Apple Releases 7.3.1 Update to Patch QuickTime Flaws
Apple Inc. repaired a number of flaws in QuickTime by issuing patches on December 13, 2007. One of the flaws is a media vulnerability that has existed for three weeks now. Exploit code for the vulnerability has also been circulating since late November 2007.
QuickTime 7.3.1 fixes three critical flaws in QuickTime. Criminals have already waged attacks using one of these flaws. The security update has been delivered through Software Update on Apple's operating systems such as Panther, Tiger and Leopard, and on Windows.
Of the QuickTime flaws, the most critical one is in its implementation of RTSP, i.e., the Real Time Streaming Protocol, which is used to play video and audio online. The flaw was disclosed to the public on November 23, 2007, and after the end of the month attackers started to exploit the vulnerability to launch attacks. By enticing potential victims into visiting a malicious site that exploited the vulnerability, hackers managed to install malware on the user's computer.
So far, these attacks have targeted systems running Windows, but according to security experts, users of Mac OS X are also vulnerable. Apple designed fixes for both Mac OS X and Windows on December 13, 2007.
Security researcher Krystian Kloskowski from Poland and another expert who used the alias InTel remarked that only QuickTime running on Windows Vista and Windows XP SP2 was vulnerable. However, within a few days, some other experts confirmed that even QuickTime for Mac was buggy. ComputerWorld published this on December 13, 2007.
One more critical flaw that has been patched relates to QTL, i.e., the QuickTime Media Link file format used for media playback.
A number of similar flaws in how QuickTime handles Adobe's Flash media format have also been patched. The more severe of these bugs could allow attackers to execute unauthorized software on victims' PCs, in the same way that the RTSP flaw does, Apple declared.
Apple said that exploitation of the vulnerabilities it has patched could allow execution of arbitrary code, where an attacker injects malware to hijack a system. Unlike other vendors such as Microsoft, Apple does not have a flaw-rating scale.
» SPAMfighter News - 28-12-2007