November 8, 2005 11:46 AM PST
Another QuickTime flaw found
- Related Stories
-
Apple criticized for security advisories
May 4, 2004 -
Apple patches QuickTime flaw
April 30, 2004 -
OS X flaw may leave Macs open to virus attacks
April 9, 2004
The unpatched vulnerability could allow remote execution of code, according to an advisory published Monday by eEye Digital Security. It affects various versions of Apple QuickTime running on all types of operating systems, the company said, but did not specify which versions in particular were at risk.
eEye said it notified Apple of the flaw on Oct. 31, when it outlined vulnerabilities that were not addressed in Apple's update of Oct. 12. And although Apple issued a security advisory Nov. 3 regarding its patch and the four flaws, that advisory did not address the new flaw eEye discovered, said Mike Puterbaugh, eEye's senior product marketing director.
"We don't feel this flaw could result in an Internet worm, as it does require end-user interaction (such as clicking on a link to a malicious Web site or chat session). The affected component is, however, enabled by default," Puterbaugh said.
This newly discovered flaw could allow an attacker to pose as the logged-in user and launch remotely executable code. An intruder, for example, could access and do everything that a user could do on his computer. If the user had administrator rights, the hacker could also access everything that the administrator could.
"The Apple flaw works with their latest version of QuickTime," said Steve Manzuik, eEye product manager. "The only similarity with the earlier flaws is it's in QuickTime."
The new issue affects a different QuickTime function than the four earlier flaws, which included a missing movie attribute that could be interpreted as an extension. The absence of the actual extension is not detected, resulting in a "dereference of a null pointer."
Another of the earlier four flaws included an integer overflow that could be remotely exploited through a specially crafted video file.
eEye has declined to provide more specifics in its security advisories until the vendor has issued a patch. That policy is designed to prevent hackers from reverse engineering the problem to launch an attack while the vendor works to fix the flaw.
Apple's earlier patch, version 7.0.3, addressed vulnerabilities found in QuickTime 6.5.2 and 7.0.1 for the Mac OS X operating system and some versions running on Windows. One of those flaws allowed a malicious attacker to launch a denial-of-service attack, while the other three flaws allowed an attacker to remotely execute code and take over users' computers.
Apple told CNET News.com that it was not prepared to comment at this time. Manzuik said that on Monday Apple acknowledged receipt of eEye's advisory, but gave no indication of when, or if, it plans to patch the flaw.
"It is something they will undoubtedly have to patch," he added.
facts that are current, I have to show you that it's not.
You said that the START one is a virus? I'll quote:
Affects: PowerPC Macintoshes and compatibles, typically running
QuickTime v2.0 with the "Enable CD-ROM AutoPlay" option
enabled
Okay - First, Quicktime 2.0? There is not one copy of OSX
running Quicktime 2.0. Not one. OSX Started with Quicktime
5.5 I believe Quicktime now is on 7.x. Enable CD-ROM
autoplay? There is none is in OSX.
2. viruses specifically for apple.
3. more and more flaws in apple software and OS found quicker.
People all try to say virus/spyware writers do it for fame. NO. They do it for Money. Selling information stolen by a worm/virus/spyware on a windows box is worth a hell of a lot more than bothering to hit 5% of the world market for the same reason.
Face it, what home users are going to use will have viruses written for it. Everyone knows that as soon as the OS is out of beta home users will use a version of it. It will ship with the new pcs. Dell, Gateway, HP, etc will throw the OS on their systems and let the home users have at it.
Cal me a liar about the audio proof if ya want. But, proof is proof.
Its basically like this: ANY windows OS, beta or not, is going to have its flaws exposed because until windows is no longer the main OS of the world, people will use its flaws and holes to make money.
MAC OSX? Not a major player in the world market, thus not worth a virus/spyware writer's time.
Fame is way overrated.
- APPLE HAVE A FLAW! NO!!! NONONO!!!
-
by laroberts
November 11, 2005 5:29 AM PST
- Whats this... Apple have a flaw? Can it be? But Apple and its users are so.... perfect. Is this possible? LMAO.... I really do Apple gets a little popular again so that it will start getting targeted for every bug and virus under the sun. Bill Gates is miles ahead of Apple and it will stay that way. Apple just needs to stick to its teenagers who like Ipods and leave the OS stuff to the big boys.
-
Reply to this comment
View
reply
-
-
See all 31 Comments >>