macnn
09/18/2008, 9:25am, EDT
Thursday, September 18th
Vulnerability discovered in QuickTime 7.5.5
A possible security hole has been discovered in QuickTime 7.5.5, which was released last week alongside iTunes 8. Symantec researcher Aaron Adams notes that a particular parameter in QuickTime is not geared to cope with strings past a certain length, and that if this trait were to be properly exploited, it could represent a security threat. "Symantec is currently investigating this flaw further to determine the underlying technical details," Adams' official note reads.
Present testing has only been able to force QuickTime to crash, but it is believed that the potential exists to run arbitrary code, which if true could cause significant danger to QuickTime users. An interested hacker could embed a malicious file onto a website, and launch an attack with minimal interaction on the part of the victim.
Adams suggests that there is currently no real defense against such an attack, beyond avoiding suspicious websites or disabling the QuickTime plug-ins of various browsers.
Filed under: security, software, Apple
Other story tags: QuickTime
, 
, 11
, 
, 
, 
, 
, 
, 
Top
subscribe to comments
for this article
Ohh, disable it?
Come on - you point to a POTENTIAL issue where QT crashes. Ok, that's a bad thing, all that crashing, but it 'just' crashes.
Come back when you actually have a security hole!
End of financial quarter
Time to sell a few more copies of Symantec before the quarter ends, eh?
IF QT does this, and IF a malicous hacker does that, and then IF he puts it on his website which I will NEVER visit because I only surf where I choose to surf and not out on some hackers website looking for pictures of Brad Pitt, and IF I then download it, and IF I am not on a Mac and then IF it crashes my QT then I will just break down and cry and probably end my life over QT crashing.
Give me a break. Enough with the scare tactics. Go sell your software to someone who needs it.... the ever-dwindling pool of idiots using Windoze products.
Let the FUD begin!
Hmmm...somebody from a company that produces anti-virus software warns of a possible threat.
Fuck off!
fools
You all don't know what the hell you're talking about. First, the guy was actually responding to a posting of the issue on a hacker web site. I guess you all just don't care, but at least Symantec responded (let's see how long before Apple responds to the information).
And neither say a security problem exists. It suggests a problem does exist (which it does), but so far they've not yet proved that it could be used to execute arbitrary code.
Oh, and it also is a Mac and Windows issue.
BTW, jhawk, Symantec doesn't check for this flaw, so there's no need to buy the software in the first place.
And if it were something in Windows Media Player or IE, you'd be laughing up a storm, not saying "Yeah, but who goes to some hacker website and view a video.".
Mac users: The set of people who believe information is useless, and security is built-in and not a concern. Gotta love them!
he just never tires
i suppose his constant bashing of all things apple is because he has absolutely nothing better to do. as in nothing at all whatsoever.
and we're the fools. i like it so much better when he disappears for long periods of time. but then he comes back with the EXACT SAME MO EVERY SINGLE TIME. repeating, ad nauseam, the same thing OVER AND OVER AND OVER AND OVER AND OVER AND OVER...
testudo, my dear boy, WE DON'T GIVE A F&*K. are you really so stupid?
Legacy
QuickTime has about 20 years worth of legacy code and needs to be completely rewritten using the modern Cocoa frameworks from the ground up. I hope QuickTime X in Snow Leopard is just such a thing, instead of putting lipstick on a pig.
never tires
Well, posters here never tire of the stupid "Oh, its just a virus company trying to scare people" rants. But they're OK?
And the only bashing of Apple I did was to comment on the fact Apple will NOT comment on this issue. In fact, if Symantec didn't pick it up, the only ones knowing about it would probably be the hackers themselves.
But, I know, hackers aren't problems. They're good people.
Testicular
I mean Testudo... show me one virus or trojan that has penetrated any Mac runing any version of OS X, any iPod or any iPhone...
NONE EXIST in the Wild.
So Shut The FCUK up already!
Are you people serious?
This is a buffer overrun. This is not a little problem. This is the type of problem that can be exploited by novice hackers. Buffer overruns allow malicious users to plant trojans, keyloggers, and potentially take control of your machine.
Mac users really need to understand that OS X is great and Mac is awesome, but the more market share Mac gets, the more it is going to be subject to exploits.
http://www.scmagazineus.com/QuickTime-exploit-disclosed-for-1-week-old-version/article/118154/
These guys are already discussing how to exploit it:
http://forums.remote-exploit.org/showthread.php?t=17024
The National Vulnerability Database lists it as a high severity impact:
http://web.nvd.nist.gov/view/vuln/detail;jsessionid=9cd57844ed038040099c12069cd1?execution=e1s1
It's not a matter of Mac bashing, it's just a matter of being aware that there are actually real vulnerabilities in every operating system. It's not a put-down, it's a warning.
DNSChanger
jhawk95 said...
"I mean Testudo... show me one virus or trojan that has penetrated any Mac runing any version of OS X, any iPod or any iPhone...
NONE EXIST in the Wild.
So Shut The FCUK up already!"
--------------------------------------------
This one is still in the wild and has bitten many Mac users:
http://www.f-secure.com/v-descs/trojanosxdnschanger.shtml
FACT.