main

Apple patches QuickTime flaw

Tom Warren   on 02 May 2007 - 13:08 · 11 comments & 5022 views

Advertisement (Why?)
Apple has issued a security patch for its QuickTime application nearly 11 days after the disclosure of a highly-publicised vulnerability.

The vulnerability occurs in the way QuickTime handles JavaScript code. An attacker could use a specially-crafted Java applet embedded in a web page to execute code on a machine with the permissions of the current user.

The vulnerability was discovered by independent security researcher Dino Dai Zovi, who developed a working exploit in a matter of hours.

Dai Zovi and partner Shane Macauley used the exploit to win a MacBook Pro and $10,000 prize at the CanSecWest security conference.

The vulnerability was originally reported to exist only in Safari. However, Dai Zovi and Tipping Point later disclosed that the vulnerability affected all Mac and PC Java-enabled browsers on systems with QuickTime installed.

View: Vnunet.com

Share this Article

About the Author

Full name: Tom Warren
User name: creamhackered
Contact: via forum PM
Submissions: View All
More: View Bio   New!

Related news

Post a comment · Send to friend Comments · There are 11 additional comments
#1 leesmithg on 02 May 2007 - 13:46
Apple QuickTime Player v7.1.6.200 I installed 5 hours ago, so I guess this is the fix.

(2 replies) #2 SimpleRules on 02 May 2007 - 14:34
hmm, I got this error when I tried to install it:

Windows Installer Error 2738
#2.1 virtorio on 02 May 2007 - 21:18
I've been unable to install QuickTime due to this error ever since I installed Vista.
#2.2 daveoc64 on 02 May 2007 - 22:08
Right click on the installer file and click "Run as Administator".

I only figured it out today.
(1 reply) #3 LTD on 02 May 2007 - 14:41
Just installed on OS X Tiger. No problems at all - quick and easy.

Wow, that was a fast patch release.
#3.1 whocares78 on 03 May 2007 - 03:00
umm no it was rather slow, 11 days for a zero say flaw meant that people were vulnerable for 11 days.
#4 +Axon on 02 May 2007 - 14:46
Update was a breeze on 10.4.9 =)
#5 PsykX on 02 May 2007 - 17:09
Updated yesterday.
#6 AeronPrometheus on 02 May 2007 - 19:19
For some reason for me the patch seemed awfully heavy. As soon as Software Update finished my system's performance tanked fast and it took a strange amount of time to restart. It felt like a 10.4.x update. But after the restart my system is running fine, I'm glad that the Safari exploit is gone. Thank you Apple!
#7 Justin- on 02 May 2007 - 20:15
... if only they'd fix all the bugs with iTunes on Vista this fast. If they even know how to fix them, without rewriting the entire application (which probably wouldn't be such a bad idea).
#8 aaaaa0 on 03 May 2007 - 09:24
Incidentally, neither Windows XP (SP1a or newer), nor Vista are vulnerable by default.

A clean install of Windows XP (SP1a or newer) doesn't include Java. No Java, no exploit.

Vista doesn't include Java either, and on top of that, it runs IE7 in Protected Mode, which is sandboxed and prevents anything running inside IE from changing anything on your system. So even if Quicktime gets exploited, it can't damage any of your files.

Last edited by aaaaa0 on 03 May 2007 - 09:29

Commenting has either been disabled on this article or you are not logged in. Click here to login or register, its free!

Note: Anonymous commenting is disabled in order to keep the quality of responses to a high standard.

Advertisement (Why?)
News powered by Neowin Management System (Build - 5.0.897) © 2000 - 2008 Neowin.net