toggle

AAPL Stock: 423 ( -8.77 )

http://www.macnn.com/articles/07/04/25/quicktime.flaws.unpatched/

Two zero-day QuickTime flaws remain unpatched

updated 10:20 am EDT, Wed April 25, 2007

 

QuickTime flaws unpatched


Security researcher Tom Ferris of Security-Protocols.com has revisited two old vulnerabilities in Apple's QuickTime software that the company never got around to patching. The researcher, who has discovered numerous bugs in Mac OS X, says the zero-day flaws could allow attackers to make QuickTime stop responding or execute arbitrary code as the user. One of the flaws is more than a year old with no patch released to fix the issue, according to Ferris. "Maybe all of the developers are working on the iPhone?" The first flaw which was originally reported on March 28th of 2006 comes in the form of a heap overflow vulnerability within QuickTime 7.1.5 and all prior versions when users access a malformed .mov file. The second, which was originally reported on November 17th of 2006, is an integer overflow vulnerability in QuickTime 7.1.5 and all prior versions when users play a malformed .MP4 file.


by MacNN Staff

Post tools:

TAGS :

 troubleshooting

Related Articles

Recent Articles

toggle

Comments

  1. ThunkDifferent.com

    Fresh-Faced Recruit

    Joined: Apr 2007

    0
    04/25, 11:42am | report spam | Reply |

    Silverlight Next QT?

    It is likely in the company's best interest to patch these holes up, but what if they can't? Would an issue like this migrate traffic over to other platforms, such as Microsoft's Silverlight? It could happen if content providers do not want to leak a virus through a architectural flaw.

    More about Silverlight below:

    http://thunkdifferent.com

  1. testudo

    Forum Regular

    Joined: Aug 2001

    0
    04/25, 12:31pm | report spam | Reply |

    zero-day

    I thought the definition of a 'zero-day' flaw was a flaw that was discovered and a virus or attack was created using the flaw the same day (hence zero-day). Since these are over a year old, what point is it to call these 0-day flaws, when that was a year ago?

    And did someone release an exploit for these flaws?

    Finally, could someone out there actually write some code to actually cause arbitrary code to run, so we can stop reading about how it 'could allow'. I know its done all the time on Windows, but shouldn't someone actually be able to do it before saying that it could be done?

    Its like saying "The flaw discovered could cause forum posters on MacNN to actually like testudo." Now, sure, its 'possible'. But until we see it actually occur (in the wild, in a lab environment, anywhere), all it does it try to get people all scared (the 'arbitrary execution', not the 'liking testudo', although I'm sure that's a scary proposition to some of you as well).

  1. e:leaf

    Fresh-Faced Recruit

    Joined: Mar 2006

    0
    04/25, 03:54pm | report spam | Reply |

    from what

    I understand, a 0-day vulnerability is an exploit that has the ability to be run by a current system which is up-to-date (I.e., there are no patches available and eventhe most up-to-date user is vulnerable). Most vulnerabilities that are reported for OS X require that a user have a version of OS X which is out of date (say 10.4.4 without the latest security updates), and are suseptible to being affected by vulnerabilities if one were to transform a possible exploit into malicious code.

    But I agree, can someone please stop posting hypotheticals as important news. Yes, I understand that OS X certainly has its flaws, but if you keep crying wolf like this, no one will actually believe it when a real virus does expose itself.

Login Here

Not a member of the MacNN forums? Register now for free.

 
close
Photo
toggle

Network Headlines

toggle

Most Popular

MacNN Sponsor

Recent Reviews

Logitech FabricSkin Keyboard Folio for iPad

Since the fourth-generation iPad didn't evolve much over its predecessor, the market for iPad accessories has remained somewhat static ...

Huawei Ascend Mate

The Huawei Ascend Mate is a phone that fits the screen-size gap between the 4 to 5-inch smartphone and the seven-inch or more tablet, ...

MaxUpgrades MaxConnect for 2006-2008 Mac Pro

Nobody outside of Cupertino's privileged bunch knows the future of the Mac Pro line for sure. Despite Apple's reluctance to tell us wh ...

toggle

Most Commented

 

Popular News