Giveaway: Bracketron Case If outdoor adventures are in your future this summer, enter to win a Bracketron Sport Case with Mount Strap from MacNN and keep that iPhone, iPod or other electronic device safe from the elements.      
toggle

AAPL Stock: 443.86 ( -10.88 )

http://www.macnn.com/articles/08/09/18/quicktime.755.flaw/

Vulnerability discovered in QuickTime 7.5.5

updated 09:25 am EDT, Thu September 18, 2008

 

QuickTime 7.5.5 flaw


A possible security hole has been discovered in QuickTime 7.5.5, which was released last week alongside iTunes 8. Symantec researcher Aaron Adams notes that a particular parameter in QuickTime is not geared to cope with strings past a certain length, and that if this trait were to be properly exploited, it could represent a security threat. "Symantec is currently investigating this flaw further to determine the underlying technical details," Adams' official note reads.

Present testing has only been able to force QuickTime to crash, but it is believed that the potential exists to run arbitrary code, which if true could cause significant danger to QuickTime users. An interested hacker could embed a malicious file onto a website, and launch an attack with minimal interaction on the part of the victim.

Adams suggests that there is currently no real defense against such an attack, beyond avoiding suspicious websites or disabling the QuickTime plug-ins of various browsers.


by MacNN Staff

Post tools:

TAGS :

 QuickTime, security, software, Apple

Related Articles

Recent Articles

toggle

Comments

  1. Marook

    Forum Regular

    Joined: May 1999

    +2
    09/18, 09:38am | report spam | Reply |

    Ohh, disable it?

    Come on - you point to a POTENTIAL issue where QT crashes. Ok, that's a bad thing, all that crashing, but it 'just' crashes.

    Come back when you actually have a security hole!

  1. jhawk95

    Fresh-Faced Recruit

    Joined: Oct 2006

    +2
    09/18, 09:46am | report spam | Reply |

    End of financial quarter

    Time to sell a few more copies of Symantec before the quarter ends, eh?

    IF QT does this, and IF a malicous hacker does that, and then IF he puts it on his website which I will NEVER visit because I only surf where I choose to surf and not out on some hackers website looking for pictures of Brad Pitt, and IF I then download it, and IF I am not on a Mac and then IF it crashes my QT then I will just break down and cry and probably end my life over QT crashing.

    Give me a break. Enough with the scare tactics. Go sell your software to someone who needs it.... the ever-dwindling pool of idiots using Windoze products.

  1. Mr. Strat

    Junior Member

    Joined: Jan 2002

    +2
    09/18, 10:23am | report spam | Reply |

    Let the FUD begin!

    Hmmm...somebody from a company that produces anti-virus software warns of a possible threat.

    f*** off!

  1. testudo

    Forum Regular

    Joined: Aug 2001

    -3
    09/18, 11:38am | report spam | Reply |

    fools

    You all don't know what the h*** you're talking about. First, the guy was actually responding to a posting of the issue on a hacker web site. I guess you all just don't care, but at least Symantec responded (let's see how long before Apple responds to the information).

    And neither say a security problem exists. It suggests a problem does exist (which it does), but so far they've not yet proved that it could be used to execute arbitrary code.

    Oh, and it also is a Mac and Windows issue.

    BTW, jhawk, Symantec doesn't check for this flaw, so there's no need to buy the software in the first place.

    And if it were something in Windows Media Player or IE, you'd be laughing up a storm, not saying "Yeah, but who goes to some hacker website and view a video.".

    Mac users: The set of people who believe information is useless, and security is built-in and not a concern. Gotta love them!

  1. nat

    Junior Member

    Joined: Mar 2002

    +2
    09/18, 11:55am | report spam | Reply |

    he just never tires

    i suppose his constant bashing of all things apple is because he has absolutely nothing better to do. as in nothing at all whatsoever.

    and we're the fools. i like it so much better when he disappears for long periods of time. but then he comes back with the EXACT SAME MO EVERY SINGLE TIME. repeating, ad nauseam, the same thing OVER AND OVER AND OVER AND OVER AND OVER AND OVER...

    testudo, my dear boy, WE DON'T GIVE A F&*K. are you really so stupid?

  1. afaby

    Fresh-Faced Recruit

    Joined: Jul 2005

    +3
    09/18, 01:29pm | report spam | Reply |

    Legacy

    QuickTime has about 20 years worth of legacy code and needs to be completely rewritten using the modern Cocoa frameworks from the ground up. I hope QuickTime X in Snow Leopard is just such a thing, instead of putting lipstick on a pig.

  1. testudo

    Forum Regular

    Joined: Aug 2001

    -4
    09/18, 03:19pm | report spam | (1 reply) Reply |

    never tires

    Well, posters here never tire of the stupid "Oh, its just a virus company trying to scare people" rants. But they're OK?

    And the only bashing of Apple I did was to comment on the fact Apple will NOT comment on this issue. In fact, if Symantec didn't pick it up, the only ones knowing about it would probably be the hackers themselves.

    But, I know, hackers aren't problems. They're good people.

  1. jhawk95

    Fresh-Faced Recruit

    Joined: Oct 2006

    +1
    09/18, 06:11pm | report spam | (1 reply) Reply |

    Testicular

    I mean Testudo... show me one virus or trojan that has penetrated any Mac runing any version of OS X, any iPod or any iPhone...


    NONE EXIST in the Wild.

    So Shut The f*** up already!

  1. portisman

    Fresh-Faced Recruit

    Joined: Sep 2008

    +2
    09/19, 04:59am | report spam | Reply |

    Are you people serious?

    This is a buffer overrun. This is not a little problem. This is the type of problem that can be exploited by novice hackers. Buffer overruns allow malicious users to plant trojans, keyloggers, and potentially take control of your machine.

    Mac users really need to understand that OS X is great and Mac is awesome, but the more market share Mac gets, the more it is going to be subject to exploits.

    http://www.scmagazineus.com/QuickTime-exploit-disclosed-for-1-week-old-version/article/118154/

    These guys are already discussing how to exploit it:
    http://forums.remote-exploit.org/showthread.php?t=17024

    The National Vulnerability Database lists it as a high severity impact:
    http://web.nvd.nist.gov/view/vuln/detail;jsessionid=9cd57844ed038040099c12069cd1?execution=e1s1

    It's not a matter of Mac bashing, it's just a matter of being aware that there are actually real vulnerabilities in every operating system. It's not a put-down, it's a warning.

  1. Someone Else

    Fresh-Faced Recruit

    Joined: Sep 2008

    -1
    09/19, 11:28pm | report spam | Reply |

    DNSChanger

    jhawk95 said...

    "I mean Testudo... show me one virus or trojan that has penetrated any Mac runing any version of OS X, any iPod or any iPhone...

    NONE EXIST in the Wild.
    So Shut The f*** up already!"
    --------------------------------------------
    This one is still in the wild and has bitten many Mac users:

    http://www.f-secure.com/v-descs/trojanosxdnschanger.shtml

    FACT.

Show More Comments

Login Here

Not a member of the MacNN forums? Register now for free.

 
close
Photo
toggle

Network Headlines

toggle

Most Popular

MacNN Sponsor

Recent Reviews

Brother HL-3170CDW LED Printer

We've mentioned before that we are far from a paperless society. For now, at least, there are tasks that require a piece of paper for ...

HTC One

It is hard to overstate just how critically important the HTC One is to the Taiwanese company’s fortunes. Despite its alarming decline ...

Samsung Galaxy S 4

Samsung's new flagship Android smartphone, the Galaxy S 4, faces even stiffer competition than its popular predecessor. With a five-in ...

toggle

Most Commented

 

Popular News