AAPL Stock: 117.81 ( -0.22 )

Printed from

Two zero-day QuickTime flaws remain unpatched

updated 10:20 am EDT, Wed April 25, 2007

QuickTime flaws unpatched

Security researcher Tom Ferris of has revisited two old vulnerabilities in Apple's QuickTime software that the company never got around to patching. The researcher, who has discovered numerous bugs in Mac OS X, says the zero-day flaws could allow attackers to make QuickTime stop responding or execute arbitrary code as the user. One of the flaws is more than a year old with no patch released to fix the issue, according to Ferris. "Maybe all of the developers are working on the iPhone?" The first flaw which was originally reported on March 28th of 2006 comes in the form of a heap overflow vulnerability within QuickTime 7.1.5 and all prior versions when users access a malformed .mov file. The second, which was originally reported on November 17th of 2006, is an integer overflow vulnerability in QuickTime 7.1.5 and all prior versions when users play a malformed .MP4 file.

by MacNN Staff




    Joined: Dec 1969


    Silverlight Next QT?

    It is likely in the company's best interest to patch these holes up, but what if they can't? Would an issue like this migrate traffic over to other platforms, such as Microsoft's Silverlight? It could happen if content providers do not want to leak a virus through a architectural flaw.

    More about Silverlight below:

  1. testudo

    Joined: Dec 1969



    I thought the definition of a 'zero-day' flaw was a flaw that was discovered and a virus or attack was created using the flaw the same day (hence zero-day). Since these are over a year old, what point is it to call these 0-day flaws, when that was a year ago?

    And did someone release an exploit for these flaws?

    Finally, could someone out there actually write some code to actually cause arbitrary code to run, so we can stop reading about how it 'could allow'. I know its done all the time on Windows, but shouldn't someone actually be able to do it before saying that it could be done?

    Its like saying "The flaw discovered could cause forum posters on MacNN to actually like testudo." Now, sure, its 'possible'. But until we see it actually occur (in the wild, in a lab environment, anywhere), all it does it try to get people all scared (the 'arbitrary execution', not the 'liking testudo', although I'm sure that's a scary proposition to some of you as well).

  1. e:leaf

    Joined: Dec 1969


    from what

    I understand, a 0-day vulnerability is an exploit that has the ability to be run by a current system which is up-to-date (I.e., there are no patches available and eventhe most up-to-date user is vulnerable). Most vulnerabilities that are reported for OS X require that a user have a version of OS X which is out of date (say 10.4.4 without the latest security updates), and are suseptible to being affected by vulnerabilities if one were to transform a possible exploit into malicious code.

    But I agree, can someone please stop posting hypotheticals as important news. Yes, I understand that OS X certainly has its flaws, but if you keep crying wolf like this, no one will actually believe it when a real virus does expose itself.

Login Here

Not a member of the MacNN forums? Register now for free.


Network Headlines

Follow us on Facebook


Most Popular


Recent Reviews

Ultimate Ears Megaboom Bluetooth Speaker

Ultimate Ears (now owned by Logitech) has found great success in the marketplace with its "Boom" series of Bluetooth speakers, a mod ...

Kinivo URBN Premium Bluetooth Headphones

We love music, and we're willing to bet that you do, too. If you're like us, you probably spend a good portion of your time wearing ...

Jamstik+ MIDI Controller

For a long time the MIDI world has been dominated by keyboard-inspired controllers. Times are changing however, and we are slowly star ...


Most Commented