Updates released by Apple on Tuesday include security fixes for its iPod Touch, iPhone, and QuickTime media software, but QuickTime remains vulnerable to a recently disclosed Real-Time Streaming Protocol (RTSP) exploit.
"The noteworthy areas of this are the QuickTime fixes," said Andrew Storms, director of security operations at nCircle, a network security company. "Probably more interesting than what they fixed is the fact that these weren't previously known vulnerabilities. ... They fixed three things we didn't know about but didn't fix the thing everybody wished would get fixed."
QuickTime 7.4 addresses four issues that affect Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, and Windows XP SP2. The vulnerabilities are related to possible memory corruption arising from the way QuickTime handles Sorenson 3 video files, Image Descriptor atoms, PICT files, and Macintosh Resource records in movie files.
"The QuickTime updates address four vulnerabilities, all of which could permit arbitrary code execution," Storms said in an e-mail. "In addition, each vulnerability pertains to file parsing/handling bugs, and this is a problem that both Apple and Microsoft have been battling for a number of years. These types of vulnerabilities continue a trend away from older network-style attacks and toward client-side attacks utilizing multimedia delivery methods for malware."
"Apple QuickTime contains a buffer overflow vulnerability in the way QuickTime handles RTSP response messages," US-CERT said in a vulnerability note published last week, adding that maliciously crafted response messages can crash the QuickTime Player, giving the attacker control over the victim's system.
In order to exploit the vulnerability, a QuickTime user needs to be convinced to open a malicious RTSP stream. Apple Mac OS X and Microsoft Windows versions of QuickTime are affected, according to US-CERT. Among other precautions, US-CERT recommends uninstalling QuickTime and blocking the rtsp:// protocol until a fix is made available.
Apple also patched three vulnerabilities affecting its iPod Touch and iPhone. Two of the fixes address browser flaws (one in Safari and one in WebKit, Safari's browser engine) and the third repairs a flaw in the iPhone's Passcode Lock, which could have allowed an attacker in physical possession of a locked iPhone to bypass the lock.
According to Storms, Apple fixed a similar vulnerability in Mac OS X 10.2 that allowed users to bypass the screen lock.