Article

Apple fixes critical QuickTime flaw

Bill Brenner
Apple has fixed a flaw in its widely used QuickTime media player that left users' machines open to bot infections. The flaw was first disclosed at the start of the month when the vulnerability researcher known as LMH kicked off his "Month of Apple Bugs" project.

    Requires Free Membership to View

In a posting on his Apple Fun blog, LMH described the flaw as a stack overflow error that surfaces when the program handles a malformed "rtsp" URL. To exploit this, attackers could set up a malicious Web site and lure users there. Or, they could trick users into opening a malicious .qtl file.

Apple confirmed those findings in its security advisory 2007-001.

"By enticing a user to access a maliciously-crafted rtsp URL, an attacker can trigger the buffer overflow, which may lead to arbitrary code execution," Apple said. "A .qtl file that triggers this issue has been published on the Month of Apple Bugs web site. This update addresses the issue by performing additional validation of rtsp URLs."

Apple said the security update is available for QuickTime 7.1.3 on Mac OS X 10.3.9, Mac OS X Server 10.3.9; Mac OS X 10.4.8; Mac OS X Server v10.4.8; and Windows XP/2000.


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: