Tuesday, March 6, 2007

Apple Patches Serious QuickTime Bugs

By enticing a user to open a malicious QuickTime movie, an attacker could trigger a buffer overflow and run code of their choosing on the compromised computer. For this reason, Apple has labeled the new QuickTime patch "serious" and is recommending that all QuickTime users -- on both Mac and Windows platforms -- install it.

Apple has released several updates for QuickTime, the company's media-player software, to address eight security vulnerabilities. Classified as "serious," the flaws expose Macs and Windows computers to attack, the company noted in its security alert.

The bugs garnered a high severity rating because they could be used to create malicious files that give an attacker control over any computer on which an unpatched QuickTime opens them.

Apple has issued patches for QuickTime in the past, most recently in January when it created a patch for a zero-day flaw. The fixes ship as QuickTime 7.1.5, which is available for both Macs and Windows systems.

Feeling Flawed

The bugs are integer overflows and heap buffer overflows in the code QuickTime uses to handle video files.

By enticing a user to open a malicious movie, an attacker can trigger an overflow, according to Apple. This could lead to an application crash or to arbitrary code being executed. Code run this way has the privileges of the user who opened the file, which on a typical single-user machine is enough to give the attacker control of the system.
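The integer-overflow-to-heap-overflow chain described above, as an added example in C. This is not Apple's code and does not reproduce QuickTime's real atom format: the chunk layout (a big-endian 32-bit entry count followed by 32-bit entries), the function names and the sample inputs are all constructed for this illustration. It shows the naive 32-bit size computation wrapping on a crafted count, and a hardened parser that bounds the count against the bytes actually present.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Illustrative chunk layout (constructed for this example; NOT QuickTime's
 * atom format): 4-byte big-endian entry count, then `count` 32-bit entries. */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The vulnerable pattern: allocation size derived from the attacker-controlled
 * count in 32-bit arithmetic. count = 0x40000001 makes 0x40000001 * 4 wrap to
 * 4, so malloc() would hand back a 4-byte buffer that a copy of 0x40000001
 * entries then overruns (heap buffer overflow). This function only returns the
 * wrapped size; it deliberately does not perform the overflowing copy. */
uint32_t vuln_table_bytes(uint32_t count) {
    uint32_t bytes = count * 4u;   /* wraps modulo 2^32 */
    return bytes;
}

/* Hardened parser: the declared count must fit in the data that follows the
 * header, which also guarantees count * 4 cannot overflow a size_t. Returns 0
 * and fills *out/*out_count (caller frees) on success, -1 on rejection. */
int parse_table_safe(const uint8_t *buf, size_t len,
                     uint32_t **out, uint32_t *out_count) {
    if (len < 4) return -1;                 /* no room for the header */
    uint32_t count = be32(buf);
    size_t avail = len - 4;                 /* bytes after the header */
    if ((size_t)count > avail / 4) return -1;   /* count claims more than present */
    size_t bytes = (size_t)count * sizeof(uint32_t);
    uint32_t *table = malloc(bytes ? bytes : 1);
    if (!table) return -1;
    for (uint32_t i = 0; i < count; i++)
        table[i] = be32(buf + 4 + (size_t)i * 4);
    *out = table;
    *out_count = count;
    return 0;
}

int main(void) {
    /* Constructed inputs, not taken from any real media file. */
    const uint8_t benign[]  = {0,0,0,2, 0xde,0xad,0xbe,0xef, 0x01,0x02,0x03,0x04};
    const uint8_t crafted[] = {0x40,0x00,0x00,0x01, 0,0,0,0}; /* count = 0x40000001 */
    uint32_t *t; uint32_t n;

    printf("crafted count 0x40000001: naive 32-bit size = %u bytes\n",
           vuln_table_bytes(0x40000001u));

    if (parse_table_safe(benign, sizeof benign, &t, &n) == 0) {
        printf("benign chunk: %u entries, first = 0x%08x\n", n, t[0]);
        free(t);
    }
    if (parse_table_safe(crafted, sizeof crafted, &t, &n) != 0)
        printf("crafted chunk: rejected (count exceeds available bytes)\n");
    return 0;
}
```

The check that matters is the comparison against `avail / 4`: it is done before any multiplication, so no attacker-chosen value can produce a wrapped size, and it ties the count to the real length of the input rather than trusting the header.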

In addition to issuing the QuickTime patches, the company released updates for iTunes, adding additional support for the music and video store.

Now in version 7.1, iTunes has improved sorting options so users can more effectively organize artists, albums, and songs. It also adds support for the release of Apple TV, expected to launch within the next few weeks.

System Check

Security researchers have been focusing intently on QuickTime and similar applications because embedded media is so widespread on blogs and social-networking sites, giving attackers many places to host a malicious file.

As much as Apple hypes its security in comparison to Windows, it is very difficult to say whether one operating system is more secure than another, according to Sophos senior security consultant Carole Theriault.

"There are millions of lines of code behind any platform, and of course there are flaws inside that can be discovered and exploited by those that look hard enough and are determined enough," she said.

Apple tends to be less targeted than Windows because more people use the Microsoft system, she added. That means there are more hackers and malicious code writers scouring that OS for vulnerabilities.

Hacker Target

So, although it might look like Apple is safer, Theriault noted, the more likely reason is that the company is not the market leader, and presents a smaller, less attractive target for attackers.

"Should this change in the future and they become kings of the computer market, I'd be very surprised if we didn't see malware distributors and hackers shift their attention to exploiting Apple code much more regularly," she said.

In terms of warning users and taking security matters seriously, both Microsoft and Apple seem to be very adept at dealing with flaws, she added.