Security alert: QuickTime bug may be used as a vector for attack

Posted by Daniel East Apple ico Sep 21, 2008 at 7:30am

imageIntego, a Macintosh security specialist, recently announced that it has discovered a QuickTime bug which may be used as a vector for attack. Apple’s QuickTime, the media software used to play music and movies on Mac OS X and Windows, has recently been update to version 7.5.5, but a serious bug has already been discovered that may be used as a vector for malicious attacks.

Exploit: OSX.Exploit.QT755-1
Discovered: September 18, 2008
Risk: Low

The ”<? quicktime type= ?>” tag fails to handle long strings, which can lead to a heap overflow in QuickTime Player, iTunes, or any other program that attempts to display media using a QuickTime plug-in. This can be a browser, such as Apple’s Safari, Microsoft Internet Explorer or Mozilla Firefox, or, on Mac OS X, could be any program that displays graphics or movies inline, such as Mail, or even the Finder if a user tries to view a file with Quick Look. For now, files which contain offending strings will crash programs attempting to display them, but malicious code could be added to such files, and may be executed with no user interaction, other than an attempt to view a file.

This bug can be remote or local, as QuickTime parses any supplied file for a recognized header even if the header does not correspond to the file type; for example, a malicious user could put XML content in an MP4 or MOV file, or could add a QuickTime media file to a web page which could then cause a browser to crash while executing malicious code.

Intego’s Virus Monitoring Center is keeping a close eye on this bug and whether malicious users are attempting to add payload to QuickTime files. Intego will naturally update the virus definitions for Intego VirusBarrier X5 if this occurs. Intego will be posting more information, as it becomes available, on the Intego Mac Security Blog.

image“Macsimum News” is a proud supporter of Planet Gumbo, which feeds the hungry. We urge you to help them in their efforts.



Leave a comment ⇒
Please post the article topic & comment in our forums. No registration required.





Article Information

Comment on this Article Print this Article Email this Article Digg This

Contributor

Contributor

Daniel East

Daniel M. East is a technology author, freelance writer, presenter/trainer and consultant with more than 20 years experience in professional photography, design, pro-audio and music industry marketing. East is also founder and president of The Apple Groups Team support network for user groups.

View Daniel East's Articles

Recent Articles

Migration Kit: fibre-channel connectivity products for Mac OS X
Apple products especially tempting to cyberthieves
Over 190,000 iPads pre-ordered
Everything HerePlus releases 13-port USB external hub
Macsimum Recommended Reading’ for March 20
Bookmakers: iPad’s debut unlikely to outdo that of the iPhone
March 27 is deadline to submit first iPad apps for approval
iPhone/iPod/iPad apps for March 19
Jobs joins Schwarzenegger to promote organ donor registry
Pre-Order taken forThe Settlers 7 game for Mac OS X
Your Macsimum Podcast for March 19th
iPad ad during the Academy Awards gets mixed reviews
Imation to ship multi-terabyte magnetic tape
Voices added to Heileen 2: The Hands Of Fate game
SongGenie for Mac/iPhone/iPod updated to version 2
Apple firing on all cylinders to line up iPad content
Snow Leopard Server TechForum Virtual Events slated
Kool Tools: ConceptDraw Office
Bharti Airtel to sell iPhone 3GS in India
Security researcher to reveal Mac OS X security holes