Contact Us Today! (215) 853-2266

Bardissi Enterprises Blog

Bardissi Enterprises has been serving the Hatfield area since 2000, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

Apple’s Nine QuickTime Flaws Affect OS X and Windows

Severity: Medium

9 September, 2008

Summary:

§ These vulnerabilities affect: OS X 10.4.x (Tiger) and OS X 10.5.x (Leopard), Windows XP, and Windows Vista

§ How an attacker exploits them: By getting your user to view a maliciously-crafted movie, PICT, or QuickTime Virtual Reality (QTVR) file

§ Impact: Various results; in the worst case, an attacker could execute code on your user’s computer, potentially gaining control of it

§ What to do: Download, test and deploy QuickTime 7.5.5 for Windows or OS X

Severity: Medium

9 September, 2008

Summary:

§ These vulnerabilities affect: OS X 10.4.x (Tiger) and OS X 10.5.x (Leopard), Windows XP, and Windows Vista

§ How an attacker exploits them: By getting your user to view a maliciously-crafted movie, PICT, or QuickTime Virtual Reality (QTVR) file

§ Impact: Various results; in the worst case, an attacker could execute code on your user’s computer, potentially gaining control of it

§ What to do: Download, test and deploy QuickTime 7.5.5 for Windows or OS X

Exposure:

Today, Apple released a security update to fix vulnerabilities in QuickTime, their popular media player for both Windows and Macintosh OS X. The update fixes nine security issues (number based on CVE-IDs) present in how QuickTime processes certain file types. Only some of these nine vulnerabilities exploit file types that are in wide use by typical users, and we are not aware of exploits currently active in the wild, so we rate the severity of this update Medium. Apply it at your earliest convenience. The fixed vulnerabilities include:

§ Security flaws in how QuickTime handles movie files. By luring one of your users into viewing a maliciously crafted movie file, an attacker can exploit either of two QuickTime flaws to execute code on that user’s computer (or, less worrisome, crash QuickTime). Some of the files susceptible to this attack would be formatted as H.264 (typically arrives as a .MOV file), MPEG-4 Part 10 (the format used on Blu-Ray and HD-DVD files), or MPEG-4 AVC files (the format used by many consumer-grade camcorders and on iPod and PlayStation3). These vulnerabilities can be exploited on Windows and OS X computers.

§ Flaws in how QuickTime handles PICT images. PICT is a graphical image file format that still enjoys some use, but has largely been replaced by PDFs. An attacker can craft a malicious PICT file that is designed to exploit any of three different errors in how QuickTime opens PICT. If a user opened the booby-trapped file, the results could either crash QuickTime or execute the attacker’s code on the victim’s computer. These flaws affect both Windows and OS X.

Apple’s alert also describes flaws in handling QuickTime Virtual Reality (QTVR) files. QTVR essentially stitches photos together to give the impression of a 360-degree view. You might see it in use, for example, on a web site that shows what the inside of a hotel room looks like. It is not used by the vast majority of our subscribers, so we’ll spare you the details (although you can get them in Apple’s advisory). Apple also mentions flaws in QuickTime’s handling of a codec called Indeo. Indeo is just another way of creating .MOV files.

Solution Path:

Apple has released QuickTime 7.5.5 to fix these security issues. Windows and OS X administrators should download, test, and deploy the appropriate update at their earliest convenience. By default, the download bundles iTunes with QuickTime; because iTunes often has security issues of its own, we recommend that you select the option of downloading QuickTime alone.

§ QuickTime 7.5.5 for Windows

§ QuickTime 7.5.5 for Leopard (Mac OS X 10.5 or later)

§ QuickTime 7.5.5 for Tiger (Mac OS X 10.4.x)

For All Users:

Because QuickTime handles so many different media types (many of which are essential for doing business today), trying to block exploitable file types using your firewall may not be the best way to support your organization’s mission. Instead, your best solution is to download and install Apple’s fixes.

Status:

Apple has released updates to fix these issues.

References:

§ Apple’s August QuickTime advisory

 

Comments

No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Guest
Sunday, 22 December 2024
If you'd like to register, please fill in the username, password and name fields.

Captcha Image

Mobile? Grab this Article!

QR-Code dieser Seite

Blog Archive

Recent Comments

Tip of the Week: Which Headphones are Right for Your Needs?
23 April 2018
I will recommend Plantronics Backbeat Pro 2 SE Noise cancelling Headset with it's Great features.
Gamification: Make Business Fun for Everyone
27 January 2017
The world is based on the games. There are many types of games as per the aussie essay writing servi...
Let's Talk Tablets
12 January 2017
The concept of tablet is far better than that of PC because you can bring them with you everywhere a...
Tip of the Week: Tweak Your Workday in These 4 Ways and See Major Results
12 January 2017
The only thing will I will say regarding this blog is that it is very helpful at least for me. As I ...
WatchGuard Releases Version 10.2.7 for WSM, Edge, Fireware, and Fireware Pro
23 December 2016
I really needed to know about the fireware but i was confused that where can i find information abou...