IT Security & Network Security News & Reviews - eWeek



IT Security & Network Security News

QuickTime Movies Are Vector for System Hijacks


By: Lisa Vaas
2007-07-12
Article Rating:starstarstarstarstar / 0


There are  user comments on this IT Security & Network Security News & Reviews story.


There are eight security flaws that allow tainted QuickTime movies to lead to sensitive information being stolen.

Tainted QuickTime movies can get a system hijacked or lead to sensitive information being stolen due to eight security vulnerabilities in Apples movie-viewing software.

According to Apple, the first problem is caused by a memory corruption error when processing a malformed H.264 movie. H.264—also known as MPEG-4 Part 10 or AVC (Advanced Video Coding—is a standard for video compression.

If a user were to view a bogus H.264 movie, it could lead to either the application quitting or a targeted system being laid open to arbitrary code execution.

The second vulnerability is caused by a memory corruption error when processing a malformed movie file, which could be exploited by attackers to execute arbitrary code by tricking a user into opening a malicious file, the Cupertino, Calif., company said July 12.

Another QuickTime bug involves the handling of .m4v files and also may lead to unexpected application termination or arbitrary code execution. The problem is an integer overflow vulnerability.

QuickTime also has a problem with handling SMIL (Synchronized Multimedia Integration Language) files that again could lead to system takeover. SMIL is a W3C-recommended XML markup language for describing multimedia presentations. This, too, is an integer overflow issue.

QuickTime for Java is the source of a fifth issue. This problem, which is a design issue, could allow disabling of security checks so that a victim can be lured into visiting a site that serves up a malicious Java applet. After that, an attacker could take over the targeted system.

The sixth issue is also a design error in QuickTime for Java that can be exploited by malicious Java applets to bypass security checks and read and write process memory, leading to arbitrary code execution.

Click here to read more about Java security problems found in QuickTime.

The seventh issue is yet another design error in QuickTime for Java. This one involves certain interfaces being exposed by JDirect, a Java-to-native library. Again, the risk boils down to system takeover, according to Apple.

The eighth vulnerability is also caused by a design error in QuickTime that could be exploited by attackers to capture a clients screen content by tricking a user into visiting a specially crafted Web page.

Apple has issued an update, QuickTime 7.2, to fix all of these security problems. It can be obtained from Apples downloads site or via Apples automatic software update.

For more details, check Apples product security site.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.







 
 
>>> More IT Security & Network Security News & Reviews Articles          >>> More By Lisa Vaas
 


FEATURED SPONSOR VIDEOS

Benefits of Workload Optimization

What Smart Companies MUST Learn from Gaming

Advances in Authentication

Vertical Markets Benefit from Workload Optimization

View More Videos

Brought to you by
Advertisement

FEATURED SPONSOR MESSAGE

Start the New Year with business intelligence—it’s a smart move

Join us on February 1 for an encore rebroadcast at either 5 am or 12 noon EST and discover how business intelligence (BI) supports companies in uncertain business and economic climates. Get expert advice on how to create a strategy that fits your organization's needs and budget and see how quickly it can pay for itself.

Click Here

Brought to you by
eweek digital

Suggested Related Content:

Articles Labs/How-To Multimedia


Advertisement
 
APPLY FOR A FREE 
SUBSCRIPTION BELOW:
>Try digital eWEEK
>Renew today
>Subscription help
>More FREE Subscriptions
First Name:Last Name:
Title:Company:
Address:City:
State:Zip Code:
Email:
Issue Index | Contact Us | About | Advertise | Magazine Customer Service | Site Map
eWEEK Quick LInks

Security:
Enterprise Networking
Network Security
Infrastructure Security
How To: Data
Security Watch Blog
Storage:
Data Storage
Cloud Storage
Storage Virtualization
Network Access Storage
How To: Storage
Storage Station Blog
Computing:
Apple OSX
Linux Systems
Windows 7
Managed Print Services
Computer Reviews
Microsoft Watch Blog
Google Watch Blog
Communications:
VoIP Solutions
Wireless Technology
Messaging Software
Web Services
Apps & Development:
Application Development
Enterprise Apps
Search Engines
Database Software
Web 2.0
CIOs

Vertical Markets:
Federal Government IT
Health Care IT
Finance IT
Mid-Market
Channel and VARs
Careers Blog
More eWeek Links:
Green Computing Center
Tech Knowledge Center
Tech Newsletters
Tech RSS Feeds
White Papers
Tech Videos
Magazine Subscriptions
Enterprise Websites:
ZDE Home
eWeek
Baseline Magazine
Channel Insider
CIO Insight
eSeminars and Events
Web Buyers Guide
Developer Websites:
DevSource C# and .Net
Dev Shed
DeveloperShed
ASP Free
SEO Chat
Codewalkers
Tutorialized
Scripts.com
Dev Mechanic
Dev Articles
Web Hosters
Dev Hardware
Technology Websites:
Device Forge
Desktop Linux
Linux Devices
Windows for Devices
PDF Zone
Linux Watch
TechDirect
Windows Migration
Smarter Technology

Use of this site is governed by our Terms of Use and Privacy Policy
Copyright ©1996-2012 Ziff Davis Enterprise Holdings Inc. All Rights Reserved. eWEEK and Spencer F. Katt are trademarks of Ziff Davis Enterprise Holdings, Inc. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Enterprise Inc. is prohibited.
ZDE Cluster 5