Risk
4/4/2008
01:36 PM
Apple Issues QuickTime Security Fix

Apple patched 11 vulnerabilities, nine of which might have allowed an attacker to execute malicious code on a victim's machine.

Apple this week issued a security patch for its QuickTime multimedia software that addressed 11 vulnerabilities.

Nine of the 11 vulnerabilities might have allowed an attacker to execute malicious code on a victim's machine.

Eight of the vulnerabilities affect both Mac OS X and Windows versions of QuickTime. Three of the vulnerabilities affect Windows Vista and XP SP2 only.

Several of the flaws can be exploited through maliciously crafted movie files. Such attacks often take the form of e-mail messages with Web links to the malicious files.

Apple's patch comes a week after three security researchers at a Canadian security conference hacking contest managed to compromise a MacBook Air laptop using a zero-day vulnerability.

The exploit took advantage of a hole in Apple's Safari 3.1 Web browser.

TippingPoint Technologies, the sponsor of the contest, said that the vulnerability had been disclosed to Apple and that it would provide no further information about it until the hole was patched.

It's not immediately clear whether the Safari hole was related to QuickTime. TippingPoint Technologies was not immediately available for comment. But Apple did credit TippingPoint researchers for discovering six of the QuickTime flaws it fixed.

QuickTime, like other popular media applications such as Adobe's Flash, represents an appealing target for malicious hackers because it is widely distributed. With Apple's sales on the rise, QuickTime is likely to become even more common.

From the release of QuickTime 7.1.3 in January 2007 through the release of QuickTime 7.3.1 in December of that year, Apple fixed 34 QuickTime vulnerabilities. In 2006, Apple patched 28 QuickTime holes. So far in 2008, Apple has made 16 specific QuickTime repairs.
