Zero-day exploit for QuickTime in the wild
A hacker who found a vulnerability in QuickTime said he posted the attack code online after Apple ignored him for a month.
The code exploits a flaw in QuickTime that causes a crash when a unusually-long parameter is passed along with a movie file. While it's not demonstrated, the hacker claims that "code execution may be possible."
With Leopard, address space randomization makes it more difficult to execute code in memory spaces left after a crash. Earlier operating systems (like Tiger and Panther) may still be vulnerable.
Apple hasn't released any guidelines to avoid the problem, as it does in high-risk cases. Intego, in a press release, considered the risk "low" and will be updating its VirusBarrier X5 software if someone creates malicious software based on the attack technique.
Even though the risk may be low, an abundance of caution is always advised. Be careful when opening (or clicking links to) QuickTime files from sources unknown to you. In the past, phishing/malware attacks have been delivered as fake QuickTime or Windows Media codecs, so remember that any executable file you download from an unfamiliar source may be suspect.
Software Updatesmore updates
- Apple Remote Desktop updated with Yosemite support
- OS X Yosemite 10.10.2, iOS 8.1.3 updates now available
- Sports Illustrated 120 SPORTS channel comes to Apple TV
- Logic Pro X update brings AirDrop support, new effects, tools, and more
- Parallels Access 2.5 released, adds file manager, computer-to-computer remote access
- The Google Translate iOS app is about to get a lot smarter