Apple details QuickTime 7.7.3 drive-by vulnerabilities

08 Nov 2012

Apple has released a fix for a number of vulnerabilities in its QuickTime player, closing critical security holes that had left Windows users vulnerable to drive-by attacks.

The update was initially released on Sunday, though Apple only revealed the reason for the update on Thursday.

According to Apple, the QuickTime update addresses nine vulnerabilities, which could theoretically have been exploited by attackers to crash the application or execute arbitrary code on the user's system.

It is currently unclear whether the vulnerabilities were ever exploited. However, speaking to V3, F-Secure security analyst Sean Sullivan warned that the potential damage a successful attack could have done was massive.

"It is really difficult to say exactly how 'bad' these vulnerabilities are, but based on the names of those that found them, we would make an educated guess: pretty bad indeed," Sullivan told V3.

"There are nine vulnerabilities and they all appear to relate to stuff that would make for good drive-by exploits: PICT; TARGA (image file types); MP4; and flaws in the ActiveX control. So basically, visit a webpage with a maliciously crafted image or movie or HTML and get 'pwned'," he said.

Sullivan added that the lack of available information regarding the vulnerabilities and whether they had been exploited is symptomatic of Apple's closed-door approach to security.

"All of the Common Vulnerabilities and Exposures (CVEs) are placeholders and none of the sites that track such things have any advanced details, yet," said Sullivan.

"This is modus operandi for Apple. They don't acknowledge that security issues exist until they release a patch."

Sullivan went on to recommend that users uninstall QuickTime, adding that the media player is likely to contain more undisclosed vulnerabilities.

"QuickTime vulnerabilities are why I've never had the software installed on my work computer, and haven't had it installed at home since iTunes no longer required it. The QuickTime plug-in for Windows is a very popular target of Exploit Kits," he said.

"Personally, I would recommend Windows users to uninstall QuickTime if they don't use it much. It isn't required for iTunes anymore, and other than Apple's live-stream the other week, I can't remember the last time I would have needed it."

The QuickTime update is one of many security posts released by Apple over the last few months. Most recently the company released a Safari security update alongside a patch for its iOS mobile operating system on 2 November.

Alastair Stevenson
About

Alastair has worked as a reporter covering security and mobile issues at V3 since March 2012. Before entering the field of journalism Alastair had worked in numerous industries as both a freelance copy writer and artist.
