Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Apple Plugs QuickTime Malware Installation Hole



 By: Ryan Naraine
2008-02-06
Article Rating:starstarstarstarstar / 2


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
The company acknowledges the bug could lead to drive-by malware installations on Windows and Mac machines.

Apple has issued a patch for a high-profile vulnerability in its flagship QuickTime media player, acknowledging that the bug could lead to drive-by malware installations on Windows and Mac machines.

With QuickTime 7.4.1, the company provides cover for a heap buffer overflow in QuickTime's handling of HTTP responses when RTSP (Real Time Streaming Protocol) tunneling is enabled.

Resource Library:
Apple warned that malicious hackers could use booby-trapped Web pages to "cause an unexpected application termination or arbitrary code execution."

The QuickTime update is for Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista and Windows XP SP2.

The patch comes almost a month after it was first released as zero day (previously unknown or unpatched) on public mailing lists.

Proof-of-concept exploits have been in circulation since Jan. 10, putting both Windows and Mac users at serious risk.

The issue occurs because QuickTime fails to properly bounds-check user-supplied input before copying it to an insufficiently sized buffer.

Not counting silentor undocumentedfixes, Apple has patched at least 40 security flaws affecting QuickTime since January 2007. In 2006, the QuickTime patch count was 28.

Apple Feb. 4 also shipped a fix for a critical flaw affecting the iPhoto application.

 





  Reader Comments: Apple Plugs QuickTime Malware Installation Hole
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 



x}r㶲s\@♵MQHS%ƶ,8:U*$ER89 7](ɗ>ĶD th4I"f\8ܢdC3齿O$wmL9P[Ϡ^#WZj:@a5˜؍Nz&pDwd>J`OS{SM)5'Ӡ6ߙ =/3mB}F7\3Ѣcgb ^Pk$ȁ_ E9J~=K Qݯw,8"a}c$aLBaUw0vK]K{8$#oAUVekV:6^ ;4r9ȹ3z$fPr&NWw#205IRZ [ XdTj ӑc)u8r x08JeJ-jfL yf_%z(ww6O) |@AuӱCԣFr(˚79heynJ\WkQZ ^r7mù-Ӟ5q*sܼ_煊B=ʑ#Ko5-'4a(.'׽~t@.{;Qc'HH_L Z.JX<%ȇ Tjg`rM7JQq+z^T Z, Ԏ$0L"ÌJ3~̢(:2qs9]vsGV=Bg#j`Bmium¿\vO^3Q&ںa#j庤#3 \u4>wOHN,m247Q[h,w.s$b&Z|Y|ěy#0ri4(=-8X@/@ש#7V4ut-Mf #dh&ͻFh- @ho*KjLr &@Sk~$M5ņ])!edF-ۤ%/^(Pe!P샚_.[ jF|*\($ٛ"G;z̈_"ʥgp1S{.S4epqZoV͉*]X]uUjZlE?´Tw9yi >]wڤջEo}ǫg",$ꨦV+t o| 5KX+_WL F̶-a[e)u5~̆>:mNQ'm51l;4}t>჆$>hhƋMriOMrӇtu@>+GݺzLnXŞ+ Qm:FAтMx>tT؎]6}l2w9;-L&w& zrWtc` VPCh9N@tmS(r`39;ʹiǀxԘЯ.%w2J ] cRR,H@t"AђF *4 gscX"C"'A_$w$]KI+\fD8nOu$;g_%s㙰\J٣XB YX/_23CCɴX9{DMfT`B[/Kቖ6ZlZe y-0fГ93 ->քMGsy6:D&f+Lo_>L>hQox@j"[fShW(fsᠺ4C}52{B[`n9sc]edܣ!?p*JNCjVzv}n7r>5mVAL  |U=kb$`~f y6yBfOx;r+kF3UʝW.NrB@-T᧒,H@fmdz?Ԍ;Oq)2:3f$,4tOݡ~L?ͺz+YF^u 9r@]օVP M2%W}ka %/DA n:bXG6X}iМ^fdTRSOSw]:6pȞc>S+EE.OLYZf<[ꑪ+RY;l ʸSI͐6 [IF|t |8.MKϱ("}r36O=<fqMa)e-6BUjbg`m1Jx=e\48L XbOF\F Kzf/.,KigyMٓ.[\|zN YX:=4̄+ulZ'TMa?x;Hyì55̆r(1`s@M$ knV2 &G-cY}6euEm$ci.:Ĕ20y4h_GSsDb8"T paLHa03M#ؚyeoX~?59r]ilu0q`( Z3:sFV*[O3$!WԶͶwP$>5 cd]TZ@4`Dk pHE&@|Zkhp \@E.br>+j*eT0@AS Ւ.ZE^~~ VKi?`E"'>ڧs!a*/W3 Z|ۏZV,֪19P+Rjss??]et4R:1psy >{Vv0eC>yL{HeX*`|JZYXIb+ģ#YV 2h:pn`wy~t=t@h#xZ `i@%p LU}֕ZJwg 唟`Z~a51r]ߘ4|l'Ge7M#3pTa7n-* ~2s bT 7$J\SGQ>N<͠1p Fu*%U-vWAlj%wwG4 3 *Jeѓ%O.'-U*j^(YHX9H(P Yx[!6E!,8{Je%[ yr2=QZaǰ^Xkٿ oo(0h_pCm;$\auv>g +f[I)7+uʶO{u=r Wi_Ut{uYleFkeKKxfq/R,Z>~}lK݋և?pȾYU$(XM4qߵs'^Y {{jk6|v972CH"r zECR|Iw޻y#%{;j܃Z,= YE#BwZǍ5Bk;d4) 3zI]a "AKݹ̂! Qל$"Z*\N3dn,*~W1w~em`!w1ߐdxPZ#  G@RPOh[#yKt;3ĞZh !:e}E/R)Q\(뉞hYsһnq l(_(/0[JӷoHWY/xExW(khLUbsZ;LzdNlp jwySr4/%/p]Zins zsHaP;DZ3pu*hhwl)~ڲO6D20O&8v\f0G`q0螴É@P V&k?7O q;f=;0蹳= }-{oC'4dkwD /gyVz7ngmQXFC\foœ~s_; ?-l-8tǠ#R#K1M&$(j^UH*"sᔤ˾\E㣑)?8b;`@L6CGfKζ==4zoѯo=إ'%<A?gLwUv@r@pSx{geQJW=(q-@kjyAJ\<~^]䑽DXHڃ}co[#D:*p&޸_'2>6,eM`a$6$1}plc xGD]Ke"r[ ,k.}a-ܥ3}t4?48!)eP3ԕO>,-Hӭ@ʳ/' _#Z|%X sxLHSڳ5;Aӏb(1~Y}kjbi\yWO!]ܧxJlHX@Ħp3A4,=#17vHȅ3)9L$jMKJ Aqiw~Y rG{Y sQȻ71& oUh%),[ ue"/cmf>PLG|;d(΀,^S&I}Lbtm'1crz2uO|U`~ nI"36XpήJAC!/ܓXFQ5rKauX**e%;B"!<32x׏ ŋEHQoVwR۲UتX"q)LǗS-NeH-Is0lx @ZTf(A%OM (3]? ~{ "%xpg4#-7/Lc2ʜz7&Hv@jG+oZ{T+LƩD " {RߗN=Oױ%_|^z%L~ u(5˷h {_$uiI$b*~3 _&dAR bw'I}к@*YH*kե8EJ4Jx$L]%a7z@UI4DW/ߊf׳Kζlj`00kx-lxu V|Q [Usm:wI9{]HhV҅=x\`N<=,DBV:x-^b%  =`3:iwZdo|kTD~RLo}4$q{`=c @‘ccq5HL,LƛΤt/ʛyٞ|İ'`:x$5Ǝhη$z&HWFKKQyֲRI9>ѠJ QM~}z{"uOHNm\rWoq:P|W eY@{.I3mq+!ZpP]}zUcxcvϑcHa)gG Gx~{kQY#cT<?FU6^Go nb(.[*@,9$*>dS]Ć%G*Dz'~/hn J\ܻH(aZ 'Ʈ,!/B^[’$M=1Ho'Dhk+j5ژA^ cZrD,?tUHE/]^|bml?QX2H\Fpxe3)4k 0iS"Ω,, Y4ZK11\RKj\.he,zVdq2&ϯ #zkPWsƌFSj9椷 G]!M)jD:-~07|Zc`cs05̈ ZOkafSVi +G6vn&%%m'hzBRKo^좔eͪNDet>i~r&:q."{ 2C`m 4,\ (\πTn;nIe!ÙUʜ ݺ=RZZGjPV*ڑ^y-0f#@8RS UVR,"guxz\0'|zG5B .kXGl7K1eTURw4z -qGp}X2ƏxL,ji'1 m|EPp@O eˡqUc\oZh z (D]XC @ݥDu+i!',l6Ý?Ҧ3F;6vCknnBzTwLϱ{cHK:z s ),9+iZ`3+n{lˊRMȶ8.NS)q2>3lS; ʠ:Iߥ4 ?R)!m%:* RW"Yc6يj #K KO..KzZ#ZIHx5J\^x_%ʄ&,7c Ƅ[)RUfwܠeȃ5T?0dм' )VۣV_d@2u؁kIO؟0nh?Do9fkH s;D+חBPdHe Ft83)IΒF2*mGM=/>nr-i`Ik@JOf+p 0c1CLD:5L[>'u & Z_j :q@>WLQXj*!b3wأ4ϓo }f_$R[3a:t]\VP*@J>QeAm??&­!Rjs# h_ʜfF \ <7`%fQиOnF;`Af&t,yǥ}-AGjp H:ςG)s!aZ;Mo )ns9e' MjV}QuxQ?fd_Cpj+彌r6Р(?@ |OPi}Y7Eyy(_~gP~Q(GF_d^f%e\]f_O/C@2U\W_\gOg7^_ S}Y >>goʁo2ڿh&s$eCPʐ.Np3˹q+/ޯVD=՞bMdG,DlG\%Üf1'06L|,y|e8Nt7LwU/3yKw3+ʘ=}nC7}f­n_x` ~iMnڧZDpqk;ُϋGkwՕ ~3b jN^fJC#Dk(xxըm4 zO˘͛YȌNE5//{_۱ B bb{ˈT`T|Jx /p9ܛ]|LAÆo^Ėٵv"n<4Nwz:cJX0N0\9Khw]V=ȾwF=Ch6%'x5WYFmn%c$Q% H|r[ {wrFr:=fGW4yxaw.kZ6좗4w<Ɓs( 5&-c ],N=X v7i:ŒkK$LU\x2Of@L V86>/޺ۄ$֚lAa[Nƀ_Pn=,N7"f8̆I-m`x܉ -1n>΅-~뚅ӳVm(b-]U]ݍ;S O!MO,$m:X3!?cW,ITckŃBLr$Ҵ)bHˌ!4_^A>7W!fI3)L&lOW[l,)1{9$z 5sb{P΢|\k,!#1苌YMЦ O$6_{JfBM'KYǦ e4dW,< "s k!vz+2jQ-Nk.|ۃ[usJ,`'6 o6>F"2cX =xS4FUY{N6 )4˧Mϫ΢R=T?6bNm% 1o)%:dkw[i>:Oe;BI<ŷ5_x|Xe֓tk,X̨T*L[ |IGAM6_wsԶeEQ&PL®)JqK;\7Tr$sDs݅ ߠ^ yJ>? T|- 5\6LDRw }J0~N]jV0N&? `nwjښ ˎ0 m'#84C>ܺmQ޺%76x}҂O1Su ѫvl>cx 'Lwe]5&Tc *۳|? Oe Lt4?@&s`܈}olI #O9D/7ag~ r@b]Tn'`wDl .3g4k̜epvRv ?93_rxgsg_(LOWv:mmlP/>yGW}Q'a|dt%+^FzHM`WH؂{XiWe1RpCV)tO!?^RoD7#D**k,^zXտbNnpSGgp#b uu+e!.1:f.XU\(S_7lBTFE[®":u`x];<k{&**2wyXA\XIڙBX<ٰ޳s+o=Љe{0^Op2$82epCikZK 0Dq] XǢȖWqTR:!; /D?8 ciL;acXJXF!&ۅ 7O80Ux|-h\};Mr,S0#ŸEr,IGJ^td'KW̱0_^5FElT$bB}Ay4O>jA@`V\3zf7tZЮsq7MCga+cPXjcL1GY{&L 92lt* X>ˣŬ"D0Ȯ'Z:tsh{h۟XsTBX6c?rf @ýō]^c*a?<#/ah(`yjSSQ2$YSlv,<~v .3JbQ'.t? W{1X74N>~}lKaE e遢%!۝4!ջjɊxY0]\}!l4⍿c014ߛi4VA$摝7yE1um*^(Պ[]jv[W셳Qbm٦di29J{) 1^[)Mj39Q2kGs+q>tgLp -ͱeRZ`l/Z6a.m-#