Security alert: QuickTime bug may be used as a vector for attack

Posted by Dave Merten, Sep 21, 2008 at 12:30pm

Intego, a Macintosh security specialist, recently announced that it has discovered a QuickTime bug which may be used as a vector for attack. Apple’s QuickTime, the media software used to play music and movies on Mac OS X and Windows, has recently been updated to version 7.5.5, but a serious bug has already been discovered that may be used as a vector for malicious attacks.

Exploit: OSX.Exploit.QT755-1
Discovered: September 18, 2008
Risk: Low

The “” tag fails to handle long strings, which can lead to a heap overflow in QuickTime Player, iTunes, or any other program that attempts to display media using a QuickTime plug-in. This can be a browser, such as Apple’s Safari, Microsoft Internet Explorer or Mozilla Firefox, or, on Mac OS X, could be any program that displays graphics or movies inline, such as Mail, or even the Finder if a user tries to view a file with Quick Look. For now, files which contain offending strings will crash programs attempting to display them, but malicious code could be added to such files, and may be executed with no user interaction, other than an attempt to view a file.

This bug can be remote or local, as QuickTime parses any supplied file for a recognized header even if the header does not correspond to the file type; for example, a malicious user could put XML content in an MP4 or MOV file, or could add a QuickTime media file to a web page which could then cause a browser to crash while executing malicious code.
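A defensive check for the mismatch described above (markup content delivered under a MOV or MP4 name), as an added example that is not code from Intego, Apple or the original article. The extension list, the short allow-list of top-level atom types and the sample files are assumptions constructed for illustration.

```python
import os
from typing import Optional

# Extensions that would be handed to a QuickTime-style media handler (assumed list).
MEDIA_EXTS = {".mov", ".mp4", ".m4v", ".qt"}
# Top-level atom types that commonly open a real QuickTime/MP4 container (assumed allow-list).
CONTAINER_ATOMS = {b"ftyp", b"moov", b"mdat", b"free", b"skip", b"wide", b"pnot"}
BOM = b"\xef\xbb\xbf"

def sniff(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name."""
    head = data[:512]
    text = head[len(BOM):] if head.startswith(BOM) else head
    if text.lstrip().startswith(b"<"):
        return "markup"  # XML/HTML-like content
    # Atom layout: 4-byte big-endian size followed by a 4-byte type code.
    if len(head) >= 8 and head[4:8] in CONTAINER_ATOMS:
        size = int.from_bytes(head[:4], "big")
        # 0 means "runs to end of file", 1 means a 64-bit size follows;
        # any other value must at least cover the 8-byte atom header.
        if size in (0, 1) or size >= 8:
            return "qt-container"
    return "unknown"

def check(name: str, data: bytes) -> Optional[str]:
    """Return a finding when a media extension carries non-container content."""
    ext = os.path.splitext(name)[1].lower()
    if ext not in MEDIA_EXTS:
        return None
    kind = sniff(data)
    if kind == "qt-container":
        return None
    return f"{name}: extension {ext} but content looks like {kind}"

# Constructed samples: (file name, leading bytes).
SAMPLES = [
    ("clip.mov", b"\x00\x00\x00\x14ftypqt  \x00\x00\x00\x00qt  "),
    ("trailer.mp4", b'<?xml version="1.0"?><embed/>'),
    ("short.mov", b"\x00\x00\x00\x02moov"),  # atom size smaller than its own header
    ("notes.txt", b"<html></html>"),         # not a media extension, out of scope
]

def scan(samples):
    """Collect findings for every sample whose name and content disagree."""
    return [f for f in (check(n, d) for n, d in samples) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```

A check like this belongs at a mail or web gateway or in a file-upload path, where flagged files can be quarantined before any media handler opens them.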

Intego’s Virus Monitoring Center is keeping a close eye on this bug and whether malicious users are attempting to add payload to QuickTime files. Intego will naturally update the virus definitions for Intego VirusBarrier X5 if this occurs. Intego will be posting more information, as it becomes available, on the Intego Mac Security Blog.


Jason Says:

I want to know if Intego alerted Apple, and how much time they gave them before going public with the alert to hype their own brand name.

Posted on September 22, 2008

Dan Udey Says:

@Jason - Obviously not enough. QuickTime 7.5.5 was released not too long ago - not long enough for reasonable security disclosure - so if they discovered the bug *in* QT 7.5.5 they’re being horrendously irresponsible here. If they discovered it beforehand and Apple released 7.5.5 anyway (likely because it had ‘gone gold’, as they say) then they should provide a reasonable timeframe after the release for the bug to be fixed.

Posted on September 22, 2008

Nan Says:

Why give time to fix the problem? Nobody uses the same white gloves with Microsoft products, so it must be right this way.

Posted on September 22, 2008

Marc Says:

I actually had that problem all day yesterday
It was causing both Safari and Firefox browsers to have massive delays when loading new pages, I had to turn the AirPort card off then on
I loaded Intego virus software and it cleared it up
I do agree about the fishiness of all of this
almost too perfect for Intego to swoop in with a fix, but it did work

Posted on September 22, 2008

Dan Udey Says:

@Nan - Actually, people DO give Microsoft fair warning. The reason Microsoft gets flak isn’t just for having bugs, it’s for taking ages to fix them, or ignoring them entirely. People report bugs to Microsoft and they say ‘Ok, sure, great, thanks for letting us know’, and then four months later - no fix. Then people announce the vulnerability, and Microsoft says ‘Oh crap!’ and has a fix ready in two more months.

Posted on September 22, 2008

Jason Says:

Why give advance notice? Because it is the right thing to do. If you go public about a problem with a given product without giving the manufacturer any time to resolve it and potentially keep users from getting nailed by it, it only hurts everyone. It creates panic, which in turn creates a whole set of new issues far surmounting the original one.

There are teams at Apple, MS, Sun, etc. dedicated to handling problems like this quickly, efficiently and effectively. Intego is doing this SOLELY to promote itself, not for the public good.

If this were a problem with Intego’s software and I went public with it without giving them a chance to address it beforehand, they would say the same thing I am. The only difference is their so-called double standard.

Posted on September 22, 2008
