Apple Fixes Year-old Windows Quicktime Flaw
On Wednesday, Apple issued an update to the Windows version of QuickTime to make void a 13-month old bug, which according to critics was overlooked by the Cupertino, CA-based company whilst fixing the media player in March.
The latest update sets right a vulnerability in QuickTime for Windows XP and Vista. The flaw, which allows malicious manipulation of QuickTime Media Link (.qtl) files, has been described by Apple as a “command injection issue” in the way the media player tackles URLs.
Last year in the month of September, U.K Security Expert Petko D. Petkov pointed out a vulnerability in the QuickTime for Windows XP and Vista version. The latest update fixes that problem. Just a few days back, Petkov posted proof-of-concept code for the vulnerability after stating that Apple had not given any cognizance to his messages. A number samples posted to the internet forced the QuickTime bug as well as one in the open-source Firefox browser to create a drive-by attack capable of invisibly hijacking a PC.
Apple states that the vulnerability is not present in the Mac OS X version of QuickTime. This is the second time that Apple has issued a fix for the flaw. Way back in March, after the issue was discussed in the Month of Apple Bugs project, Apple shipped QuickTime 7.1.5 with a fix that turned out to be insufficient.
Users can either download the 7MB sized patched QuickTime from Apple’s site, or by using the optional Software Update utility packaged with the Windows versions of the player and Apple’s iTunes music store. It requires a restart of Windows.
Sometime back, security researches Petko D. Petkov and Aviv Raff published proof-of-concept exploits to show that QuickTime still had a big protocol handling problem.
Six days after the release of Petkov’s proof-of-concept that affected users of Firefox, Mozilla released Firefox 2.0.0.7 to patch the QuickTime flaw
RSS |
Permanent Link
|
Del.icio.us
|
Cosmos
|
Digg
|
|
