Apple Releases Patch For Its QuickTime Flaw
Apple released an update for QuickTime on May 1, 2007. It fixes the security hole that helped hack a MacBook at the Vancouver conference.
The vulnerability is in the QuickTime for Java code of the media player, according to Apple's security alert. An attacker who lures a user to a malicious website can exploit the flaw and gain full control of computers running Mac OS X or Windows, the Mac maker said.
Secunia, the security monitoring company, rated the flaw "highly critical", one level below its most serious rating. The QuickTime 7.1.6 update performs additional checking to fix the problem. Apple credited bug discoverer Dino Dai Zovi and TippingPoint's Zero Day Initiative for reporting the vulnerability.
The vulnerability stems from an error in how Apple QuickTime handles Java. The flaw may permit reading and writing beyond the bounds of the allocated memory, the Apple advisory noted. It can be exploited when a user opens a malicious website in a Java-enabled browser, which includes Microsoft's Internet Explorer, Mozilla's Firefox and Apple's Safari. The bug can also affect Windows Vista via IE7.
There has been no exploit code so far, but one can expect some very soon, said Dmitri Alperovitch, a principal research scientist at Secure Computing, in an interview published by InformationWeek on May 2, 2007. Comparing the patched code with the vulnerable version can reveal where the flaw lies, Alperovitch continued. He said he didn't expect a large number of users to upgrade quickly, so many would remain targets for exploit writers.
Terri Forslof of TippingPoint told InformationWeek that Apple's ability to develop, test and release the patch so quickly was really impressive.
On May 1, 2007, Apple also issued a revised version of a security update it had introduced in April. Version 1.1 of the original update 2007-004 fixes two problems in the original patch that could cause wireless connections to drop and allow some FTP users to access more on an Apple FTP server than their privileges permit, Apple said in a separate alert.
Related article: Apple Patches QuickTime 13 Month Old Flaw
SPAMfighter News - 08-05-2007