Zero-day exploit for QuickTime in the wild

A hacker who found a vulnerability in QuickTime said he posted the attack code online after Apple ignored him for a month.

The code exploits a flaw in QuickTime that causes a crash when a unusually-long parameter is passed along with a movie file. While it's not demonstrated, the hacker claims that "code execution may be possible."

With Leopard, address space randomization makes it more difficult to execute code in memory spaces left after a crash. Earlier operating systems (like Tiger and Panther) may still be vulnerable.

Apple hasn't released any guidelines to avoid the problem, as it does in high-risk cases. Intego, in a press release, considered the risk "low" and will be updating its VirusBarrier X5 software if someone creates malicious software based on the attack technique.

Even though the risk may be low, an abundance of caution is always advised. Be careful when opening (or clicking links to) QuickTime files from sources unknown to you. In the past, phishing/malware attacks have been delivered as fake QuickTime or Windows Media codecs, so remember that any executable file you download from an unfamiliar source may be suspect.

[Via InformationWeek and IDG.]

View Tags

Source: http://www.informationweek.com/news/security/vulnerabilities…

Categories

Multimedia iTunes Security

A hacker who found a vulnerability in QuickTime said he posted the attack code online after Apple ignored him for a month. The code...

Add a Comment

Sign in »

4 Comments

Filter by:

Paul

Wait, a multi-billion dollar company doesn't answer every little e-mail it gets, and so the responsible thing to do is get huffy and post damaging information that could potentially inconvenience millions of people?

Smooth. Ethical. Mature. Jerk.

September 19 2008 at 11:21 AM Report abuse Permalink rate up rate down Reply

Jesse

Actually, Address Space Layout Randomization (ASLR) was never fully implemented in Leopard. So little of it was, that it may as well not be in there at all.

I was rather disappointed to learn of this, after the promises by Apple.

The Matasano blog posted some technical details about a year ago:
http://www.matasano.com/log/986/what-weve-since-learned-about-leopard-security-features/

(Numerous others have corroborated the findings, but that was the first link I had handy)

It's time to end the delusions of OSX security. I love the OS, but Apple has been very lucky in that it's avoided scrutiny for this long. There are plenty of technologies available, and there's no reason that they can't spend a little money on this before it really becomes a target. Every other OS has gone through it, and ours will be no different.

September 19 2008 at 12:18 AM Report abuse Permalink rate up rate down Reply

SpinThis!

"Code execution may be possible." Oh really? You know, if you want to get Apple's attention, get some code to execute otherwise it's just another browser crash. Apple is either not taking this seriously or more likely, they've looked into this and considered it's not really a serious threat and it's on the bug-fix list.

It's amazing the number of anti-Apple people who sneak out of the woodwork every time some hacker finds a little bugâ€”no matter how severeâ€”and spouts FUD about how insecure Mac OS X or how it'll become the virus-laden minefield that Windows is if the user base ever grows.

Some concern is definitely merited, especially with the already released open source software Apple bundles with the OS. In some aspects Apple is a couple versions behind what the latest point release is and usually all it takes is a recompile to get up-to-date. I agree with the articleâ€”Apple could take security a little more seriously but this is hardly front-page news.

September 18 2008 at 2:34 PM Report abuse Permalink rate up rate down Reply

alansky

Curiosity killed the cat!

When will people learn not to open unknown downloads, not to click links embedded in email messages... This is not exactly rocket science!

September 18 2008 at 1:34 PM Report abuse Permalink rate up rate down Reply