Apple slaps more bandaids on QuickTime


Summary: Apple has shipped a new QuickTime version to plug at least three more security vulnerabilities that put Mac OS X and Windows users at risk of code execution attacks.

TOPICS: Hardware, Apple, Mobility

Apple has shipped a new QuickTime version to plug at least three more security vulnerabilities that put Mac OS X and Windows users at risk of code execution attacks.

The QuickTime 7.3.1 update addresses the QuickTime RTSP (Real Time Streaming Protocol) Content-Type header buffer overflow that was first disclosed on security mailing lists on November 26. Exploit code for this vulnerability, which affects both Mac and Windows machines, is publicly available.

From Apple's advisory:

A buffer overflow exists in QuickTime's handling of Real Time Streaming Protocol (RTSP) headers. By enticing a user to view a maliciously crafted RTSP movie, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by ensuring that the destination buffer is sized to contain the data.
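The advisory's one-line description of the fix ("ensuring that the destination buffer is sized to contain the data") is the whole story of this bug class, so here is the pattern in miniature. This is an added example, not Apple's code: a toy parser that pulls the Content-Type value out of an RTSP response into a fixed-size buffer, first in the unbounded form the advisory describes and then bounded against the destination. The buffer size, the helper names and the sample responses are all constructed for the example.

```c
/* Added example (not QuickTime's code): copying an RTSP "Content-Type:"
 * value into a fixed-size buffer, unbounded vs. bounded. The RTSP
 * responses below are constructed for the example. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CT_MAX 64   /* hypothetical size of the destination buffer */

/* Locate the value of "Content-Type:" in a block of RTSP headers.
 * Returns a pointer to the first non-blank byte of the value and stores
 * its length (up to CRLF or end of string) in *len; NULL if absent. */
static const char *find_content_type(const char *hdrs, size_t *len)
{
    const char *key = "Content-Type:";
    const char *p = strstr(hdrs, key);
    if (!p)
        return NULL;
    p += strlen(key);
    while (*p == ' ' || *p == '\t')
        p++;
    const char *end = strpbrk(p, "\r\n");
    *len = end ? (size_t)(end - p) : strlen(p);
    return p;
}

/* Vulnerable pattern: the copy length comes from the peer, the buffer
 * size does not. A value of CT_MAX bytes or more overruns 'out'.
 * Shown for contrast only; never run it on untrusted input. */
void copy_content_type_unbounded(const char *hdrs, char out[CT_MAX])
{
    size_t len;
    const char *v = find_content_type(hdrs, &len);
    if (!v) { out[0] = '\0'; return; }
    memcpy(out, v, len);   /* BUG: len is attacker-controlled */
    out[len] = '\0';
}

/* Fixed: reject values that do not fit rather than truncating silently,
 * since a silently truncated media type is its own source of confusion.
 * Returns 1 on success, 0 if the header is missing or too long. */
int copy_content_type_bounded(const char *hdrs, char out[CT_MAX])
{
    size_t len;
    const char *v = find_content_type(hdrs, &len);
    out[0] = '\0';
    if (!v || len >= CT_MAX)   /* leave room for the terminator */
        return 0;
    memcpy(out, v, len);
    out[len] = '\0';
    return 1;
}

/* Constructed benign response. */
const char BENIGN_RESPONSE[] =
    "RTSP/1.0 200 OK\r\n"
    "CSeq: 1\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 0\r\n\r\n";

/* Build a constructed response whose Content-Type value is n bytes of 'A'.
 * 'buf' must hold at least n + 40 bytes. */
void build_long_response(char *buf, size_t n)
{
    const char *prefix = "RTSP/1.0 200 OK\r\nContent-Type: ";
    size_t plen = strlen(prefix);
    memcpy(buf, prefix, plen);
    memset(buf + plen, 'A', n);
    memcpy(buf + plen + n, "\r\n\r\n", 5);   /* includes the NUL */
}

int main(void)
{
    char out[CT_MAX];
    char big[1024];

    copy_content_type_bounded(BENIGN_RESPONSE, out);
    printf("benign: \"%s\"\n", out);

    build_long_response(big, 500);
    printf("oversized value accepted: %d\n",
           copy_content_type_bounded(big, out));
    return 0;
}
```

The boundary worth testing is the off-by-one: a value of exactly CT_MAX-1 bytes must be accepted, CT_MAX bytes refused, because the terminator needs its byte too.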


The latest update also patches a high-risk vulnerability in QuickTime's handling of QTL files: a maliciously crafted QTL file can crash QuickTime or lead to arbitrary code execution.

The third issue, multiple vulnerabilities in QuickTime's Flash media handler, could also lead to arbitrary code execution. Rather than fixing the handler, this update disables it in QuickTime except for a limited number of existing QuickTime movies that are known to be safe. That removes the attack surface for now, but it is a workaround, not a repair of the underlying parsing code, and users who have not installed 7.3.1 remain exposed.

Not counting silent (undocumented) fixes, Apple has patched at least 35 security holes in QuickTime this year.



  • You're being just a little unfair, aren't you?

    'slaps a bandaid' - actually, this fix set looks pretty well thought out, doesn't it, given it was arranged, built, and tested in a week?

    This new (and necessary) security craze has followed a driver: the appearance of a much more sophisticated hacker element now that organised crime has become deeply involved. Others besides Apple have had to tighten up what was until then perfectly adequate software. I was just looking for something from Adobe today, and was reminded by the list of very substantial security upgrades to Flash.

    Yes, Adobe acted more proactively. Apple is having their time now, on this cross-platform product, which by nature has what you boys are calling a 'large attack surface', because it handles many formats.

    Is it worth the 'charge' to make nasty headlines about their accomplishments?

    Narr vi
    • No he is not being unfair and yes the headlines are deserved

      Any company that is distributing desktop applications with the ambition of having the software on every machine out there deserves to be slapped and slapped hard for every severe security risk they inflict on their users. Especially when we're talking about code execution attacks. That's just inexcusable in this day and age.
      Michael Kelly
      • You are right about being fair, but his lack...

        of professionalism is showing badly.
        • If he were a reporter I would agree

          However since he is a blogger, which is akin to being a commentator, sharing his personal opinion is very much a part of what he is supposed to do. Obviously Ryan is getting aggravated with Apple on this issue, and given QuickTime's recent history I can understand that.
          Michael Kelly
          • Well I could agree about the BLOG....

            But his BLOG is on a Technology News site, not someone's personal site. While I also agree Quicktime has been plagued with more security flaws than most applications, that is still no reason for the poor title. He is slipping into the George Ou style.
          • Read the description of the fix.

            It is a bandaid! Disabling a feature is not a fix.
          • What would Andy Rooney say?

            This whole thread made me think of his style of comments at the end of a 60 Minutes episode. I think bandaid is a pretty accurate description, and maybe going too easy on them. Since the 'solution' was to disable, I think it is more of a tourniquet.
        • This is the fault of hackers

          It is unprofessional to blame Apple for things that malware authors are doing. Apple never expected that to happen, so how can they be blamed for it? If Ryan could prove that Apple purposely added these holes and then told the hackers where to look, then yes, Apple would be to blame, but that didn't happen here. Apple is just trying to give users the best DRM-free product. Contrast that with Micro$ux's Zune and the difference is obvious. Oh, and didn't IE have some security holes in it? Yeah, why is it that Ryan always blames Apple for Quicktime flaws when Micro$ux has so many holes in IE?
          • Well, let's see; I didn't know Micro$ux owned...

            ... or distributed Quicktime. Perhap$ I'm wrong here, but the last time I checked, Micro$ux put out Windows MediaPlayer, which - in versions 10 & 11 really is cool (I know, the way I generally ba$h $ome thing$ M$ - you might think I'm converted). I have never had anything but frustration with Qt, but it wasn't because M$x had anything to do with it; just that I get upset when anything I want to use won't work.

            ... so, yeah; I think the problem is Quicktime and Apple; not Micro$ux. I also think anything "i" is a general item to suspect. I tried iTunes, but found that I cannot simply switch the music files from one external HDD to another and drag and drop them back into iTunes without waiting for iTunes to "digest" the lengths and volume of each and every piece before it can properly play them with crossfading and balanced volume. Micro$ux does it immediately - on-the-fly. Can't beat that!
      • What's good for the goose...

        You are correct. I'd like to see some equally snide headlines about Microsoft patching their OS, Applications, browser, legal status, etc.
    • Ohhh, so it's the "More sophisticated hackers' fault," not Apple's

      It has nothing to do with the fact that QuickTime is showing itself to be the Swiss cheese equivalent of the levees in New Orleans.
      How come in that catastrophe everyone blamed (and rightly so) the shoddy construction, the Army Corps of Engineers, the local New Orleans Government, etc.? Saying "oh, that hurricane was just too strong, so it's ok that the whole city went down the toilet" would obviously be a moronic thing to say, wouldn't it?

      I will agree that there is more impetus to be a more sophisticated hacker in this day and age, but that should NEVER excuse developers to let this kind of thing happen. And you, as a consumer, are a freaking MORON for being such an apologist on their behalf.
  • When it's Microsoft, it's a Security Update...

    When it's Apple, it's a "BandAid".

    I read no further once I saw that headline.
    • If you did read further

      you would have seen that Apple disabled the Flash media handler in QuickTime. They are, at least temporarily (if not permanently), removing a key feature to remove a threat. If that's not a BandAid rather than a Security Update, then how would you describe it?
      Michael Kelly
      • My suggestion

        I think the professional term would be "workaround."

        By the way, the word used in the title is a trademark but I don't have anywhere to go with that factlet.

        QuickTime is a problematic bit of code. Mr. Naraine (were he responsible for his headlines) may have gotten tired of the "Apple fixes ${count} vulnerabilities in QuickTime" once a month (or so) perennial. I use Apple stuff: it may be an apt

        I Better go download the patches.
      • I don't care....

        When I see a headline like this, I fully do not expect solid reporting so I don't bother.
        • Putting a sharper point on it...

          When I see ZDNET report ANYTHING about Apple, I don't expect solid reporting. Most if not all the "authors" (I won't insult the industry by calling them journalists) have disclaimers that clearly state they either write about Windows or Microsoft for a living, or write FOR Microsoft for a living.

          And you expect honest reporting from these guys? Not a chance.

          I still don't see the equivalent "Apple centric" site that bashes Windows like this. As I've said before, we're just too busy being productive :)

          As for Flash, I never used QTime for Flash, I use the Flash Player. Duh! And thanks to Flip4Mac I don't even have to use the clunky Windows Media Player to view THAT

          Gotta go. Play times over...
          • MacWorld? MacUser? I can name quite a lot

            of places that bash anything non-Mac (Microsoft the most) to the point of being idiotic

            Admit it: if (and when, as it does happen often) the headline read "Microsoft slaps bandaid on Media player" the Apple crowd would be (and has been) all over it, so why get upset when the same is applied to Apple?

            Rose colored glasses?
          • Care to find me an instance?

            PLEASE show me proof of what you're saying. I've shown MY proof. Every Friday, right here on ZDNET. <sheesh!>
          • Sure!

            How about:


            In fact a search for "bandaid" and "microsoft" on ZDNet came up with a series of hits!

            ZDNet is just here to feed the paranoia of both the OSX user and the Vista user to get them pumped up enough to post here. They post things in a controversial way to get you to respond and thus stay on a page long enough to satisfy an advertiser.

            It's the computing version of Maury Povich or Jerry Springer.

            So we can have the Apple guys talk about how there are never any security vulnerabilities in their OS or apps, and that they can never ever get infected. And the Vista guys talk about how cool Aero or their game library is and how it makes life worth living.

            And above it all, no one holds Apple or Microsoft to account for the things that really matter.
      • Don't like BandAid? How about Q/Tip (moyle)???

        Does that work better for you? I mean, if you cut off a working end; what is that???