According to Intego, the problem is with the “quicktime type” tag and its inability to handle long strings. Researchers say any application that uses QuickTime is susceptible to the flaw. This includes applications like iTunes, Safari, Firefox, or Mail, which display media inline. Even Quick Look, Apple’s Finder preview feature, is at risk.
Archives for QuickTime category
The ‘quicktime type=’ tag fails to handle long strings, which can lead to a heap overflow in QuickTime Player, iTunes, or any other program that attempts to display media using a QuickTime plug-in. This can be a browser, such as Apple’s Safari, Microsoft Internet Explorer or Mozilla Firefox, or, on Mac OS X, could be any program that displays graphics or movies inline, such as Mail, or even the Finder if a user tries to view a file with Quick Look.
A security researcher today revealed new and unpatched bugs in the Windows version of Apple Inc.’s QuickTime, just a week after the company plugged a hole known for nearly a month. Laurent Gaffie posted details of vulnerabilities in five functions of a QuickTime ActiveX control to the Full Disclosure security mailing list yesterday, along with proof-of-concept exploit code.
DRM in latest QuickTime cripples Adobe video editing code
Posted on 25 Jan 2008 under QuickTime | No Comment
The latest version of Apple’s QuickTime media player has video production people venting their spleens after discovering that new digital rights management features have crippled the use of editing software from Adobe. Shortly after updating to QuickTime 7.4, legions of people charged chat groups to report they were unable to access files created with Premiere and After Effects, two pricey Adobe programs used for editing video.
The problem, said Auriemma, is when QuickTime tries to open a Real-Time Streaming Protocol (RTSP) connection and the server has closed TCP Port 544. The player then automatically tries to open an HTTP connection on Port 80. An attacker can exploit the weakness by duping a user into visiting a malicious site that includes an rtsp:// link; when QuickTime fails to connect, it would automatically seek out an HTTP server on the same system.
Security researchers warn that attack code targeting an unpatched bug in Apple’s QuickTime has gone public, and added that in-the-wild attacks against systems running Windows XP and Vista are probably not far behind. There was no word as of last Sunday whether the Mac OS X versions of the media player are also vulnerable.
iPhone Could Give Apple Inroad to Enterprise Sales
Posted on 27 Dec 2007 under QuickTime | No Comment
“There are a lot of enterprise users who are going out and buying iPhones,” says Jack E. Gold, president of J. Gold Associates, a technology research and consulting firm.
Apple has released QuickTime 7.3.1, a security update that patches a potentially serious exploit (see “Protect Yourself from the QuickTime RTSP Vulnerability,” 2007-09-07). Unlike many recent security issues on the Mac, malicious code that took advantage of the QuickTime RTSP (Real Time Streaming Protocol) vulnerability was active in the wild: a specially crafted Web page could install malicious software on your computer.
1. Quicktime doesn’t ask whether you actually want to install the browser plugin when you install the QT player
2. You HAVE to install Quicktime if you want to use iTunes
3. You (sort of) HAVE to install iTunes if you want to use an iPod (although I strongly recommend people consider Winamp, which has native support now, or the excellent ml_ipod plugin for Winamp)
4. Quicktime’s browser plugin commandeers associations with a whole range of media types whether you want it to or not
5.
QuickTime streaming media exploit targets unpatched bug
Posted on 4 Dec 2007 under QuickTime | No Comment
Symantec reports that the exploit might be applied to attack users of the latest version of the stand-alone QuickTime player (version 7.3) who are tricked into opening malicious content on hacker-controlled websites. The same attack only crashes the browser of users of QuickTime browser plugins. Email-based attacks featuring attachments with hostile XML code that open a connection to malicious servers are also possible.