AAPL Stock: 125.49 ( + 2.24 )

Printed from

Two zero-day QuickTime flaws remain unpatched

updated 10:20 am EDT, Wed April 25, 2007

QuickTime flaws unpatched

Security researcher Tom Ferris of has revisited two old vulnerabilities in Apple's QuickTime software that the company never got around to patching. The researcher, who has discovered numerous bugs in Mac OS X, says the zero-day flaws could allow attackers to make QuickTime stop responding or execute arbitrary code as the user. One of the flaws is more than a year old with no patch released to fix the issue, according to Ferris. "Maybe all of the developers are working on the iPhone?" The first flaw which was originally reported on March 28th of 2006 comes in the form of a heap overflow vulnerability within QuickTime 7.1.5 and all prior versions when users access a malformed .mov file. The second, which was originally reported on November 17th of 2006, is an integer overflow vulnerability in QuickTime 7.1.5 and all prior versions when users play a malformed .MP4 file.

by MacNN Staff






    Joined: Dec 1969


    Silverlight Next QT?

    It is likely in the company's best interest to patch these holes up, but what if they can't? Would an issue like this migrate traffic over to other platforms, such as Microsoft's Silverlight? It could happen if content providers do not want to leak a virus through a architectural flaw.

    More about Silverlight below:

  1. testudo

    Joined: Dec 1969



    I thought the definition of a 'zero-day' flaw was a flaw that was discovered and a virus or attack was created using the flaw the same day (hence zero-day). Since these are over a year old, what point is it to call these 0-day flaws, when that was a year ago?

    And did someone release an exploit for these flaws?

    Finally, could someone out there actually write some code to actually cause arbitrary code to run, so we can stop reading about how it 'could allow'. I know its done all the time on Windows, but shouldn't someone actually be able to do it before saying that it could be done?

    Its like saying "The flaw discovered could cause forum posters on MacNN to actually like testudo." Now, sure, its 'possible'. But until we see it actually occur (in the wild, in a lab environment, anywhere), all it does it try to get people all scared (the 'arbitrary execution', not the 'liking testudo', although I'm sure that's a scary proposition to some of you as well).

  1. e:leaf

    Joined: Dec 1969


    from what

    I understand, a 0-day vulnerability is an exploit that has the ability to be run by a current system which is up-to-date (I.e., there are no patches available and eventhe most up-to-date user is vulnerable). Most vulnerabilities that are reported for OS X require that a user have a version of OS X which is out of date (say 10.4.4 without the latest security updates), and are suseptible to being affected by vulnerabilities if one were to transform a possible exploit into malicious code.

    But I agree, can someone please stop posting hypotheticals as important news. Yes, I understand that OS X certainly has its flaws, but if you keep crying wolf like this, no one will actually believe it when a real virus does expose itself.

Login Here

Not a member of the MacNN forums? Register now for free.


Network Headlines


Most Popular


Recent Reviews

Seagate Wireless

It seems like no matter how much internal storage is included today's mobile devices, we, as users, will always find a way to fill th ...

Brother HL-L8250CDN Color Laser Printer

When it comes to selecting a printer, the process is not exactly something most people put a lot of thought into. Printers are often t ...

Moshi iVisor AG and XT for iPad Air 2

Have you ever tried to put in a screen protector that relies on static to cling to the screen? How many bubbles and wrinkles does it h ...


Most Commented