Fixture of QuickTime Flaw by Apple Commenced “Month of the Apple Bugs”

On January 23, 2007, Apple launched a patch for a major security flaw in its QuickTime media player software. The fix has been released publicly after 23 days of the hole, together with thorough attack code. The publication of the patch kicked off the "Month of the Apple Bugs" project that has been issuing novel Apple software bug everyday in January.

Apple, based in Cupertino, said that Security Update 2007-001 - its initial security update of 2007 - plugs a flaw where users of QuickTime visiting malevolently designed sites could fall prey to arbitrary code execution.

The Company gave more information on the bug page: A buffer overflow is present in the handling of RTSP (Real Time Streaming Protocol) URLs by QuickTime. By luring a user to access a malevolently designed RTSP URL, a hacker can initiate the buffer overflow that may result in arbitrary code execution.

The Company posted an example of the flaw this patch fixes on the Website of Month of Apple Bugs. It means that although there are no reports of this flaw being exploited, there is a case study readily available for all to look at.

The susceptibility impacts Mac OS X 10.3.9, Mac OS X Server 10.3.9, Mac OS X 10.4.8, Mac OS X Server 10.4.8, and Windows 2000/XP. The patch is recommended for use by all users and is available from Apple's website for free.

One of the bug searchers behind the "Month of the Apple Bugs" stated he is shocked by the time Apple took to fix the vulnerability. 22 days for a distant issue, which results to code execution at once is insane, said the pseudonymous LMH in his interview through instant message, reported CNET News. He further said that there was already a flaw that was being exploited in targeted strikes.

The "Month of the Apple Bugs" is an endeavor by security experts to improve the Mac OS X operating system of Apple, revealing and hunting for security vulnerabilities in different editions of its software and 3rd party applications.

Apple has reported that it knows about the project but chose not to comment further except security of users is taken very seriously at Apple and they have a great record of tackling possible flaws before they can have an effect on users. It added that the Company is always open to feedback on improving the security of Mac.

» SPAMfighter News - 1/25/2007