All the latest UK technology news, reviews and analysis

Apple details Quicktime 7.7.3 drive-by vulnerabilities

08 Nov 2012

Apple has released a fix for a number of vulnerabilities in its QuickTime player, closing critical security holes that had left Windows users vulnerable to drive-by attacks.

The update was initially released on Sunday, though Apple only revealed the reason for the update on Thursday.

According to Apple, the QuickTime update addresses nine vulnerabilities, which could theoretically have been exploited by attackers to crash the application or execute arbitrary code on the user's system.

It is currently unclear whether the vulnerabilities were ever exploited. However speaking to V3, F-Secure security analyst Sean Sullivan warned that the potential damage a successful attack could have done was massive.

"It is really difficult to say exactly how ‘bad' these vulnerabilities are, but based on the names of those that found them, we would make an educated guess: pretty bad indeed," Sullivan told V3.

"There are nine vulnerabilities and they all appear to relate to stuff that would make for good drive-by exploits: PICT; TARGA (image file types); MP4; and flaws in the ActiveX control. So basically, visit a webpage with a maliciously crafted image or movie or HTML and get ‘pwned'," he said.

Sullivan added that  lack of available information regarding the vulnerabilities and whether they had been exploited is systematic of Apple's closed-door approach to security.

"All of the Common Vulnerabilities and Exposures (CVEs) are place holders and none of the sites that track such things have any advanced details, yet," said Sullivan.

"This is modus operandi for Apple. They don't acknowledge that security issues exist until they release a patch."

Sullivan went on to recommend users uninstall Quicktime, clarifying that it is likely there may be more undisclosed vulnerabilities in the media player.

"QuickTime vulnerabilities are why I've never had the software installed on my work computer, and haven't had it installed at home since iTunes no longer required it. The QuickTime plug-in for Windows is a very popular target of Exploit Kits," he said.

"Personally, I would recommend Windows users to uninstall QuickTime if they don't use it much. It isn't required for iTunes anymore, and other than Apple's live-stream the other week, I can't remember the last time I would have needed it."

The QuickTime update is one of many security posts released by Apple over the last few months. Most recently the company released a Safari security update alongside a patch for its iOS mobile operating system on 2 November.

  • Comment  
  • Tweet  
  • Google plus  
  • Facebook  
  • LinkedIn  
  • Stumble Upon  
Alastair Stevenson

Alastair has worked as a reporter covering security and mobile issues at V3 since March 2012. Before entering the field of journalism Alastair had worked in numerous industries as both a freelance copy writer and artist.

View Alastair's Google+ profile

More on Security
What do you think?
blog comments powered by Disqus

Windows 10 poll

What are your first impressions of Windows 10?

Popular Threads

Powered by Disqus
V3 Sungard roundtable event - Cloud computing security reliability and scalability discussion

CIOs debate how to overhaul businesses for the digital era

V3 hosts roundtable with Sungard Availability Services

Updating your subscription status Loading

Get the latest news (daily or weekly) direct to your inbox with V3 newsletters.

newsletter sign-up button

Getting started with virtualisation

Virtualisation can help you reduce costs, improve application availability, and simplify IT
management. However, getting started can be challenging


Converting big data and analytics insights into results

Successful leaders are infusing analytics throughout their organisations to drive smarter decisions, enable faster actions and optimise outcomes

Junior Software / App Developer - VC Backed Medical Tech Start-Up

Junior Software / App Developer - University Spin Off...

Web Developer - £30k - £37k, Manchester city centre, PHP, MVC, Python

PHP Web Developer - Manchester city centre, £30k - £37k...

IT Systems Administrator - Warrington, £40k - £45k basic, Concept

IT Systems Administrator - Birchwood, Warrington, £40k...
To send to more than one email address, simply separate each address with a comma.