Apple Patches Year-Old Windows QuickTime Vulnerability - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Software // Enterprise Applications

Apple Patches Year-Old Windows QuickTime Vulnerability

The flaw, which affects Windows XP and Windows Vista machines, opens up a backdoor that could enable a hacker to break into Firefox.

Apple has taken another swing at fixing a troublesome spate of QuickTime vulnerabilities.

The company released an update for the Windows version of QuickTime media player on Wednesday afternoon to patch what Apple calls a "command injection issue" in the way the media player handles URLs. The flaw, which affects Windows XP and Windows Vista, was first disclosed in September of 2006 by Petko D. Petkov, a penetration tester.

Petkov noted in a blog post this September that he reported two QuickTime bugs in the early fall of 2006. Only one, however, was patched. To bring attention to the year-old vulnerability, Petkov posted several proof-of-concept exploits on his blog last month.

At the time, the researcher wrote in his blog, Gnucitizen, that he posted a demonstration of how the bug could be used to hack into Firefox to make a point. "The first vulnerability was fixed, but the second one was completely ignored," he wrote. "I tried to bring the spotlight on the second vulnerability one more time over here, yet nobody listened. So, I decided to post a demonstration of how a Low risk issue can be turned into a very easy to perform HIGH risk attack."

Petkov also reported that the flaw was a particular problem for the Mozilla Foundation's open-source Firefox browser.

Mozilla soon confirmed that the year-old unpatched QuickTime vulnerability opens up a backdoor that could enable a hacker to break into Firefox. Then just six days after the proof-of-concept code was released, Mozilla updated Firefox to fix the problem. "This will protect Firefox users from the public critical security vulnerability until a patch is available from Apple," wrote Window Snyder, Mozilla's top security executive, in her blog.

Now, nearly a month after the proof-of-concept code was posted, Apple has released a fix for the vulnerability.

Apple noted in an online advisory that by enticing a user to open a specially crafted QTL file, an attacker be able to execute malicious code on the machine. The company reported that it fixed the problem by improving URL handling.

The issue does not affect computers running Mac OS X even if they have a Firefox browser, according to Apple.

Apple has issued at least four separate patch updates for QuickTime in the last several months.

QuickTime is Apple's multimedia technology for dealing with video, sound, animation, text, and music. The technology is widely used. The highly popular iPod uses the iTunes media player, which people run on their PCs and Macs. ITunes, in turn, uses QuickTime.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Can Cloud Revolutionize Business and Software Architecture?
Joao-Pierre S. Ruth, Senior Writer,  1/15/2021
10 IT Trends to Watch for in 2021
Cynthia Harvey, Freelance Journalist, InformationWeek,  12/22/2020
How CDOs Can Build Insight-Driven Organizations
Jessica Davis, Senior Editor, Enterprise Apps,  1/15/2021
White Papers
Register for InformationWeek Newsletters
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you.
Flash Poll