toggle

AAPL Stock: 102.46 ( + 0.21 )

Printed from http://www.macnn.com

Two zero-day QuickTime flaws remain unpatched

updated 10:20 am EDT, Wed April 25, 2007

QuickTime flaws unpatched

Security researcher Tom Ferris of Security-Protocols.com has revisited two old vulnerabilities in Apple's QuickTime software that the company never got around to patching. The researcher, who has discovered numerous bugs in Mac OS X, says the zero-day flaws could allow attackers to make QuickTime stop responding or execute arbitrary code as the user. One of the flaws is more than a year old with no patch released to fix the issue, according to Ferris. "Maybe all of the developers are working on the iPhone?" The first flaw which was originally reported on March 28th of 2006 comes in the form of a heap overflow vulnerability within QuickTime 7.1.5 and all prior versions when users access a malformed .mov file. The second, which was originally reported on November 17th of 2006, is an integer overflow vulnerability in QuickTime 7.1.5 and all prior versions when users play a malformed .MP4 file.




by MacNN Staff

POST TOOLS:

TAGS :

toggle

Comments

  1. ThunkDifferent.com

    Joined: Dec 1969

    0

    Silverlight Next QT?

    It is likely in the company's best interest to patch these holes up, but what if they can't? Would an issue like this migrate traffic over to other platforms, such as Microsoft's Silverlight? It could happen if content providers do not want to leak a virus through a architectural flaw.

    More about Silverlight below:

    http://thunkdifferent.com

  1. testudo

    Joined: Dec 1969

    0

    zero-day

    I thought the definition of a 'zero-day' flaw was a flaw that was discovered and a virus or attack was created using the flaw the same day (hence zero-day). Since these are over a year old, what point is it to call these 0-day flaws, when that was a year ago?

    And did someone release an exploit for these flaws?

    Finally, could someone out there actually write some code to actually cause arbitrary code to run, so we can stop reading about how it 'could allow'. I know its done all the time on Windows, but shouldn't someone actually be able to do it before saying that it could be done?

    Its like saying "The flaw discovered could cause forum posters on MacNN to actually like testudo." Now, sure, its 'possible'. But until we see it actually occur (in the wild, in a lab environment, anywhere), all it does it try to get people all scared (the 'arbitrary execution', not the 'liking testudo', although I'm sure that's a scary proposition to some of you as well).

  1. e:leaf

    Joined: Dec 1969

    0

    from what

    I understand, a 0-day vulnerability is an exploit that has the ability to be run by a current system which is up-to-date (I.e., there are no patches available and eventhe most up-to-date user is vulnerable). Most vulnerabilities that are reported for OS X require that a user have a version of OS X which is out of date (say 10.4.4 without the latest security updates), and are suseptible to being affected by vulnerabilities if one were to transform a possible exploit into malicious code.

    But I agree, can someone please stop posting hypotheticals as important news. Yes, I understand that OS X certainly has its flaws, but if you keep crying wolf like this, no one will actually believe it when a real virus does expose itself.

Login Here

Not a member of the MacNN forums? Register now for free.

toggle

Network Headlines

toggle

Most Popular

MacNN Sponsor

Recent Reviews

Life n Soul BM211 Bluetooth speaker

Bluetooth speakers aren't only for listening to some music at the park or on a long bus ride, but can also be built with tablets in m ...

Epson PowerLite Home Cinema 2030 projector

With high-definition televisions now the standard, 4K televisions becoming the next big thing, and plasma TVs going the way of the din ...

Life n Soul 8 Driver Bluetooth headphones

When it comes to music on the go, consumers generally have some options to consider when looking for the best experience. While Blueto ...

toggle

Most Commented