quicktime and Windows Media Player are targets because people open JPGs, MP3s and movies without thinking of being attacked, and like PDFs and Word documents these files can be vessels.
          MacGeek2121
        • Then they should still be looking at Windows apps! - NT

          NT
          raycote
          • yet here we are...

            "Then they should still be looking at Windows apps!"

            Yet here we are discussing the attacks on an Apple product. It's easy enough to point the finger at MS since they have been under attack for so long. But holes appear to be in Apple's code as well. To ignore that fact is irresponsible.
            Badgered
          • Windows Defender

            Is under siege, two updates a week, WOW ! !
            hbashman@...
          • so much for a reasonable discussion, 'eh? (nt)

            .
            Badgered
          • What makes you think they're not?

            That common Windows apps - MS Office, Adobe Reader, Norton, McAfee, etc ARE popular vectors for Windows attack is not really the subject raised by this article. What makes this a little bit interesting is Apple apps coming under the gun - which besides being worth knowing, is a chance to yet again stir the MS vs Apple/Mac vs Linux pot - which so many of these threads dissolve uselessly into. The article itself plays to this - shouldn't we be happier that patches are coming, regardless of what OS or software company is involved, (mostly) before real-world exploits?
            rx7racer
        • Yes, it could be

          but then an application that runs on both Windows and OS X would seem to me to be a more inviting target than one that only ran on one OS.
          Badgered
        • That's pretty much it...

          OS's, Windows, Linux, and even Mac, have had to become a lot tighter as the attacks they are subjected to become more sophisticated (and more likely to be driven by identity and other data theft rather than simply creating mayhem). It's also pretty fair to say that in many respects Apple is probably sitting in a similar position now as Microsoft was circa 2003-ish: while OS X and Unix-based OS's generally have a better security approach and coding than did Windows XP at that point, it is likely they have enjoyed a certain amount of complacency owing to starting off more secure than Windows, and being a lower profile target due to small market share. Increased market share, combined with the fact that Windows, and Windows users, are much improved in terms of security and awareness of security issues, means the free ride seems to be ending - the criminal hackers are turning to other common apps, like the QuickTime/iTunes bundle - an especially good target, since it's popular on both the most common desktop OS's. And while OSX may share the strong security approach common to Unix derivatives (and no OS is without flaws), Quicktime is a much older app - if Apple is anything like MS in terms of code re-use (which is likely the case, clean-sheet work is rare), there's likely code in it that has a long history, and predates the more recent era of OS-X, and heightened security awareness generally.

          Hopefully Apple's "re-education" in terms of secure coding for all its products can be smoother and faster than MS's, but some of the denial and disputes with security researchers so far don't bode well. It's a shame that partisanship can blind people, and corporations, from learning from others' well-publicized mistakes.
          rx7racer
        • Finally get to use...

          one of my favorite lines from a movie. "That's because you are stupid." (The Mask of Zorro, 1998).
          jasonp@...
    • Are you nuts?????

      Quicktime has had hundreds of millions of users for years. Many games have always required Quicktime and iTunes is on every computer that uses iPods. Do you know how many million iPods have been sold? There were 100 million downloads of Quicktime way back years before iPods and iTunes revolutionized the music business. Don't tell me that back in 2000 or so, nobody used Quicktime. It's been around and has been very popular forever. Quicktime is older than WMP.

      The reason hackers are going after Quicktime is that there are more of them and these morons who publish zero day exploits after the software has been patched encourage hacking on all software. All software made today has to be patched for security. There are people in other countries who think they are getting over on the evil Americans by writing destructive software, and most obviously phishing.
      MacGeek2121
      • Clearly, you don't understand.

        Quicktime has been around for a really long time. iTunes is just the latest incarnation forcing quicktime down the throats of users. My Sony PSP media manager requires me to load quicktime. Sony media sites on the web (i.e. Spiderman 3) require quicktime. Apple has successfully wormed their way into your computer by cutting deals with movie producers and others. Quicktime will not leave the domain of computers anytime soon because Apple sued to prevent other media applications from using their codec. This in turn forced anyone wanting to view a quicktime file to use Quicktime. Quicktime is not the end-all be-all solution. In fact, unless you purchase the full version from Apple the free version is severely neuterd. And continues to be limited as the years go on. (One of my pet peeves on this is the inability to go full screen. I paid for a nice monitor to use the entire monitor, not just a 3 inch by 4 inch window.) Apple needs to and must make quicktime secure and free up the functional issues. As it turns out the memory hogging quicktime is only loaded on one of my computers that I use to convert files to mp4. I constantly fight quicktime because it hijacks file types and attempts to load itself as a memory resident program. No, I do not own an Apple computer. Nor do I intend to spend that kind of money. I consider the Apple computers to be overpriced and under supported. I do have my woes with my Windows computers, but ease of use and availability of supporting software make up for it. Apple users, dog me if you want, but I know quicktime has failed you in the past as it has me. (By the way, linux/bsd/unix users, grow up and learn from Apple and Microsoft; maybe if you weren't so self absorbed in beating the man you could produce a competing product with some standards.)
        top100developers
        • You don't understand either...

          The reason QT "has been around for a really long time" is because it usually works well. If it did not, it would be dead by now. MS forces an install of IE and Windows Media Player on PCs; at least you have a choice on PCs with QT. WM has had just as many security problems as QT.
          QT is not a codec, it's a media architecture...and has lately moved to open-standard non-discriminatory licensed MPEG4, H.264 and AAC codecs. QT Player plays open-standard MPEG4 files, while WM does not.
          The latest free QT Player plays full screen, and opens more file types than any other media player.
          http://www.apple.com/quicktime/player/specs.html
          Not sure where the "neuterd (sp.)" comes from.
          You should get your facts straight before you go ranting.
          keel
          • You've obviously never heard of the "N" versions of windows?

            Those that come without WMP? It's a choice, so enough of that ranting on about people being forced into anything.
            Microsoft was forced into creating a WMP-less OS and it was a colossal waste of time. Nobody buys it. Why would they?
            Enough of the "Microsoft owns everyone's soul" already. It's not only completely outdated but it's a slap in the face of everyone that uses Windows to great advantage and knowledge.
            Your dislike of it has nothing at all to do with QT having serious weaknesses, as it's repeatedly had over the years.
            If QT, Safari and iTunes are examples of how well Apple writes software, then I'll never touch OS X. I realize Apple doesn't really write much OS X code and rather licenses, borrows or steals a multitude of existing technology to paste together with duct tape and glue.
            And take a look at how Apple operates before you start talking falsely about MS forcing anything. What does the default install of iTunes give you? Yep, QT. Many people have no need for QT on their machines but Apple doesn't make it easy to exclude it on install of iTunes. Then you either uninstall it or find the preferences and services for it to shut down, since by default Apple updates your registry to have the service running at startup. Why would I want something that consumes 50MB of RAM running on my PC every time I start it up?
            Many users load iTunes at work or on a personal PC and only to get tunes onto the iPod. They have no time nor interest in using QT on their PC.

            I bought my wife an iPod but did not allow QT to be installed and have iTunes services disabled. Even set to manual, they are started. What kind of twisted trick is that? ;)
            Anyway, all disabled. Too insecure. Office has no running services on my machine gobbling up massive resources like the average iPod user would have w/o even thinking or knowing about it in most cases. Then Windows takes the blame for being slow.
            xuniL_z
          • Irony, thy name is hypocrite

            Not even going to get started on the fact that QTime ubiquity has nothing to do with "working well" and everything to do with iTunes and the Apple deals with the movie industry making QTime THE format for trailers (you wouldn't accept that unless QTime was a MSFT product).

            Also not going to get into the fact that WM will play ANYTHING for which a CODEC has been installed and not just what MSFT deems you should be allowed to play. "Open" QT architecture somehow is totally not extensible and can only support what Apple bakes in. Odd right?

            But I WILL jump on the irony of you presuming to tell someone to "get their facts straight" when you make two glaring factual errors in your little rant.

            One - How can QT POSSIBLY support "more formats than anything else" when WMP will play ANYTHING for which there is an installable CODEC? The WMP architecture is extensible. Your own link to Apple demonstrates that QTP doesn't even play DivX! Nor does it play, hello???, MPEG OR MPEG2.

            Two - QT simply has MORE exploits reported on CERT than WMP by a pretty good margin. So WMP has not had "just as many problems" as QT.

            Put your Kool-Aid down for a bit; I think it's spiked.
            mlambert890@...
          • lol

            go VLC media player!!!
            LinuxOwns
          • I was gonna reply to keel's little rant..

            but you pretty much said it all. LOL
            tikigawd
      • um, no...

        Sorry to poop on your mac-love there but it has not had hundreds of millions of users, simply downloads.

        What happens after people download Quicktime is that after a week or two of getting annoyed by the spy/crap-ware that IS Quicktime people uninstall it off of their systems until they need it again to view or hear something.

        Quicktime never gained any real traction on people's computers until Apple SHOVED it down EVERYONE's THROATS in order to use their new iPods. Great for Apple but unfortunately the software never got the attention it deserved for either code quality or security, so what you have here today is a ubiquitous application on the desktop of all those who purchased an iPod that is being harvested by cyber criminals. Quite sad really.

        Apple should go ask Microsoft for help. I'm sure they'd be willing if they'd put out a new Mac vs. PC ad about it :)
        BFD