Apple fixes critical QuickTime flaw



Bill Brenner, Senior News Writer

Apple has fixed a flaw in its widely used QuickTime media player that left users' machines open to bot infections. The flaw was first disclosed at the start of the month when the vulnerability researcher known as LMH kicked off his "Month of Apple Bugs" project.


In a posting on his Apple Fun blog, LMH described the flaw as a stack overflow error that surfaces when the program handles a malformed "rtsp" URL. To exploit this, attackers could set up a malicious Web site and lure users there. Or, they could trick users into opening a malicious .qtl file.

Apple confirmed those findings in its security advisory 2007-001.

"By enticing a user to access a maliciously-crafted rtsp URL, an attacker can trigger the buffer overflow, which may lead to arbitrary code execution," Apple said. "A .qtl file that triggers this issue has been published on the Month of Apple Bugs web site. This update addresses the issue by performing additional validation of rtsp URLs."

Apple said the security update is available for QuickTime 7.1.3 on Mac OS X 10.3.9, Mac OS X Server 10.3.9, Mac OS X 10.4.8, Mac OS X Server 10.4.8, and Windows XP/2000.