Apple patches QuickTime flaw
The consumer technology maker issues a security advisory and fix for a QuickTime flaw that the company describes as a minor issue. The firm that found the flaw says the problem is more serious.
Apple said the flaw in the QuickTime movie player for Mac OS X could cause the player to crash. "Playing a malformed .mov (movie) file could cause QuickTime to terminate," Apple said in an advisory published on late Friday afternoon.
The company that found and reported the flaw to Apple in February, eEye Digital Security, claimed Apple is downplaying the seriousness of the flaw in its advisory. A movie file could be created, the firm maintained, that would cause malicious code to execute when the user opened the file.
"We told them that if you are not able to execute code then talk to us, so we can show you the issues," said Marc Maiffret, chief hacking officer for eEye Digital Security.
An Apple representative could not be reached for comment.
Since movie files are not generally thought to carry code, the flaw could be used to disguise a virus or Trojan horse program and lure unsuspecting Mac users into running the program.
Apple released an update to QuickTime earlier Friday morning but didn't publish a security advisory until eEye discovered that Apple had patched the security flaw in the software update. When the company contacted Apple, the computer maker agreed to issue a security advisory as well.
"You just can't put out a patch without an advisory, because then the bad guys will look at the binary and find the flaw," said Maiffret. "You need to tell people, or else you are doing your customers a disservice."
Unlike a previously discovered spoofing technique, the QuickTime issue actually involves a security flaw in the program. Apple released patches for several other vulnerabilities earlier this month.
The patch for the problem can be downloaded from Apple's download site or through the Mac OS X's automatic update service.