In association with heise online

02 May 2007, 12:51

Apple patches up QuickTime and April update

Apple has released a QuickTime 7.1.6 update that should close the critical security hole discovered around 10 days ago during a Hack-a-Mac challenge. The hole was caused by inadequate filtering of parameters passed through a browser's Java Virtual Machine (JVM) to the toQTPointer routine in the QuickTime Java extensions (QTJava.dll). This meant that an attacker could use prepared Java applets on a website to access a PC's memory outside of the allocated domain, and use this to inject code and execute it on the computer.

As the error was based in QuickTime, it didn't matter whether the user was visiting the webpage in Internet Explorer, Firefox or Safari, according to Dino Dai Zovi, who discovered the hole. QuickTime versions for Windows and Mac OS X were affected. TippingPoint wrote in its error report that Windows Vista may also be affected, although there is currently no Vista version of QuickTime.

Apple also released an update of the previous April 2007-004 security updates for Mac OS X 10.3.9 and 10.4.9. The update solves two problems caused by the old patches: the AirPort driver losing its connection after waking from sleep, and the FTP server enabling registered users to get access to data outside of the normal scope. The fault came down to a defective configuration file. The new version 1.1 also contains all the patches from the previous 1.0 update.
