Apple patches QuickTime flaw

Apple has issued a security patch for its QuickTime application nearly 11 days after the disclosure of a highly-publicised vulnerability.

The vulnerability occurs in the way QuickTime handles JavaScript code. An attacker could use a specially-crafted Java applet embedded in a web page to execute code on a machine with the permissions of the current user.

The vulnerability was discovered by independent security researcher Dino Dai Zovi, who developed a working exploit in a matter of hours.

Dai Zovi and partner Shane Macauley used the exploit to win a MacBook Pro and $10,000 prize at the CanSecWest security conference.

The vulnerability was originally reported to exist only in Safari. However, Dai Zovi and Tipping Point later disclosed that the vulnerability affected all Mac and PC Java-enabled browsers on systems with QuickTime installed.


Report a problem with article
Previous Story

Nvidia takes lead in desktop graphics market

Next Story

DRM lobby scrambles to block HD DVD crack


Commenting is disabled on this article.

Incidentally, neither Windows XP (SP1a or newer), nor Vista are vulnerable by default.

A clean install of Windows XP (SP1a or newer) doesn't include Java. No Java, no exploit. :)

Vista doesn't include Java either, and on top of that, it runs IE7 in Protected Mode, which is sandboxed and prevents anything running inside IE from changing anything on your system. So even if Quicktime gets exploited, it can't damage any of your files.

... if only they'd fix all the bugs with iTunes on Vista this fast. If they even know how to fix them, without rewriting the entire application (which probably wouldn't be such a bad idea).

For some reason for me the patch seemed awfully heavy. As soon as Software Update finished my system's performance tanked fast and it took a strange amount of time to restart. It felt like a 10.4.x update. But after the restart my system is running fine, I'm glad that the Safari exploit is gone. Thank you Apple!