Apple patches 17 vulnerabilities in QuickTime, getting by with a little help from its friends
Apple has been given some rare applause from the security community for tackling some critical vulnerabilities in its QuickTime media player.
A total of 17 flaws were patched by Apple, several of them ranked as critical because attackers could have exploited them for remote code execution, according to a security advisory.
Apple had a large batch of external researchers to thank for finding the flaws, with the HP Zero Day Initiative uncovering the majority of them.
Rodrigo Rubira Branco, from Qualys Vulnerability & Malware Research Labs, who discovered a memory corruption flaw in the software, praised Apple for working with him on patching the vulnerability. The flaw meant that a user viewing a maliciously crafted .pict file in QuickTime could have been hit by “an unexpected application termination or arbitrary code execution”.
“A typical attack would embed such a file into a webpage and use social engineering to drive users into viewing the page. So far, there have been no reports of attackers exploiting this vulnerability yet,” Branco said.
“To put this into context, QuickTime is used by 61 percent of all internet enabled PCs, including 49 percent of all Windows PCs and 98 percent of all Apple computers… Even if you don’t use QuickTime by default to play movies and videos, it can be used as the media player for the PCT format on all web browsers, including Chrome, Safari, Internet Explorer and Firefox.
“All users, consumers and businesses alike, should download the security update as soon as possible since simply browsing to a malicious web page on any web browser can activate this vulnerability.”
Branco said Apple had been “very professional” in giving him consistent updates on the patch development process. “It was great to see a company of Apple’s size taking a proactive role to ensure that their software and their users are protected from major vulnerabilities like this one,” he added.
Apple took a bashing from a number of security professionals over its handling of the Flashback malware saga. After over 600,000 Macs were infected with the malicious software, Apple was criticised for taking too long to issue updates and not being regular enough with them.
Earlier this week, the iPhone maker released a patch protecting Leopard users against Flashback, following criticism that the company had not given full protection to those running its older operating systems.
Following an update in February, it emerged last week that a version of FileVault in Mac OS X Lion stored passwords in a plain text file, meaning they were readable to any user with root or administrative access. That issue has now been fixed.