
Printed from http://www.macnn.com

Vulnerability discovered in QuickTime 7.5.5

updated 09:25 am EDT, Thu September 18, 2008

QuickTime 7.5.5 flaw

A possible security hole has been discovered in QuickTime 7.5.5, which was released last week alongside iTunes 8. Symantec researcher Aaron Adams notes that a particular parameter in QuickTime is not geared to cope with strings past a certain length, and that if this trait were to be properly exploited, it could represent a security threat. "Symantec is currently investigating this flaw further to determine the underlying technical details," Adams' official note reads.

Present testing has only been able to force QuickTime to crash, but it is believed that the potential exists to run arbitrary code, which if true could cause significant danger to QuickTime users. An interested hacker could embed a malicious file onto a website, and launch an attack with minimal interaction on the part of the victim.

Adams suggests that there is currently no real defense against such an attack, beyond avoiding suspicious websites or disabling the QuickTime plug-ins of various browsers.
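As an added illustration (not code from the article, Symantec or Apple), this C fragment contrasts the unchecked copy that lets an over-long parameter value run past its field with a version that bounds the length before copying. PARAM_MAX, the record layout and the 'A'-filled sample value are assumptions, since the article names neither the QuickTime parameter nor its real limit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical field size for one parameter value; the article names neither
 * the QuickTime parameter nor its real limit. */
#define PARAM_MAX 32

struct param_record { char value[PARAM_MAX]; size_t len; };

/* Unchecked pattern: copies the value whatever its length, so a string longer
 * than the field overwrites memory after it (the defect class the article
 * describes). Kept for contrast only; never feed it untrusted input. */
void load_param_unchecked(struct param_record *rec, const char *value)
{
    strcpy(rec->value, value);   /* no bound on the copy */
    rec->len = strlen(value);
}

/* Hardened version: measure with an upper bound (never scanning past PARAM_MAX
 * input bytes), refuse a value that cannot fit together with its terminator,
 * and copy only after the check has passed. */
bool load_param_checked(struct param_record *rec, const char *value)
{
    size_t n = 0;
    while (n < PARAM_MAX && value[n] != '\0')
        n++;
    if (n >= PARAM_MAX) {              /* too long: reject, leave field empty */
        rec->value[0] = '\0';
        rec->len = 0;
        return false;
    }
    memcpy(rec->value, value, n + 1);  /* n + 1 <= PARAM_MAX, includes NUL */
    rec->len = n;
    return true;
}

/* Runs a constructed value of len 'A' bytes (a stand-in for a hostile embed
 * parameter) through the checked loader; returns the stored length, or -1
 * when the value was refused. */
long checked_load_len(size_t len)
{
    char buf[512];
    struct param_record rec;
    if (len >= sizeof buf) return -1;
    memset(buf, 'A', len);
    buf[len] = '\0';
    return load_param_checked(&rec, buf) ? (long)rec.len : -1;
}
```

Values of 31 bytes or fewer fit with their terminator and are stored; 32 bytes or more are refused, so a 200-byte value produces a rejected, empty record instead of a write past the field.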

by MacNN Staff

Comments

  1. Marook

    Joined: Dec 1969

    +2

    Ohh, disable it?

    Come on - you point to a POTENTIAL issue where QT crashes. Ok, that's a bad thing, all that crashing, but it 'just' crashes.

    Come back when you actually have a security hole!

  1. jhawk95

    Joined: Dec 1969

    +2

    End of financial quarter

    Time to sell a few more copies of Symantec before the quarter ends, eh?

    IF QT does this, and IF a malicious hacker does that, and then IF he puts it on his website which I will NEVER visit because I only surf where I choose to surf and not out on some hackers website looking for pictures of Brad Pitt, and IF I then download it, and IF I am not on a Mac and then IF it crashes my QT then I will just break down and cry and probably end my life over QT crashing.

    Give me a break. Enough with the scare tactics. Go sell your software to someone who needs it.... the ever-dwindling pool of idiots using Windoze products.

  1. Mr. Strat

    Joined: Dec 1969

    +2

    Let the FUD begin!

    Hmmm...somebody from a company that produces anti-virus software warns of a possible threat.

    f*** off!

  1. testudo

    Joined: Dec 1969

    -3

    fools

    You all don't know what the h*** you're talking about. First, the guy was actually responding to a posting of the issue on a hacker web site. I guess you all just don't care, but at least Symantec responded (let's see how long before Apple responds to the information).

    And neither say a security problem exists. It suggests a problem does exist (which it does), but so far they've not yet proved that it could be used to execute arbitrary code.

    Oh, and it also is a Mac and Windows issue.

    BTW, jhawk, Symantec doesn't check for this flaw, so there's no need to buy the software in the first place.

    And if it were something in Windows Media Player or IE, you'd be laughing up a storm, not saying "Yeah, but who goes to some hacker website and views a video."

    Mac users: The set of people who believe information is useless, and security is built-in and not a concern. Gotta love them!

  1. nat

    Joined: Dec 1969

    +2

    he just never tires

    i suppose his constant bashing of all things apple is because he has absolutely nothing better to do. as in nothing at all whatsoever.

    and we're the fools. i like it so much better when he disappears for long periods of time. but then he comes back with the EXACT SAME MO EVERY SINGLE TIME. repeating, ad nauseam, the same thing OVER AND OVER AND OVER AND OVER AND OVER AND OVER...

    testudo, my dear boy, WE DON'T GIVE A F&*K. are you really so stupid?

  1. afaby

    Joined: Dec 1969

    +3

    Legacy

    QuickTime has about 20 years worth of legacy code and needs to be completely rewritten using the modern Cocoa frameworks from the ground up. I hope QuickTime X in Snow Leopard is just such a thing, instead of putting lipstick on a pig.

  1. testudo

    Joined: Dec 1969

    -4

    never tires

    Well, posters here never tire of the stupid "Oh, it's just a virus company trying to scare people" rants. But they're OK?

    And the only bashing of Apple I did was to comment on the fact Apple will NOT comment on this issue. In fact, if Symantec didn't pick it up, the only ones knowing about it would probably be the hackers themselves.

    But, I know, hackers aren't problems. They're good people.

  1. jhawk95

    Joined: Dec 1969

    +1

    Testicular

    I mean Testudo... show me one virus or trojan that has penetrated any Mac running any version of OS X, any iPod or any iPhone...

    NONE EXIST in the Wild.

    So Shut The f*** up already!

  1. portisman

    Joined: Dec 1969

    +2

    Are you people serious?

    This is a buffer overrun. This is not a little problem. This is the type of problem that can be exploited by novice hackers. Buffer overruns allow malicious users to plant trojans, keyloggers, and potentially take control of your machine.

    Mac users really need to understand that OS X is great and Mac is awesome, but the more market share Mac gets, the more it is going to be subject to exploits.

    http://www.scmagazineus.com/QuickTime-exploit-disclosed-for-1-week-old-version/article/118154/

    These guys are already discussing how to exploit it:
    http://forums.remote-exploit.org/showthread.php?t=17024

    The National Vulnerability Database lists it as a high severity impact:
    http://web.nvd.nist.gov/view/vuln/detail;jsessionid=9cd57844ed038040099c12069cd1?execution=e1s1

    It's not a matter of Mac bashing, it's just a matter of being aware that there are actually real vulnerabilities in every operating system. It's not a put-down, it's a warning.

  1. Someone Else

    Joined: Dec 1969

    -1

    DNSChanger

    jhawk95 said...

    "I mean Testudo... show me one virus or trojan that has penetrated any Mac running any version of OS X, any iPod or any iPhone...

    NONE EXIST in the Wild.
    So Shut The f*** up already!"
    --------------------------------------------
    This one is still in the wild and has bitten many Mac users:

    http://www.f-secure.com/v-descs/trojanosxdnschanger.shtml

    FACT.
