Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


eEye Spots Unpatched Flaw in QuickTime



 By: Ryan Naraine
2005-11-08
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
The security research outfit flags a "high-risk" code execution vulnerability in Apple's QuickTime media player.

Just weeks after Apple Inc. released a fix for three gaping security holes in its QuickTime media player, a private security research outfit has flagged another "high risk" flaw that remains unpatched.

Researchers at eEye Digital Security warned in a brief advisory that default installations of the QuickTime 7.0.3, the newest version, are vulnerable.

A spokesman for eEye told Ziff Davis Internet News the bug was reported to Apple on October 31.

Resource Library:

Apple plugs QuickTime code execution holes. Click here to read more.

Although the bug could be exploited remotely to launch executable code, a successful attack requires some user action.

"It requires that a maliciously created media file is played," the eEye spokesman explained, noting that the flaw is unlikely to result in an Internet worm.

He said eEye supplied Apple with its preliminary research, which included confirmation of the flaw in QuickTime for Windows. eEye is doing additional research to determine if the Mac OS is affected.

A spokesman for Apple declined comment on the eEye advisory.

Word of the new vulnerability comes just days after an advisory from Apple detailed multiple QuickTime security flaws that could lead to remote code execution attacks.

Those bugs, fixed in QuickTime 7.0.3, were rated "highly critical." In all, the media player upgrade fixed four vulnerabilities, the most dangerous being an integer overflow error in the handling of a "Pascal" style string when loading a ".mov" video file.

This can result in memory overwrite due to a large memory copy, potentially allowing arbitrary code execution via a specially crafted video file.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: eEye Spots Unpatched Flaw in QuickTime
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


x}kw6DىCoٖۚ-nOgw%Bc䐔m%;~bVKZӹ;-`U* wAH Ӟ ǘ[cӑGLzIj}ݻ@BizNU sJe>HwW7nQ;^> \?g#Q;Y|}^~b .hѲ ⌳IlG tyG`azN6O) |@ɠ#ӱCԣzr(˺79h#m#HSKVUBX)ڑx>oچs[=0q*sș|;n>(eUvѻl_HQPw۷@ږVj0n{'ONvy//;YJM~c/DR˅,D>- ,ֳP /kzQҏZ-_ ԊhGZAAv,f3} 3+i3*5dv*?[Zu"uuYf0ZhCA+t?c;sD}yڽ鑳59m}jz GlH  Wh6 N/f O{uH0|kh2`=r8LwjT ?vOZd[W;dp"˧SEt7Q[,.s$B&rZ~@X*,>JAͼ94o o 3NE ;- ujvf5Pko43@_x0Nusns'@kFPYT`6R\ 9lb v!fByM)IK _VPJB-)\Dh+Ԍ$ٛ"G;z̈_"ʥcp1S{n.sd>U<8~vwެu*մ޹-~iQw9qj?^NI{⧋V|߂)WCKEhYf7-wIFꨦUʵt ~~,VRS_WL F̶-a[e)uu}y>#ZG>O=3jY}vi(|I}Ѧޣ87}45 @ Lna V83uCuӹݰ=Wԇ9[i50CGE 6]LR}b;>t9 HhQ0<sx0ܙ[3衟#]ӽ:?a= 0.Z- Be^~}¢8sB7}`t҇&Qc>>x?ɜk) Tt=JIA }At"AђF *4 gscX"C"' `[Xk ab .<ҶBIg RTD;7 KŔ=*%nqR%a 934YIjL=?Fu Q򍜈="`&Qea*0pRx5Qn-`oʑUtDބxlLX,CtH{<7-4a [N@Nu0OiH\U}`9ޟx=~ h? OzuG VV̚s=R.ƃ5‚L;i<͙iÂqj$rTDhL˄r=6`]2'uuK-cys3t7Nm~|FpIN3_hy>grGֶL/ J% jJ=SsA|5i!3L&Ze onД S518 FLqG)'SgFFJ V zh'ѫ>Ug HtlX+nMo?JՍ݋pz1(ەa]jk-T8?Z!d[o|aa1E]QZJKHD@CR)Ե šaY^`(ytMʆТ𧖴|söVUVjnS#SV-iV^Ϛe+ L 4 o`*7`b\0`Ny9tAz[fl.>u  p>h>JeHǝ:~LS CO5,v&Vfj:Y[~2.|O V,'0{ gб3a0익Vׅ]);/xMVpv9Je!6c{i-6ӮWKHLZ`!?RP՘$'i/#Y /9-0cY}6aDm6#(MEZ"=G:@&"C'ѠcD8v_(+ G.szm>UF=3 $#о'hʰeh8`Zzq&$KD(Oܧx&\3atSM副3ۉi0Aq_8R"X @ 4~ч>B SK@'Z``ELs ǖYCǖbTیЂ[|T=OҶ@%УpӞrFVyUB濚?O=~T+BZ=N QQT*8Y+0yϹoǼL]:x /OqQo>+vo?SMwK\ >#]\aQaSƖ]4FXXoH]M;H̎OƚR*%)ϐPc0](*h3saztݛyh dEM]CNxHlW1hv~9N(k58ΓuO#%c#lʂu!WMUm~,n`w]0>AG50qH&{3E689S"uW:KjZSZ+::>j瞏+ӥ ,ć# 4k 0Y[ ⺪TjՂʾ_YiW{%|h#Q `! Kx{ZCA;eSt}tq@l#RaCݜ5m"uy@VIJXhQwl\ڡQm(}nLZ޼?~WӅBo'37 ~ɴavKreH˷"gf o鸙 ֝NM= h˃QaߋCWuRԣo{{C4g?"XWSwgtċ)usC\Դ"hw ĶRsG%D.LqC` H\}PKdQ"Y rrjT GrF2R@BZNbx<'b{H ' aV*S7~.RȓC+cI`q`w0DB*nLGFDccb^f>A*oP@/I6C.:;b4Bޏ.}ﻛi4O}ֽKg͋v!1`~<-~61%z˾NIM$(XNp4q!s'^y{{<=m_; Yu#8-odD4|w/IӽGH}ْWs=ADHN!KrBë<'V:<aShmǛ&a֏5!F襑a3+"m@Ku͙b9kI.Dz=d_5g0Gh4l5/ٿ+[̚_fńBAJΎx(G@RPOh5[#N۽Nst$;3v;$B 0FD_TJi)W4f'uSxv:^79S%j67 EW%'K+ u{--':}mF1џW` e܃*׌Vrh'?n瀐 ׉ NAN ?wZr30y!DnT2 7?xKP -Mu?So4 jGYkNEm{-~=`rrPR)&bz&I;ɨG%uyjtJ1SBt 02H P6,O&e=lI1 iKBih%bbVHRowռܞ6<1ޥ]ƙBƗHΖf̗4.נf'+ `->#+y-EY-V6y;qz])LU9$y/uϏZEbݙms==vc%vd:Gw*b9,_빿=hrrӅ[ey$smCgLرD}4%/5g3 \:`A)cn ~Uު9Gqܘx,3ug[f1vfGP >I>]bwP;_zŞYiIu/K\-"Pn'ZZ|+U@< b]_ I{Oz[6N Ģ762cŸA!{zeNj&X r?4hgazc{ƹ39x <v<.߭[ݚ8)<A~A< vD4);7yΛz}hn;d⫆ܖM õcV`j8$$\}5 ߊ;bE#Ɠt-ۊc򽵢rpf:ip*9_P߅ M{fr+ 7~=nɸ!E'͖xLM>_'p5dnV،SLsQWR Lt/t;cXbiߟRr67Lt.>icO+[FC$wG <#`8t<-0Dz<+RGی\xH;Aփk9fǢ)X1MCGR- [c6Pkq-nO#M/ʬ*-^I7M .,$q[zȏ)"A \'9QgmxmYEU$-_ULIܱ@*,q#!`1A*^2Ųeŝ\irIŹlYc:"knA *+_:BxK$U24 X)!n a@˻ZXz1W/M+tüե2Z^ )?fW~<z=̆`XHc-G{yזpfwm%IdBT^i/(W2x;aخޖ#b V-*݄ y4EꛮԛRlfvW=N4ht n(mƪh{1o";m_DmW0+ |7?{h/r{_}!Ώ.rK/=i^>[7R{UE:.]Q]7zgޢ ]ЕcT*jJm  o` [ a | lD-'W6%$"r/eKN|yXvqM1ƴzSZF$2A61R ?n I@Bm0(,6B -DvĻ [E5me}ڒ.N oë06`k3IǠL_Y<4u 8%g%,pKpI% H'$tdE`1}|{J5c~}}}}^ 4lҼJmyrm1KeiYA12|@ !fgaY}ilk#ŵmwߍLǴ}$iDO)?Tr[[jyC Y^D—ih5/lc65ȆwxH8Ï>b ixIՂrfHµǞ IC[',GBx_[z8D 4B4ڗvY[Cy Hm<샪-oxbsÔNJ uʋ U0! v0iQ>9wZfy^ Q쮽bl5kFFEX}tl9,q8洃P_lfKLUEo| .zq mll[s,:,J $Օnr&ΠRzJxEܱkx;0G\e@~#d4su\ݲ&⫽Jh;ŗ{[dp=#Lc.NcۍR *D9 Ml߼ ۩iLfERso Zߦm_ma}^eA/{*淵GgT[C6%eb5>KpjlCo؂_ FRˬ$I3Ʊ+}_8cET1̭-2dn1VᶀHB yA|`߱1_Apx@ۘ]"ҶZ̒\׷81X?̫״d=IÙF Q{8R[xA!51^)SlwTa1${7~)@( x}-'Ӫ=D(XK|b>QiH :-Fr41Rx@$Ů,@a]IYx =M).al+?P}fɷvw1^c&Y2UȏS QEd̙xnGWh¤t'O|o$D2~(^6Ax8n UK{Wr{[$Ԏb!jv{"bTQ]kN9-0? ol*n?mE~_*t^qO Pb!QO4#|ȮHAwP^я TeQO^t ]D a%0-cWF%5z J 0+yCX^qGN3&j4cu\]SS[7bZ/U[+W#rd! `,%7vya `8(ĒAGO]x(h#8iLʃqR aeS,Y4ƣK711\R'RSK.}KRG*+N+ߥtW BZcěVWes[ɣ.j",jD#0Z`>bTy G<)fF<w>!ɣ`58?mJvn&*m'hzBRKo^;G'ܬTMd. n߮sG܀<')ڢ RDXDuB1[+x6_j~ЛR.gI*]Z 0>2lW-TH+(%\z`u_8ZՔV-`{tȊ*LJ{*=ktv s§,TO䲈֞uvücn?y r Y 4x H k|g)xMG J6_K>&W#g( G+j1[ w5+rQT t|X]KjL_"|ͱrfs[O%~юMUbtm-R^@II -gw~1~"js{-aeYKYqc[RJBYIc4K":;Mf 纭ۦ~ lG"a߶~m9`VŘMZøjU!TQ b$O_ňR>fD+9mCW1h=୤q1 \TbЭB1˪M;InP}sY?e=` 'IoRGP56_:iX fC.[7No]*!;p樯Mdg:L̅a] {t CO 2d|<ayd4u07{χ\o|J7[>B8!i.t[7/{JM)`#}~! 6LF Df¤"c*41GJ[#}ɹcMZӄpxX0!,YC)J~x&iipb1Ř!&"=lFLN?tc< +&(?,q E {GLƙ;fQs ˿IS*N.JgUEt037  c!♘z)%n67p>9 [,af4:`F"O-x})lH < 23LkR>ɖàzEQp#ߛSg0Y-غ9P;tɉcdhw>N)N^^ZǼA 'M&7bQN{5Bx_mv;CF/PKF5_o.?i63ʻP(GNo.?2Ods,>3#\~5ۛۧF4gڗvF?rPysyw2l׸ " {A E}. /?/2"?QF/32ϡe )~7P~U{7MF77$)cf5pvJEsQ^53T}~)Pg5(ge3Vڍna{Ar!{e_/C@q}u=M+ťW*7YKxM}%kkF1nvd}WG{1:,y& r hxVydb bye?VPw;]CҤ]z.{%])W[O'ikr(%s<2g)h{U2̉#{"eނb>| #rݶ=Mԝy.omG;yh#62"X;Yo)P/CS$CgeA:*k6:5TQ3[ ňC?s HziG>Rq6v3{xuCZחY>Y"x}s&pN!3J81|fZ g8a箩%gWCtJ {4"q&``d@R'9w>EM++J9wWrDĴdQL`FTMVYI0ZYrF(RB4|O۴W)]7tCsc<{+4аY-}"z5~L@NL6"/cA6of)3^8,{|y؛ގe@?o9Xj-/#RgQW!+\ș6mc5q) ?dD:G̔q8Ss#ӄwY!DӸx4@;4Dʹ)9P3G)b|337rB΄[6пCLs%(MLy603F@ B`G:՞/ [2FlX jXJr\M:mx'G⤰Erly0%63wHzP,cV}+"0 ;VWӄ./'".ipxx) " n+QULZDAi$ś04FGjb5spa3 Ӯ}r 1-X&֠}ֽFӴFo"9ţ:aс(Yc{XnD82sx 2&6uc7AHh10'OtE.mc6H[8=ۺ9l؆"0w]Ww-~~K5 D 9bH'[u](᧦Ϯ``B~".'%лx^B.;4mF26Xq?Ih"v]#6 R Ň%?1Ӟ?]ex`礷LxׁƇ ?>KGJ Ǝ$z S߂93r^ ɡOYl@O 0Wd]fA_f|bOh޳Zo/TùLHK7;}Ǧ e4`7H,< "s k!v+ޢԱ"䴯Hϱ=u`<=;hPxUE'0P$=Cf Kӗ?Qcd4 xzA߭Ud#ə B| ,+- O*)bNm% 1o)%&okv[h* b9?v"ㅰx/!Z^y|XT ,sD?>K:[31U)֒_W2y9=|En[~QڗE@1agG(HYUҎ_Nw. ?!#R.ܐOF{)0Bniy㲁e"}`3 s"Ttr!,ML[Kx?;wa3F)f'NFp)hN<}y?٢ u+ğ? \ cwHVLt>;OulםW (|x@NlMކ.1ue|nHHU֧f2{M{:з57d([|ӽނ4ܨNAeVb0yMvSFߟ2"L- Ӣ?3g(\*],1Ał?qLw99 3/&u@EqDgPyGmm<^|:y-E{Ofuݍ2ZWtmk]#+b 1Cc]R>Ŕ+ ]'[ۧ3й?-{ף/e;.]_X (K#LwEΠ8uF얢u.nD{~w1Ǹ 0tcz7^?Wg[8KIZ epCikZ+ 0DqS XǢVWqTR:!; /D?8 ciL;acXJ ,oԛ'TS*4.v>ϝ>Z\99ZpϢq9q3E~#VW.^sotl#"|f`*H%hw2b59Ӟ_yfOȅ^`\YG7^sr1^ʳe_:k^;yH%D=C QFK+O(QF2~?\S|tcoɇݏRXBYZP$Di+ AHcɊxY޿`(XECh⍿c0146]ӨZY$I#;ov[b$- U.IM)V []jv[W셳Qbm٦d Ui29Z{) qU֫4>!an-nǝl| n%96L]_[ PK9}'