Apple patches 10 critical QuickTime bugs

TippingPoint unknowingly pays for bug revealed in Mac Hacker's Handbook

Apple on Monday patched 10 critical vulnerabilities in QuickTime, including one that was hinted at in a Mac hacking book three months ago.

Eight of the bugs patched by QuickTime 7.6.2 affect both the Mac and Windows versions, while two others affect only QuickTime for Windows XP and Vista. Apple described all 10 as allowing "arbitrary code execution," the phrase it uses for its most serious class of flaw: one that, if exploited, could let an attacker take control of the PC or Mac. Unlike vendors such as Microsoft and Oracle, Apple doesn't rank the bugs it fixes with a scoring or labeling system.

Monday's update was Apple's second this year for the player, and brings the number of QuickTime vulnerabilities patched in 2009 to 17; last year, Apple patched 30 QuickTime vulnerabilities.

"They're what one would expect for QuickTime, file format processing bugs," said Andrew Storms, director of security operations at nCircle Network Security, in an instant message.

Storms had it right: All 10 vulnerabilities involved a file format issue of one sort or another. Three of the bugs were in how QuickTime parses movie files, two were in its handling of PICT image files and others were traced to problems dealing with JP2 (JPEG 2000), MS ADPCM-encoded (Adaptive Differential Pulse Code Modulation) audio, PhotoShop and animation file formats.

Apple has patched dozens of file format flaws in QuickTime over the years. Last September, for instance, it dealt out patches for problems in parsing PICT images, QTVR (QuickTime Virtual Reality) files, QuickTime movies, H.264-encoded movies and Indeo-encoded video.

File format vulnerabilities, and lots of them, are to be expected with a program like QuickTime, said Pedram Amini, manager of security research at 3com's Austin, Texas-based TippingPoint. "QuickTime has a huge attack surface," said Amini, "because of all the file formats it supports."
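The bugs described above all come from the same place: a parser trusting a length field read out of the file. As an illustration added here (not QuickTime's code and not any of the specific bugs Apple patched), the walker below parses the top-level atom structure that QuickTime movie files use: a 4-byte big-endian size that includes the 8-byte header, a 4-byte type code, with size 0 meaning "extends to end of file" and size 1 meaning a 64-bit size follows. Each of those rules is checked against the bytes actually present before the declared size is used, which is exactly the check a vulnerable parser omits. The sample buffers are constructed for the example and are not real movie files.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* One parsed atom header. */
typedef struct {
    size_t offset;   /* start of the header within the buffer */
    size_t size;     /* total atom size, header included */
    char type[5];    /* four-character code, NUL-terminated */
} atom_t;

static uint32_t rd32be(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Walk the top-level atoms in buf. Returns the number of atoms found, or -1
 * if the data is malformed: a header cut off by the end of the buffer, a
 * size too small to cover its own header, or a size that runs past the end
 * of the buffer. A parser that skips the last check reads (or copies)
 * attacker-controlled lengths of memory, which is the classic file-format bug. */
int walk_atoms(const uint8_t *buf, size_t len, atom_t *out, int max_out) {
    size_t pos = 0;
    int n = 0;
    while (pos < len) {
        if (len - pos < 8) return -1;                 /* truncated 8-byte header */
        uint64_t size = rd32be(buf + pos);
        size_t hdr = 8;
        if (size == 1) {                              /* 64-bit extended size follows the type */
            if (len - pos < 16) return -1;
            size = ((uint64_t)rd32be(buf + pos + 8) << 32) | rd32be(buf + pos + 12);
            hdr = 16;
        } else if (size == 0) {                       /* atom extends to the end of the buffer */
            size = len - pos;
        }
        if (size < hdr) return -1;                    /* cannot even cover its header */
        if (size > len - pos) return -1;              /* declared size exceeds the data present */
        if (n < max_out) {
            out[n].offset = pos;
            out[n].size = (size_t)size;
            memcpy(out[n].type, buf + pos + 4, 4);
            out[n].type[4] = '\0';
        }
        n++;
        pos += (size_t)size;                          /* size <= len - pos, so this cannot overflow */
    }
    return n;
}

/* Constructed sample inputs (not real QuickTime files). */
static const uint8_t sample_ok[] = {
    0, 0, 0, 16, 'f', 't', 'y', 'p', 'q', 't', ' ', ' ', 0, 0, 0, 0,  /* 16-byte ftyp */
    0, 0, 0, 8,  'f', 'r', 'e', 'e',                                  /* 8-byte free */
    0, 0, 0, 0,  'm', 'd', 'a', 't', 1, 2, 3, 4                       /* size 0: runs to end */
};
static const uint8_t sample_oversize[] = {
    0, 0, 0, 64, 'm', 'o', 'o', 'v', 0, 0, 0, 0          /* claims 64 bytes, 12 present */
};
static const uint8_t sample_tiny[] = {
    0, 0, 0, 4, 'w', 'i', 'd', 'e'                       /* size 4 is smaller than the header */
};
static const uint8_t sample_ext[] = {
    0, 0, 0, 1, 'm', 'd', 'a', 't', 0, 0, 0, 0, 0, 0, 0, 20, 0xAA, 0xBB, 0xCC, 0xDD  /* 64-bit size 20 */
};
static const uint8_t sample_trunc[] = {
    0, 0, 0, 16, 'f', 't', 'y'                           /* header cut off after 7 bytes */
};

static atom_t scratch[8];

int main(void) {
    int n = walk_atoms(sample_ok, sizeof sample_ok, scratch, 8);
    for (int i = 0; i < n; i++)
        printf("%s at %zu, %zu bytes\n", scratch[i].type, scratch[i].offset, scratch[i].size);
    printf("oversize -> %d, tiny -> %d, extended -> %d, truncated -> %d\n",
           walk_atoms(sample_oversize, sizeof sample_oversize, scratch, 8),
           walk_atoms(sample_tiny, sizeof sample_tiny, scratch, 8),
           walk_atoms(sample_ext, sizeof sample_ext, scratch, 8),
           walk_atoms(sample_trunc, sizeof sample_trunc, scratch, 8));
    return 0;
}
```

The three malformed samples are the kinds of inputs a fuzzer throws at a player: every rejected case is one where a walker that simply did `pos += size` or `memcpy(dst, buf + pos + 8, size - 8)` would read past the end of the file's bytes in memory.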

Six of the vulnerabilities were reported or co-reported to Apple by TippingPoint's bug bounty program, the second time in the last three weeks that a cash-for-bugs scheme has contributed the majority of the flaws in a vendor's update. Last month, TippingPoint's rival, VeriSign's iDefense, reported 10 of the 14 PowerPoint vulnerabilities patched by Microsoft.

The large number of bugs attributed to TippingPoint was a timing coincidence, said Amini. Although the company typically passes along vulnerability reports to vendors as soon as it has vetted the bugs, there are times it holds them, then presents a batch to the vendor. "If we have several submitted for the same application, we like to get a full view of all the vulnerabilities to make sure there aren't any that overlap," said Amini.

One of TippingPoint's half-dozen, the JP2 handling bug, was credited to Charlie Miller, a researcher with Independent Security Evaluators, and to Damian Put, a researcher who has sold bugs to TippingPoint in the past. Miller is undoubtedly the better known of the pair, having won large cash prizes two years running at the Pwn2Own hacking contest, held every March at the CanSecWest security conference.

Miller had revealed information about the JP2 bug in The Mac Hacker's Handbook, a how-to book he and Dino Dai Zovi published in March. In an earlier interview, Miller said that he had not actually disclosed the vulnerability, but he had provided all the information a competent researcher needed to root it out.

TippingPoint, which was unaware of the clues Miller had given, paid Put for the bug, said Amini. "We got that bug about a month after the book came out," said Amini Monday. "That happens about once every two months, where we end up paying twice for the same bug."

However, Put used a slightly different approach to find the vulnerability, Amini argued. "His research was unique and he did some original work. And this wasn't his first Apple bug," he said.

nCircle's Storms warned users to take the QuickTime vulnerabilities seriously, even if bugs in the player have rarely been exploited. "Anytime you can simply open a movie file and inject malware is bad news," Storms said. "Especially given how much of the Internet is now used for multimedia. Most people don't expect to be attacked watching a movie -- unless it's a horror movie."

Apple also updated iTunes Monday, releasing Version 8.2 to fix a single critical vulnerability in parsing "itms:" URLs, and to prep the software for iPhone 3.0, the new operating system expected to launch next week at Apple's annual Worldwide Developers Conference.

As is its practice, Apple skimped on details of the changes rolled into iTunes, although the Mac OS X Software Update noted: "iTunes 8.2 now supports iPhone or iPod touch with the iPhone 3.0 Software Update."

Mac users can upgrade to QuickTime 7.6.2 and iTunes 8.2 using the operating system's built-in Software Update feature, while Windows users can either download the new QuickTime and iTunes from the Apple support site or use the optional Windows update tool.


Stories by Gregg Keizer
