A security researcher today revealed new and unpatched bugs in the Windows version of Apple Inc.'s QuickTime, just a week after the company plugged a hole known for nearly a month. Laurent Gaffie posted details of vulnerabilities in five functions of a QuickTime ActiveX control to the Full Disclosure security mailing list yesterday, along with proof-of-concept exploit code.
Archives for QuickTime category
DRM in latest QuickTime cripples Adobe video editing code
Posted on 25 Jan 2008 under QuickTime | No Comment
The latest version of Apple’s QuickTime media player has video production people venting their spleens after discovering that new digital rights management features have crippled the use of editing software from Adobe. Shortly after updating to QuickTime 7.4, legions of people charged chat groups to report they were unable to access files created with Premiere and After Effects, two pricey Adobe programs used for editing video.
The problem, said Auriemma, is when QuickTime tries to open a Real-Time Streaming Protocol (RTSP) connection and the server has closed TCP Port 544. The player then automatically tries to open an HTTP connection on Port 80. An attacker can exploit the weakness by duping a user into visiting a malicious site that includes an rtsp:// link; when QuickTime fails to connect, it would automatically seek out an HTTP server on the same system.
Security researchers warn that attack code targeting an unpatched bug in Apple’s QuickTime has gone public, and added that in-the-wild attacks against systems running Windows XP and Vista are probably not far behind. There was no word as of last Sunday whether the Mac OS X versions of the media player are also vulnerable.
iPhone Could Give Apple Inroad to Enterprise Sales
Posted on 27 Dec 2007 under QuickTime | No Comment
“There are a lot of enterprise users who are going out and buying iPhones,” says Jack E. Gold, president of J. Gold Associates, a technology research and consulting firm.
Apple has released QuickTime 7.3.1, a security update that patches a potentially serious exploit (see “Protect Yourself from the QuickTime RTSP Vulnerability,” 2007-09-07). Unlike many recent security issues on the Mac, malicious code that took advantage of the QuickTime RTSP (Real Time Streaming Protocol) vulnerability was active in the wild: a specially crafted Web page could install malicious software on your computer.
1. Quicktime doesn’t ask whether you actually want to install the browser plugin when you install the QT player
2. You HAVE to install Quicktime if you want to use iTunes
3. You (sort of) HAVE to install iTunes if you want to use an iPod (although I strongly recommend people consider Winamp, which has native support now, or the excellent ml_ipod plugin for Winamp)
4. Quicktime’s browser plugin commandeers associations with a whole range of media types whether you want it to or not
5.
QuickTime streaming media exploit targets unpatched bug
Posted on 4 Dec 2007 under QuickTime | No Comment
Symantec reports that the exploit might be applied to attack users of the latest version of stand-alone QuickTime players (version 7.3), tricked into opening malicious content on hacker-controlled websites. The same attack only crashes the browser of users of QuickTime browser plugins. Email-based attacks featuring attachments with hostile XML code that open a connection to malicious servers are also possible.
QuickTime Flaw a Potential Threat to Second Life Fans
Posted on 3 Dec 2007 under QuickTime | No Comment
While the current exchange rate in Second Life is roughly one U.S. dollar for every 270 Linden dollars, millions of U.S. dollars change hands each day in the virtual world. According to Linden Labs, nearly $1.4 million was exchanged between Second Life users over the past 24 hours. has acknowledged the problem, but said it has no plans to turn off all videos on the Second Life grid.
QuickTime has been receiving a lot of bad press this year. It has had numerous flaws discovered, many of which are severe security vulnerabilities. As it is a cross-platform application it has the potential to be more of a threat and thus is getting more bad attention, but likely the increased success of OS X since its inception has a lot to do with it. Apple cannot afford to delay on getting fixes for these vulnerabilities out. Unless, of course, they want to be in the same boat as Microsoft.