Article

Apple fixes critical QuickTime flaw

Bill Brenner, Senior News Writer

Apple has fixed a flaw in its widely used QuickTime media player that left users' machines open to bot infections. The flaw was first disclosed at the start of the month when the vulnerability researcher known as LMH kicked off his "Month of Apple Bugs" project.

Requires Free Membership to View

In a posting on his Apple Fun blog, LMH described the flaw as a stack overflow error that surfaces when the program handles a malformed "rtsp" URL. To exploit this, attackers could set up a malicious Web site and lure users there. Or, they could trick users into opening a malicious .qtl file.

Apple confirmed those findings in its security advisory 2007-001.

"By enticing a user to access a maliciously-crafted rtsp URL, an attacker can trigger the buffer overflow, which may lead to arbitrary code execution," Apple said. "A .qtl file that triggers this issue has been published on the Month of Apple Bugs web site. This update addresses the issue by performing additional validation of rtsp URLs."

Apple said the security update is available for QuickTime 7.1.3 on Mac OS X 10.3.9, Mac OS X Server 10.3.9; Mac OS X 10.4.8; Mac OS X Server v10.4.8; and Windows XP/2000.