Apple updates QuickTime, fixing a number of remote code execution flaws. One security researcher expects malware writers to launch exploits via drive-by attacks.
A new version of QuickTime
plugs security holes
that leave users open to remote code execution attacks
In Version 7.6
covered seven such flaws that could be exploited by malicious media files or
other techniques. The upgrade is available for Mac OS X v10.4.9 - v10.4.11 and
Mac OS X v10.5 or later, as well as for Microsoft Windows Vista and Windows XP
SP2 and SP3.
Several of the bugs involve heap buffer overflows. One lies in QuickTime's
handling of RTSP (Real Time Streaming Protocol) URLs. According to the
advisory, accessing a rogue RTSP URL may lead to a crash or arbitrary code
Another lies in how QuickTime processes AVI movie files that could also
lead to either a crash or remote code execution. The update fixes the issue
through improved bounds checking.
Two other heap buffer overflow bugs exist in QuickTime's handling of THKD
atoms in QuickTime Virtual Reality movie files and its handling of JPEG atoms
in QuickTime movie files. The final heap buffer overflow is due to a signedness
issue involving the use of Cinepak encoded movie files that can be exploited by
rogue movie files.
Other security flaws in the update are a buffer overflow that exists in the
handling of MPEG-2 video files with MP3 audio content, as well as a memory
corruption issue that can be exploited by malicious H.263 encoded movie files.
QuickTime is no stranger to malware authors. Andrew Storms, director of
security for nCircle, expects malware targeting these flaws to surface as
"Any user watching Internet videos with QuickTime could easily become
infected with a single click," Storms said. "You don't have to look any further
than yesterday's huge Internet audience watching [President Barack Obama's]
inauguration online to get a sense of the potential impact of these
vulnerabilities. Web video has huge potential for every malware author."