Apple Patches 13-Month-Old QuickTime Flaw

Apple updated the Windows edition of QuickTime on October 3, 2007 to fix a year-old vulnerability that, according to critics, it had not noticed when it patched its online media player in March 2007.

Apple has described the malicious exploitation of the flaw in .qtl (QuickTime Media Link) files as a command injection issue related to the way the media player handles URLs.

If an attacker succeeds in getting a user to click on a crafted file, he may cause an application to be launched with command arguments he controls, thus allowing execution of arbitrary code. The new update fixes the issue by improving URL handling, Apple said in an advisory released on Oct 3, 2007. ZDNet reported this the same day.

This is Apple's second attempt to fix the vulnerability. Earlier in 2007, after the bug was discussed in the Month of Apple Bugs project, Apple released QuickTime 7.1.5 with a patch that proved inadequate.

The patch applies to people using QuickTime 7.2 on Windows XP SP2 and Windows Vista, and fixes the vulnerability tracked as CVE-2007-4673.

The update rectifies a QuickTime flaw on computers running Windows Vista and Windows XP. UK researcher Petko Petkov discovered the flaw and first reported it in September last year. In September 2007, Petkov posted proof-of-concept code for the flaw on the Internet because Apple had not responded to his e-mail messages. A number of the samples posted on the Web combined a bug in the Firefox browser with another in QuickTime to launch a drive-by attack that could invisibly take over a computer.

About a week after the release of Petkov's exploit code, which affected Firefox users, Mozilla issued an updated version of its open-source browser to block code-execution attacks through QuickTime.

Apple said the vulnerability is not present in the Mac OS X version of QuickTime.

The updated QuickTime is available for download from Apple's website, or through the Software Update utility that comes with Apple's iTunes music software and the Windows version of the player.

» SPAMfighter News - 17-10-2007