Just over a week after a dubious duo
found a way to commandeer a Mac thanks to an elusive flaw in QuickTime (of all things), Apple's security police have purportedly fixed the
flaw and issued an update. Apparently, the hole could be "exploited through a rigged website and let an attacker control computers running both Mac OS X and Windows," and the firm elaborated by stating that a "maliciously crafted Java applet could lead to arbitrary code execution" if users didn't apply the patch. The newest version of QuickTime now sits at 7.1.6, and reportedly "repairs the problem by performing additional checking," and interestingly enough,
Apple seemingly tipped its hat to Dino Dai Zovi and the TippingPoint Zero Day Initiative for reporting the issue. So make sure you fire up that Software Update today if you haven't already -- a presumably small bundle of downloadable joy should be waiting.
Reader Comments (Page 1 of 1)
Johnny @ May 2nd 2007 9:38AM
"and interestingly enough, Apple seemingly tipped its hat to Dino Dai Zovi and the TippingPoint Zero Day Initiative for reporting the issue."
This is actually standard practice. If you read the release notes for Apple security updates, you'll see that they routinely give credit for bugs reported by outside parties. For instance, Security Update 2007-004 include hat-tips to Kevin Finisterre, Month of Apple Bugs, Mu Security Research Team, etc.
http://docs.info.apple.com/article.html?artnum=305391
Likewise, Apple didn't "seemingly" tip its hat in this case -- it was a pretty clear-cut credit. From the release notes for the QuickTime update:
"Credit to Dino Dai Zovi working with TippingPoint and the Zero Day Initiative for reporting this issue."
http://docs.info.apple.com/article.html?artnum=305446
daliminator2000 @ May 2nd 2007 9:54AM
@Johnny
I believe it was a reference to the wireless exploit found by Maynor and Ellch - it was a somewhat high-profile controversy since Apple issued a patch for the problem after denying the issue, and without giving the researchers any credit.
Johnny @ May 2nd 2007 10:16AM
I know the Maynor flap was a "high-profile" controversy, but not every Mac security issue revolves around Maynor and Ellch. Plus, Apple never denied the issue as you say. The company's claim was that Maynor and Ellch did not provide Apple with enough details to identify the specific issue, so they conducted an audit of the AirPort software and eliminated the bugs they found. Whether you believe them or not, I don't really care -- the whole mess is long past its expiration date as it is. But let's not repeat the canard that Apple denied there was a security issue in the AirPort drivers.
J @ May 2nd 2007 9:57AM
So in esence the flaw existed because Quicktime is cross platform. It seems that Windows Compatible also means Hacker Compatible. We could say that the Mac is still pretty safe sans platform hoping apps.
josh @ May 2nd 2007 1:26PM
"So in esence the flaw existed because Quicktime is cross platform. It seems that Windows Compatible also means Hacker Compatible. We could say that the Mac is still pretty safe sans platform hoping apps. "
How on earth do you arrive at this logic? The fact that quicktime is crossplatform didn't make it insecure. Last I checked having some version of Quake on your system doesn't mean your system is all of a sudden vulnerable just because it is crossplatform. Quicktime could have only been supported on the mac and it would have STILL had the vulnerability as the reliance on Java is for browser extensiblity (hence the attack vector through Safari in the original discovery) rather than multiplatform support.
If that isn't convincing enough I have a .dmg file for you to download in safari. Don't worry, you don't need to install any of the security updates for safari that apple has released specifically because there are a wealth of known exploits on OS X systems via safari's automatic and improper parsing of .dmg files. Apparently according to your logic Safari should be perfectly safe out of the box since it is OS X specific. In fact, why don't you stop installing any of the QUARTERLY security patches that Apple releases for OS X, patches that address dozens of security vulnerabilities per patch, and instead only update quicktime and iTunes since they are cross platform. I'm sure your system will be invulnerable anyway. Dumbass.
"QuickTime (of all things), "
Not entirely surprising. Quicktime has been none to have security issues in the past (just do a websearch and you will find plenty of articles from security researchers on the subject). Moreover, a great majority of security vulnerabilites on any platform are application level rather than OS level. There are dozens of pieces of malware that propogate because of a flaw in flash that will automatically download and execute code. The last version of Acrobat will arbitrariliy execute code embedded in compromised pdfs (hence the recent update). It isn't surprising quicktime also is an attack vector, especially since it integrates with the webbrowser to a degree (actually, that was specifically the reason this time, since the flaw found exploits a weakness resulting from using Java to help with this browser integration).
MickeyMoo @ May 2nd 2007 10:14AM
I wish a future update would allow a universal disabling of the URL track in Quicktime - you know, the one that fires up your browser and opens 20 porn windows the minute you open something you may have d/loaded from a P2P client (not that I would know about this first hand or anything....)
nigel @ May 2nd 2007 10:39AM
I thought Mac was impenetrable?
Ihar `Philips` Filipau @ May 2nd 2007 10:40AM
Kind of off topic.
Can anybody tell Apple to "fix" their Windows version of QuickTime. They update iTunes often enough to annoy everybody by forced installation of QuickTime Player which always: (1) puts icon into the tray (and useless resident to show the icon) (2) put shortcut of QuickTime player on desktop (though no sane person on PC would ever use QuickTime) and (3) put icon into QuickLaunch bar - though *nobody* even wanted to install QuickTime in first place - 90% of people have QT only because of iTunes.
I'd say: "Apple, keep QuickTime and kill the abomination called 'QuickTime Player', it is useless anyway."
andy @ May 2nd 2007 10:59AM
"Kind of off topic.
Can anybody tell Apple to "fix" their Windows version of QuickTime. They update iTunes often enough to annoy everybody by forced installation of QuickTime Player which always: (1) puts icon into the tray (and useless resident to show the icon) (2) put shortcut of QuickTime player on desktop (though no sane person on PC would ever use QuickTime) and (3) put icon into QuickLaunch bar - though *nobody* even wanted to install QuickTime in first place - 90% of people have QT only because of iTunes.
I'd say: "Apple, keep QuickTime and kill the abomination called 'QuickTime Player', it is useless anyway.""
boohoo, im sure ya wont notice one more flaw in security in windows lol
mattstl77 @ May 2nd 2007 11:40AM
Weird...I thought only Microsoft's software had security flaws. Looks like Apple lost it's "security hole virginity."
Yeah right.
Every Mac and Apple software I have owned has been buggy. This article doesn't surprise me one bit.
Ethan Fortes @ May 2nd 2007 12:06PM
Very nice, Apple, but shouldn't you be working on the iPhone/Leopard??
Matt Williams @ May 2nd 2007 12:16PM
I never trusted the Apple ads where they criticize Windows security, thinking that it was just because it is a less used platform. Now there is demonstrable evidence that their ads are unfounded.
Temujin Kuechle @ May 2nd 2007 1:17PM
The Apple adds just emphasized how common it is for Windows PCs to have exploitable security issues, but Apple made no claim to its own abilities in that area. Most of the security issues faced on the Mac have been vulnerabilities, not exploits. Big difference in definitions here. Actual versus potential would be a better comparison.
Don't get your panties all tied up into knots about that topic, it is really boring anyways.
Someday, all OSs will be nearly the same, and most people won't give a rats ass, like most people already don't care much about computers today.
Dan @ May 2nd 2007 12:57PM
Meh, I wouldn't call a 40+ megabyte file a "small bundle of downloadable joy."
Also, this was not just a security fix. Quicktime 7.1.6 adds support for Final Cut Studio 2 and closed captioning display, but I haven't been able to find more information about this latter enhancement. Does this mean closed captioning could now theoretically be added to video content purchased from iTS?
barnz2k @ May 2nd 2007 11:42PM
Quicktime is one of the worst players around. Its buggy and slow - both mac and PC, and it never plays smoothly on either - even if the codec looks nice it just never plays as well as runs on say ZOOMPLAYER
and come on, Full Screen is a PAID option? are you kidding?
I still dont get the security thing.. Install a FREE antivirus like AVG and a free firewall and your set. dont gimme the but on a mac.. macs have more issues in other areas. time wise your far better off on a PC