Apple patched several bugs in QuickTime on Thursday, including a three-week-old streaming media vulnerability for which exploit code has been in circulation since the end of November.
At least one security researcher took Apple to task for its slow response and lack of information before Thursday. "In classic Apple style, security researchers have been shouting the warning about this, and Apple has sat quietly, leaving many people wondering when an update might be available," said Andrew Storms, director of security operations at nCircle. "[Then] without any advance notification, we have an update [this afternoon]. There will undoubtedly be some people working late this week to not only catch up from the big Microsoft 'Patch Tuesday' release, but now also to update Apple QuickTime."
Unveiled Thursday afternoon, QuickTime 7.3.1 patches problems in how the program handles three types of media content. The most anticipated fix, however, plugged the Real-Time Streaming Protocol hole first disclosed November 23 by Polish researcher Krystian Kloskowski.
Although the proof-of-concept exploits released by Kloskowski and another researcher who used the alias InTeL fingered only QuickTime running on Windows XP SP2 and Windows Vista as vulnerable, within days other analysts confirmed that the Mac QuickTime was also buggy. By November 29, Symantec was warning clients that Mac exploit code had been published, raising the stakes even higher.
Apple Thursday also patched other media-related vulnerabilities, including a buffer overflow bug in the QuickTime movie file format and an unspecified number of flaws in QuickTime's handling of Flash files. To fix the Flash vulnerabilities, Apple disabled QuickTime's media handler for all Flash content "except for a limited number of existing QuickTime movies that are known to be safe," according to a security advisory the company posted.
The Flash strategy was almost identical to the tack Apple took with Java a month ago when it last patched QuickTime. Then, Apple essentially gave up on Java; rather than patch QuickTime yet again, it simply killed most of its Java-handling skills.
Exploits against any of the vulnerabilities patched Thursday could result in what Apple calls "arbitrary code execution," meaning an attacker can inject malware or hijack the system. Apple does not rank its software mistakes, but other vendors, such as Microsoft, usually label such vulnerabilities as critical.
Existing copies of QuickTime can be updated to 7.3.1 using Mac OS X's built-in Software Update feature, while Windows XP and Vista users can either download the patched version from the Apple Web site or use the Windows-only update tool.
Thursday's update marks the seventh security revision to QuickTime this year. Including the newest flaws, Apple has patched at least 34 vulnerabilities in the player since January 1.
Read up on the latest ideas and technologies from companies that sell hardware, software and services. Refresh your AUP: Top tips to ensure your acceptable use policy is fit for purpose
Gaining Competitive Advantage Through Enterprise Planning
Best Practice in Building an Integrated Information Management Strategy
Taking On Demand CRM Integration to the Next Level
Everything you need to know about email and web security (but were afraid to ask)
Business Intelligence and Enterprise Performance Management: Trends for Emerging Businesses
Strategies for Eliminating .PST Files
Wireless LANs: Is my enterprise at risk?
Zones provide focussed content from Computerworld and leading technology partners.
Discover how SOA can create smarter outcomes for your business.
Attend and learn:
- How SOA is helping leading companies to become more agile
- Where you should be applying SOA processes in your company
- The top SOA implementation mistakes to avoid
Click here for more information.
- +
Computerworld Live Podcast #97: The Future of Enterprise Networking 25/07/2008 09:45:36
This week CW Live chats with Mark Thompson, global sales and marketing manager for HP ProCurve, on the future of the enterprise networking. Mark discusses the trends we can expect to see in the near future and how the right infrastructure can ensure your enterprise network is secure. - +
Computerworld Live Podcast #96: Security at the Edge 11/06/2008 09:22:22
CW Live speaks with Amol Mitra, HP ProCurve Director of Marketing for Asia Pacific and Japan. Today's topic: how enterprises are starting to shift away from simply controlling security via server logins, firewalls and moving to more adaptive security frameworks. - +
Data Management Edition #10: Multi-Petascale Systems 02/05/2008 09:12:33
This week we look at sustainability and the development of multicore technologies to build multi-petascale systems. - +
IT Security Edition #11: How to poison the Storm botnet 01/05/2008 08:51:55
This week CW Live presents a case study on how to poison the notorious Storm botnet . Plus we take a look at Cisco's plans for Ironport. - +
IT Security Edition #10: Cyber-battles fought and won 24/04/2008 11:09:47
Vendors bow to end user pressure to improve product security, and we take a look at the latest concepts shaping the cyber-battlefield of the future.
Mitel Launches Simpler Unified Communications 2008-11-19 17:40:00+11
Symantec Security Products Shine in In-Depth Protection Reviews 2008-11-19 13:01:00+11
Digital Sense opens first stage of the world’s largest data centre complex in Brisbane 2008-11-19 13:00:00+11
RightNow Technologies Delivers RightNow November ’08 Plus New On Demand Enterprise Contact Centre Package 2008-11-19 12:00:00+11
Valorem uniquely deploys RSA SecurID for remote workforce management 2008-11-19 10:16:00+11
Still Sneaking In: The Threats Your Security Tools Aren't Telling You About
Web 2.0 applications are all the rage, offering us tremendous value when it comes to collaboration and communication. They also open us up to new kinds of attacks however, and can cause problems in keeping systems and data secure. Read on to learn about the new attack methods and how you can defend yourself and your business.
Buying Guides
Latest Products
Buying Guides
