Apple has patched a now infamous flaw in its QuickTime media player first discovered in a hacking contest at the CanSecWest conference last month. Apple updated QuickTime to version 7.1.6 on Tuesday, fixing the vulnerability on Mac OS X versions 10.3.9 and 10.4.9, Windows XP with Service Pack 2 and Windows 2000 with Service Pack 4.
To execute malicious code, an attacker must lure a user to a webpage containing a maliciously crafted Java applet. The update fixes the issue by performing additional bounds checking when creating QTPointerRef objects, according to Apple’s advisory.
The issue, initially believed to exist in Safari, was first disclosed during a "hack-a-Mac" contest at CanSecWest in the US last month.
Researcher Dino Dai Zovi was credited with discovering the flaw.
User interaction is required for successful exploitation: a victim must visit a malicious page, according to a Tuesday advisory from TippingPoint’s ZeroDay Initiative (ZDI).
ZDI disclosed that a lack of sanity checking on parameters passed through the Java Virtual Machine was partially responsible for the flaw.
Vulnerable vectors include Microsoft’s Internet Explorer, Mozilla’s Firefox and Apple’s Safari running on Mac OS X 10.4.9 and Windows Vista, according to the advisory.
Researcher Thomas Ptacek said on the Matasano Chargen blog that the vulnerability appears to be an integer overflow.
"In applet form, this reliably crashes my browsers. It is both deliberately and organically far from being useful to an attacker. Note that without comments, it’s five lines of code," he said. "Get this one patched quickly. From the (ZeroDay Initiative) advisory and the (QuickTime) Java documentation, it looks like it takes very little time to figure this one out."
Jeremiah Grossman, founder and CTO of WhiteHat Security, told SCMagazine.com today that end users and administrators should patch quickly.
"All of the QuickTime vulnerabilities are pretty bad, so it’s one of many and it’s something serious that should be patched quickly," he said. "For us, it was a high-profile issue, and certainly the bad guys saw it as that as well."
Joel Esler, SANS Internet Storm Center handler, credited Apple today for turning out a patch in less than two weeks.
"Twelve days to put out an update for Apple," he said on the organisation’s diary. "Not too bad."
Also on Monday, Apple fixed a flaw in AirPort for Mac OS X version 10.3.9 that caused AirPort to lose its connection after sleep mode, and a vulnerability in FTPServer for OS X Server version 10.4.9 that allowed users with FTP access to navigate directories outside the normal scope.