Security tester confirms critical QuickTime flaws

Severity of QuickTime flaws 'not exaggerated'

Security researcher Piotr Bania has hit back at claims that he exaggerated the severity of flaws that he discovered in Apple's QuickTime media player. 

As vnunet.com reported yesterday, Bania discovered four flaws in QuickTime versions 6.5.2 and 7.0.1 which he rated "highly critical" as they could be exploited by hackers to remotely execute malicious code.

He notified Apple but then waited until a patched version had been released before publicising his discovery on the Bugtraq security mailing list. 

The flaws were then confirmed and rated highly critical in an advisory by independent security monitoring organisation Secunia. 

But the news generated a storm of protest from Apple loyalists on the vnunet.com comment boards, claiming that the vulnerabilities were either not critical or not capable of being exploited. 

"My rating is the same [as Secunia's]," Bania told vnunet.com after we brought the reader comments to his attention.

"How can you rate 'potential remote code execution vulnerability' as not highly critical? If the vendor confirmed the bug what more do people want? A working worm?"

When asked whether he thought our advice to users of the older QuickTime so ftware to upgrade was misguided, Bania said: "If someone would like to be a potential hacker target, your advice was misguided. All normal users should update the software."

• Security Watchdog Blog: Taking the rough with the smooth