Another QuickTime flaw found

By Dawn Kawamoto, CNET News.com
09 November 2005 08:15 AM
Tags: apple, flaw, osx, quicktime, eeye, patch, advisory
Less than three weeks after Apple Computer issued an update to patch four security flaws in its QuickTime media player, a new "critical" problem has been discovered.

The unpatched vulnerability could allow remote execution of code, according to an advisory published on Monday by eEye Digital Security. It affects various versions of Apple QuickTime running on all types of operating systems, the company said, but did not specify which versions in particular were at risk.

eEye said it notified Apple of the flaw on October 31, when it outlined vulnerabilities that were not addressed in Apple's update of October 12. The security company issued a follow-up public advisory on November 3, said Mike Puterbaugh, the senior product marketing director at eEye.

"We don't feel this flaw could result in an Internet worm, as it does require end-user interaction (such as clicking on a link to a malicious Web site or chat session). The affected component is, however, enabled by default," Puterbaugh said.

This newly discovered flaw could allow an attacker to launch remotely executable code, posing as the logged-in user. An intruder, for example, could access and do everything that a user could do on his computer. If the user had administrator rights, the hacker could also access everything that the administrator could.

"The Apple flaw works with their latest version of QuickTime," said Steve Manzuik, eEye product manager. "The only similarity with the earlier flaws is it's in QuickTime."

Apple's earlier patch, version 7.0.3, addressed vulnerabilities found in QuickTime 6.5.2 and 7.0.1 for the Mac OS X operating system and some versions running on Windows. One of those flaws allowed a malicious attacker to launch a denial-of-service attack, while the other three flaws allowed an attacker to remotely execute code and take over users' computers.

Apple has acknowledged receipt of eEye's advisory, but gave no indication of when, or if, it plans to patch the flaw. "It is something they will undoubtedly have to patch," Manzuik said.

Talkback 0 comments

Latest Videos

Sponsored content

Power Centre - Content from our premier sponsors

Blogs

  • Brad Howarth The key Topik is always money
    One of the big problems of the internet is that is practically impossible to keep up-to-date on preferred topics. You can limit your sources, but this can mean missing a lot of valuable data.
  • Array Google open-sources JavaScript tools
    Google announced overnight the release and open-sourcing of a trio of tools designed to help JavaScript developers.
  • Array Do we need the legislative blackmail?
    Virtually everyone in the telecommunications industry has their say in the Senate Standing Committee's public hearing into the pending legislation to split up Telstra, in this week's Twisted Wire podcast.
  • More blogs »

Tags

Back to top

Featured