updated 10:20 am EDT, Wed April 25, 2007
QuickTime flaws unpatched
Security researcher Tom Ferris of Security-Protocols.com has revisited two old vulnerabilities in Apple's QuickTime software that the company never got around to patching. The researcher, who has discovered numerous bugs in Mac OS X, says the zero-day flaws could allow attackers to make QuickTime stop responding or execute arbitrary code as the user. One of the flaws is more than a year old with no patch released to fix the issue, according to Ferris. "Maybe all of the developers are working on the iPhone?" The first flaw which was originally reported on March 28th of 2006 comes in the form of a heap overflow vulnerability within QuickTime 7.1.5 and all prior versions when users access a malformed .mov file. The second, which was originally reported on November 17th of 2006, is an integer overflow vulnerability in QuickTime 7.1.5 and all prior versions when users play a malformed .MP4 file.