Apple sounds alarm over QuickTime flaws

"Highly critical" bug in media player could open door for a denial-of-service attack, security company says.

Dawn Kawamoto Former Staff writer, CNET News

Dawn Kawamoto covered enterprise security and financial news relating to technology for CNET News.

Dawn Kawamoto

Nov. 4, 2005 10:31 a.m. PT

2 min read

Apple Computer late Thursday issued an alert about flaws in its QuickTime media player that could allow a malicious attacker to launch a denial-of-service attack or remote code execution.

QuickTime versions 6.5.2 and 7.0.1 for the Mac OS X operating system are affected by the vulnerabilities, as well as some versions for Microsoft Windows, according to a Friday report by security company Secunia, which rated the vulnerabilities "highly critical."

Apple has issued an update, QuickTime 7.0.3, to fix the four flaws. The patch was posted to Apple's Web site on Oct. 12.

One vulnerability can result in a denial-of-service, or DOS, attack against any application loading remotely originated content. The flaw involves a missing movie attribute, which is interpreted as an extension. The absence of the actual extension, however, is not detected, resulting in a "dereference of a null pointer," Apple warned.

Another security hole involves an integer overflow that may be remotely exploited through a specially crafted video file. This could lead to an arbitrary execution of code.

"Three of the vulnerabilities can launch malicious code that allows an attacker to snoop on users," said Thomas Kristensen, Secunia's chief technology officer. "The other vulnerability is a DOS attack that will only work in a few cases and crash the media player when it tries to open a file."

Last June, Apple released QuickTime 7.0.1 to address a security flaw and deliver several improvements to its media player. The update was designed to modify the Quartz Composer plug-in, which previously could allow an attacker to tap into local data and distribute it to an arbitrary Web site.