Several critical security holes in Apple QuickTime
With QuickTime 7.3.1, Apple is closing one known and a number of new critical security holes through which a computer can be infected with malware. A buffer overflow can be triggered by manipulating the Content-Type header in an RTSP data stream and exploited to inject malicious code into the attacked system. The hole has been known for three weeks and has been actively exploited for almost two weeks to compromise the systems of visitors to specially prepared Web sites. Whether the attacks are aimed only at Windows users, or whether Mac users are also targeted, is not known.
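For defenders watching RTSP traffic, the following added example (not from Apple's advisory or the original article) checks the Content-Type header of an RTSP response for abnormal length or shape. The 128-byte limit, the function names and the sample messages are assumptions made for illustration.

```python
# Added example: flag RTSP responses whose Content-Type header looks abnormal.
# MAX_CONTENT_TYPE_LEN is an assumed threshold, not a value from Apple's advisory.
import re

MAX_CONTENT_TYPE_LEN = 128  # assumption: legitimate media types are far shorter
# type/subtype with optional ;param=value pairs
MEDIA_TYPE_RE = re.compile(
    r"^[\w.+-]+/[\w.+-]+(\s*;\s*[\w.-]+=(\"[^\"]*\"|[\w.+-]+))*$")

def parse_rtsp_headers(raw: bytes):
    """Return (status_line, [(name, value), ...]) for one RTSP message head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:   # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def check_content_type(raw: bytes):
    """Return a list of findings; an empty list means nothing suspicious."""
    status, headers = parse_rtsp_headers(raw)
    findings = []
    if not status.startswith("RTSP/"):
        return findings                           # not an RTSP response
    values = [v for n, v in headers if n == "content-type"]
    if len(values) > 1:
        findings.append("duplicate Content-Type headers")
    for v in values:
        if len(v) > MAX_CONTENT_TYPE_LEN:         # length check runs before the regex
            findings.append(
                f"Content-Type length {len(v)} exceeds {MAX_CONTENT_TYPE_LEN}")
        elif not MEDIA_TYPE_RE.match(v):
            findings.append("Content-Type is not a well-formed media type")
    return findings

# Constructed sample responses (not captured traffic)
BENIGN = (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n"
          b"Content-Length: 0\r\n\r\n")
OVERSIZED = (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: " + b"A" * 4000 +
             b"\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for label, msg in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(label, check_content_type(msg))
```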
With its update, Apple is also eliminating a heap overflow in the processing routines for QTL files, through which code can similarly be introduced and executed with the user's rights. Finally, the Flash Media handler of QuickTime has a number of security holes, at least one of which can be exploited to put a system under remote control.
According to the security advisory, the update does not rectify the actual holes, but disables the Flash Media handler. The handler is only allowed to process a restricted number of QuickTime films known to be safe. Apple does not explain precisely how this is supposed to work. The Flash handler has been a component of QuickTime since version 4 and enables Macromedia Flash SWF 3.0/4.0 files to be embedded as a track in a QuickTime film.
QuickTime 7.3.1 for Windows (Vista, XP) and for Mac OS X Panther, Tiger and Leopard is available for download. Mac users have to download 50 MB, Windows users only 20 MB.
Because of the number of holes in QuickTime that have become known this year, it currently looks like by far the most dangerous tool for playing back videos and music. Although a problem with Windows Media was eliminated on the last Microsoft patch day, statistics from the SANS Institute show far fewer holes in Microsoft's media player.
- About the security content of QuickTime 7.3.1, the security advisory from Apple