Serious QuickTime bugs bite Windows Vista, Mac OS X

Serious QuickTime bugs bite Windows Vista, Mac OS X

Summary: Multiple flaws in Apple's QuickTime media player could put millions of Windows and Mac users at risk of code execution attacks, Apple confirmed in an advisory issued today.

SHARE:

Multiple flaws in Apple's QuickTime media player could put millions of Windows and Mac users at risk of code execution attacks, Apple confirmed in an advisory issued today.

Apple QuickTimeA mega-update from Cupertino plugs a total of eight code execution vulnerabilities in QuickTime, all affecting Windows Vista, Microsoft's new operating system. The most serious of the flaws could allow an attacker to use audio and video files to take full control of a vulnerable machine.

In all, the new QuickTime 7.1.5  plugs a total of eight holes affecting Mac OS X, Windows 2000, Windows XP and Windows Vista users.  All eight flaws are considered highly critical because of the risk of code execution attacks.

Vulnerability #1 (Windows Vista/XP/2000):  Viewing a maliciously-crafted 3GP file may lead to an application crash or arbitrary code execution. This is caused by an integer overflow in QuickTime's handling of 3GP video files. By enticing a user to open a malicious movie, an attacker can trigger the overflow, which may lead to an application crash or arbitrary code execution. This issue does not affect Mac OS X.

Vulnerability #2 (Mac OS X v10.3.9 and later, Windows Vista/XP/2000): Viewing a maliciously-crafted MIDI file may lead to an application crash or arbitrary code execution because of a heap buffer overflow in QuickTime's handling of MIDI files.  An attacker could exploit this bug by enticing a user to open a malicious MIDI file. This could lead to an application crash or arbitrary code execution.

Vulnerability #3 (Mac OS X v10.3.9 and later, Windows Vista/XP/2000)
: Viewing a maliciously-crafted Quicktime movie file may lead to an application crash or arbitrary code execution. Apple describes this as a heap buffer overflow in the way the media player handles QuickTime movie files.  Code execution attacks are possible, Apple confirmed.

Vulnerability #4 (Mac OS X v10.3.9 and later, Windows Vista/XP/2000): Viewing a maliciously-crafted Quicktime movie file may lead to an application crash or arbitrary code execution because of an integer overflow in QuickTime's handling of UDTA atoms in movie files. This could be exploited to cause denial-of-service or arbitrary code execution attacks.

Vulnerability #5 (Mac OS X v10.3.9 and later, Windows Vista/XP/2000): A heap buffer overflow in QuickTime's handling of PICT files could allow an attacker to launch code execution attacks when rigged PICT files are viewed.

Vulnerability #6 (Mac OS X v10.3.9 and later, Windows Vista/XP/2000): Opening a maliciously-crafted QTIF file may lead to an application crash or arbitrary code execution because of a stack buffer overflow exists in QuickTime's handling of QTIF files. "By enticing a user to access a maliciously-crafted QTIF file, an attacker can trigger the overflow, which may lead to an application crash or arbitrary code execution," Apple warned.

Vulnerability #7 (Mac OS X v10.3.9 and later, Windows Vista/XP/2000): An integer overflow in the way QuickTime handles QTIF files could allow a maliciously crafted QTIF file to be used in code execution attacks.

Vulnerability #8 (Mac OS X v10.3.9 and later, Windows Vista/XP/2000): Opening a maliciously-crafted QTIF file may lead to an application crash or arbitrary code execution because of a heap buffer overflow in the media player's handling of QTIF files.

Apple is strongly recommending that users upgrade to QuickTime 7.1.5 via the Software Update or from the download area in the QuickTime site.

Topics: Windows, Apple, Hardware, Microsoft, Operating Systems

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

113 comments
Log in or register to join the discussion
  • Question for you Ryan -

    Would a user on windows vista (not admin) still be vulnerable to this or would that UAC popup come up first? And if yes, does that mean that users will automatically click yes?
    Confused by religion
    • UAC will pop up if the malware tries to change your system

      UAC will pop up if the code execution tries to change your system. It will not come up if the code tries to nuke your user folders and files because it's normally running with your privileges.
      georgeou
    • Department Of Transportation bites back at Microsoft .

      D.O.T. plans on making the switch to Macs & Linux .

      http://blogs.business2.com/beta/2007/03/us_government_b.html
      I'm Ye, the MS SHILL .
      • sheesh

        How about being accurate in your statments.

        First the article you pointed to is linked to this story:
        http://www.informationweek.com/news/showArticle.jhtml?articleID=197700789

        Which states in the story that :
        Schmidt says the Transportation Department hasn't ruled out upgrading its computers to Windows Vista if all of its concerns about the new operating system -- the business version of which was launched late last year -- can be resolved. "We have more confidence in Microsoft than we would have 10 years ago," says Schmidt. "But it always makes sense to look at the security implications, the value back to the customer, and those kind of issues."

        They are looking at all of their options. Mac, Linux, and Windows Vista.

        If you're going to just bash MS, at least be accurate. There are plenty of honest reasons to get on MS's case, stop making things up.
        Badgered
      • you read wrong they are waiting

        you read wrong they are waiting for the compatibility issues to be taken care of not that they are going to change god and that they are looking at the cost of changing over to mac witch would not work because the main issue would still be there cost of having to replace every computer they have training all employ on a mac and finding software that does the somethings they are doing now

        and i would say on the Linux change they would still have to find some open-source software to do what they do now and train ppl how to use Linux and then with Linux you have the no support deal oh wait yes you do you post a question on a website and hope someone gives you the right answer so i would say i think the dot will after looking at the cost of changing over they will stay with xp and wait till there are patches for there software and updated drivers
        SO.CAL Guy
        • Support for Linux

          If they go the SLED way, support IS NOT a matter of posting a question on a website and hoping!! Have you heard of a company called Novell??

          If they decide to go the RedHat direction there is a company called RedHat which MAKES its LIVING from SUPPORT.

          Ubuntu Linux is owned by a company called Canonical which makes its living, at least from the Ubuntu Linux distribution, from SUPPORT.

          Instead of paying hundreds of dollars per licence for Windows you pay for a support contract with the distribution you get for FREE.
          mdsmedia
        • Yes, he implied wrong but your reasoning is shoddy.

          So, what you are saying is that if they made the jump to Vista, they
          are going to somehow, myseriously, not need training? Heheh, right.
          I'm not saying it is overly difficult but, sorry, those peeps are gonna
          need to be trained too, it is the DOT. It wouldn't be too different than
          learning an alternate OS, especially some of the Linux flavors, some
          are too god-awful close to Windows, IMHO.

          They probably won't be upgrading hardware, most big businesses
          don't, they just replace with new. So you could get comparable mac
          minis for dells thay you may find at the DOT. You already have
          monitors, right? iMacs for the higher end.

          Not too implausible for either Mac or Linux.
          Kid Icarus-21097050858087920245213802267493
    • Even Intel is holding back because of MS Vista .

      http://blogs.business2.com/apple/2007/03/vista_even_inte.html
      I'm Ye, the MS SHILL .
      • well...

        They are holding back on upgrading to Vista until SP1, which is prudent IMO. I don't think Intel is holding anything back "because of MS Vista".

        More importantly, what does that have to do with the post you were replying to, or to the story itself?

        Are you just one of those people who like to bash MS everytime you see the word Vista in a post?
        Badgered
      • he states this but

        he states this but i did not see a link to back it up the i seen the link for the DOT but i have looked at Intel's site and have not seen anything and from all the news Intel is putting out they are moving on unlike a mac Intel works on many formats not just windows Apple is a new comer to the world of a good CPU's one that works on a lot of things one OS is not going to stop Intel from designing besides that site is nothing but an apple hack site i would not go by everything you read there with out links to back it up
        SO.CAL Guy
  • Doesn't Apple test their code?

    This is ridiculous!!!! Makes me [b]very[/b] glad that I have not (and will not) install support for Quicktime on any of my computers. Thank goodness Quicktime isn't installed by default. I would [b]hate[/b] to be one of the ignorant masses who bought a computer with it bundled into the OS. Hmm, I wonder which computers come with Quicktime bundled into the OS? Hmm...
    NonZealot
    • Did you catch the new Maddox update?

      It's right up your alley. ;)
      Michael Kelly
      • HILARIOUS!!!

        Thanks for that. I haven't checked out Maddox in a long time but that entry is perfect!
        NonZealot
    • Thanks!

      I was bitterly disappointed by the lack of religious factions fighting it out over at CNet. Glad ZDNet came to the rescue!
      KTLA
    • Zealotry

      The flaws are patched. No zero-day exploits in the wild, and Apple didn't wait until a
      patch tuesday to get it done. And yet again, the facts demonstrate that people using
      Apple computers and OS X enjoy a more secure and less restrictive computing
      experience out of the box TODAY. Keep dreaming about some mythical utopian
      future when your OS of choice gives you as few hassles. Meanwhile, I will continue to
      enjoy a superior computing experience TODAY, just as I have for the past five years.
      frgough
      • ok...

        I can accept most of your statements, but... "And yet again, the facts demonstrate that people using Apple computers and OS X enjoy a more secure and less restrictive computing experience out of the box TODAY."

        How is Apple less restrictive? I have to run Mac OS X on Apple's hardware. My software choices are more limited than Windows.

        Yes, Windows has restrictions too... but how is Apple "less" restrictive?
        Badgered
        • only OS X?

          I take it you don't have an Intel based Mac? As I'm sure you know, Intel Macs can run multiple operating systems (one more than PCs can, actually ... as PCs cannot run OS X).

          I cherish the zealotry being expressed here. Windows users get sooooo excited and heated at any opportunity to exploit a Mac weakness (the few chances they get). Meanwhile, most Mac users are too busy enjoying their computer to care about the thousands and thousands of weaknesses and annoyances inherent in Windows machines.

          If you like your machine and your operating system, great. Just don't try to make me regret purchasing my MacBook Pro ... you'll be wasting your time, I assure you.
          SirRoundSound
          • What?

            "I take it you don't have an Intel based Mac? As I'm sure you know, Intel Macs can run multiple operating systems (one more than PCs can, actually ... as PCs cannot run OS X)."

            Yes, but that is actually a point for Windows. They don't restrict you to running on only Windows hardware. It is Apple that makes the restriction. Which is fine, if that's how they want to limit the exposure of their OS. After all, it is their company.

            "I cherish the zealotry being expressed here. Windows users get sooooo excited and heated at any opportunity to exploit a Mac weakness (the few chances they get). Meanwhile, most Mac users are too busy enjoying their computer to care about the thousands and thousands of weaknesses and annoyances inherent in Windows machines."

            Please tell me how it somehow makes me a Zealot, when I asked a simple question seeking information on what the previous poster said "Apple computers and OS X enjoy a more secure and less restrictive computing experience", wanting to know what he meant by "less restrictive"?

            "If you like your machine and your operating system, great. Just don't try to make me regret purchasing my MacBook Pro ... you'll be wasting your time, I assure you."

            I don't mind my OS, therefore I have no desire to change. But I can assure you I have no intention of trying to convince anyone of anything. I was just asking a question. I'm sorry if that makes me a Zealot in your eyes... but I think you are mistaken.
            Badgered
          • sorry ... zealot comment not aimed at you

            Sorry for the misunderstanding there. I was referring to the other examples of zealotry going on in this conversation as a whole (I guess I'm used to forums that aren't so specifically threaded). I was not referring to you specifically, though I can see why you would have assumed that. Sorry.
            SirRoundSound
          • That depends.

            [i]"I take it you don't have an Intel based Mac? As I'm sure you know, Intel Macs can run multiple operating systems (one more than PCs can, actually ... as PCs cannot run OS X)."

            Yes, but that is actually a point for Windows. They don't restrict you to running on only Windows hardware. It is Apple that makes the restriction. Which is fine, if that's how they want to limit the exposure of their OS. After all, it is their company.[/i]

            If you want the most flexibility and are willing to give up one-stop support, Windows and PCs are best. But, for the many people who just want a computer that [i]works[/i] out-of-the-box and does what they need (not to mention being far easier to learn and use as has been repeatedly shown in study after study after study, including a recent one that shows that Vista with Aero is actually [i]worse[/i] than XP in this regard!), Apple is the way to go.

            Get a Dell with Windows, add a high-end Matrox professional video card, and run Adobe AfterEffects on it. Ooops, an error happens. Who do you call?

            Dell Tech Support: “Oh, we know about that. It’s a known bug in Windows. Call Microsoft.”

            MS Tech Support: “That’s a problem with the version of AfterEffects that you’re running. Call Adobe.”

            Adobe Technical Support: “That’s caused by a driver incompatibility. Call Matrox.”

            Matrox Technical Support: “Yeah, we know about this one. It’s due to a motherboard flaw in the Dell in that it can’t handle the bandwidth loads from our card, even though by its specs it’s supposed to. Call Dell.”

            Get a Mac, use Final Cut Pro Suite (including Motion) instead of AfterEffects, and Apple can’t play that game (well, except for third-party add-on hardware and software, but they do support their own cards from Nvidia and ATI). You only have one number to call on the off chance that something goes wrong.

            For people whose livelihoods depend on a computer working, and any problems being promptly resolved, this is a [i]vital[/i] consideration in choosing a platform (it’s also why companies get Sun Solaris or used to get SGI IRIX workstations for advanced stuff).
            Joel R