All the latest UK technology news, reviews and analysis


Apple details Quicktime 7.7.3 drive-by vulnerabilities

08 Nov 2012
apple-store-2

Apple has released a fix for a number of vulnerabilities in its QuickTime player, closing critical security holes that had left Windows users vulnerable to drive-by attacks.

The update was initially released on Sunday, though Apple only revealed the reason for the update on Thursday.

According to Apple, the QuickTime update addresses nine vulnerabilities, which could theoretically have been exploited by attackers to crash the application or execute arbitrary code on the user's system.

It is currently unclear whether the vulnerabilities were ever exploited. However speaking to V3, F-Secure security analyst Sean Sullivan warned that the potential damage a successful attack could have done was massive.

"It is really difficult to say exactly how ‘bad' these vulnerabilities are, but based on the names of those that found them, we would make an educated guess: pretty bad indeed," Sullivan told V3.

"There are nine vulnerabilities and they all appear to relate to stuff that would make for good drive-by exploits: PICT; TARGA (image file types); MP4; and flaws in the ActiveX control. So basically, visit a webpage with a maliciously crafted image or movie or HTML and get ‘pwned'," he said.

Sullivan added that  lack of available information regarding the vulnerabilities and whether they had been exploited is systematic of Apple's closed-door approach to security.

"All of the Common Vulnerabilities and Exposures (CVEs) are place holders and none of the sites that track such things have any advanced details, yet," said Sullivan.

"This is modus operandi for Apple. They don't acknowledge that security issues exist until they release a patch."

Sullivan went on to recommend users uninstall Quicktime, clarifying that it is likely there may be more undisclosed vulnerabilities in the media player.

"QuickTime vulnerabilities are why I've never had the software installed on my work computer, and haven't had it installed at home since iTunes no longer required it. The QuickTime plug-in for Windows is a very popular target of Exploit Kits," he said.

"Personally, I would recommend Windows users to uninstall QuickTime if they don't use it much. It isn't required for iTunes anymore, and other than Apple's live-stream the other week, I can't remember the last time I would have needed it."

The QuickTime update is one of many security posts released by Apple over the last few months. Most recently the company released a Safari security update alongside a patch for its iOS mobile operating system on 2 November.

  • Comment  
  • Tweet  
  • Google plus  
  • Facebook  
  • LinkedIn  
  • Stumble Upon  
Alastair Stevenson
About

Alastair has worked as a reporter covering security and mobile issues at V3 since March 2012. Before entering the field of journalism Alastair had worked in numerous industries as both a freelance copy writer and artist.

View Alastair's Google+ profile

More on Security
What do you think?
blog comments powered by Disqus
Poll

BYOD vs CYOD vs BYOC poll

Which approach is your firm taking to managing employees' mobile devices?
22%
13%
4%
22%
28%
11%

Popular Threads

Powered by Disqus
Sony Xperia Z2 Tablet powered by Android KitKat 4.4

Sony Xperia Z2 Tablet video

We take a look at the lightweight, waterproof tablet

Updating your subscription status Loading
Newsletters

Get the latest news (daily or weekly) direct to your inbox with V3 newsletters.

newsletter sign-up button
hpv33

Data protection: the key challenges

Deduplication is a foundational technology for efficient backup and recovery

rdc2

iPad makes its mark in the enterprise

The iPad can become a supercharged unified communications endpoint, allowing users to enhance their productivity

Software Development Engineer

Develop: Customise: Configure. Maximise your technical...

Retail and Finance Application Developer and Support Analyst

MS Dynamics Nav: Retail and Finance Application Developer...

Senior Database Developer - SQL, WPF

THE COMPANY: Halarose is a dynamic, small...

Technical Analyst: ICT Services

Technical Analyst: ICT Services £21,005 Woking...
To send to more than one email address, simply separate each address with a comma.