Another QuickTime flaw found

Soon after a patch for four security flaws is issued, a new "critical" hole is found in Apple's popular media player.

Dawn Kawamoto Former Staff writer, CNET News

Dawn Kawamoto covered enterprise security and financial news relating to technology for CNET News.

Dawn Kawamoto

Nov. 18, 2005 2:20 p.m. PT

2 min read

Less than three weeks after Apple Computer issued an update to patch four security flaws in its QuickTime media player, a new "critical" problem has been discovered.

The unpatched vulnerability could allow remote execution of code, according to an advisory published Monday by eEye Digital Security. It affects various versions of Apple QuickTime running on all types of operating systems, the company said, but did not specify which versions in particular were at risk.

eEye said it notified Apple of the flaw on Oct. 31, when it outlined vulnerabilities that were not addressed in Apple's update of Oct. 12. And although Apple issued a security advisory Nov. 3 regarding its patch and the four flaws, that advisory did not address the new flaw eEye discovered, said Mike Puterbaugh, eEye's senior product marketing director.

"We don't feel this flaw could result in an Internet worm, as it does require end-user interaction (such as clicking on a link to a malicious Web site or chat session). The affected component is, however, enabled by default," Puterbaugh said.

This newly discovered flaw could allow an attacker to pose as the logged-in user and launch remotely executable code. An intruder, for example, could access and do everything that a user could do on his computer. If the user had administrator rights, the hacker could also access everything that the administrator could.

"The Apple flaw works with their latest version of QuickTime," said Steve Manzuik, eEye product manager. "The only similarity with the earlier flaws is it's in QuickTime."

The new issue affects a different QuickTime function than the four earlier flaws, which included a missing movie attribute that could be interpreted as an extension. The absence of the actual extension is not detected, resulting in a "dereference of a null pointer."

Another of the earlier four flaws included an integer overflow that could be remotely exploited through a specially crafted video file.

eEye has declined to provide more specifics in its security advisories until the vendor has issued a patch. That policy is designed to prevent hackers from reverse engineering the problem to launch an attack while the vendor works to fix the flaw.

Apple's earlier patch, version 7.0.3, addressed vulnerabilities found in QuickTime 6.5.2 and 7.0.1 for the Mac OS X operating system and some versions running on Windows. One of those flaws allowed a malicious attacker to launch a denial-of-service attack, while the other three flaws allowed an attacker to remotely execute code and take over users' computers.

Apple told CNET News.com that it was not prepared to comment at this time. Manzuik said that on Monday Apple acknowledged receipt of eEye's advisory, but gave no indication of when, or if, it plans to patch the flaw.

"It is something they will undoubtedly have to patch," he added.