
zero-day posts

Filed under: Multimedia, iTunes, Security

Zero-day exploit for QuickTime in the wild

A hacker who found a vulnerability in QuickTime said he posted the attack code online after Apple ignored him for a month.

The code exploits a flaw in QuickTime that causes a crash when an unusually long parameter is passed along with a movie file. While it's not demonstrated, the hacker claims that "code execution may be possible."

On Leopard, address space randomization makes it more difficult to turn such a crash into code execution in the memory left behind afterwards. Earlier operating systems (like Tiger and Panther) may still be vulnerable.

Apple hasn't released any guidelines to avoid the problem, as it does in high-risk cases. Intego, in a press release, considered the risk "low" and will be updating its VirusBarrier X5 software if someone creates malicious software based on the attack technique.

Even though the risk may be low, an abundance of caution is always advised. Be careful when opening (or clicking links to) QuickTime files from sources unknown to you. In the past, phishing/malware attacks have been delivered as fake QuickTime or Windows Media codecs, so remember that any executable file you download from an unfamiliar source may be suspect.

[Via InformationWeek and IDG.]

Filed under: Internet, Security

Safari 'carpet bombing' exploit could be serious

A zero-day vulnerability in Safari that could litter a user's desktop (or downloads folder) with arbitrary files is a serious security flaw, argues ZDNet, and not a mere "annoyance" as Apple claims.

In theory, a user must click a link to visit a malicious website that can begin downloading arbitrary files (including applications) to the user's computer without their permission. The problem affects both the Windows and Mac versions of Safari.

Researcher Nitesh Dhanjani reported the flaw to Apple, which promised to patch it in a future release of Safari. ZDNet and StopBadware.org contend, however, that a patch should be released immediately.

It's old advice, but it bears repeating: be careful of the links you click, and know where they go before you click them.
