Welcome to P2PNET.net - The original daily p2p and digital news site. Always First!

iTunes, Quicktime, security flaws

p2p news / p2pnet: A heap overflow vulnerability exists for all current and prior versions of Apple iTunes and QuickTime for Mac OS X and Win32, says indie security researcher Tom Ferris.

It could allow an attacker to cause a crash and/or execute arbitrary code in the context of the user who executes the player, he states.

How severe is the flaw? It’s bad, says Ferris – “think about how many ipods sold this year alone”.

He gives links to two test cases for the vulnerability and says Apple has been notified.

http://www.security-protocols.com/poc/sp-x21-1.mov <(=-- this one crashes QuickTime
http://www.security-protocols.com/poc/sp-x21-2.mov <(=-- this one will crash iTunes and QuickTime

Ferris told eWeek he flagged the issue to Apple more than a month ago, “but only received a cursory confirmation that the bug was being investigated”.

Attackers can “rig QuickTime movie files to trigger a denial-of-service crash that may lead to malicious code execution,” says the story.

Also See:
Tom Ferris - Apple QuickTime 7.0.3 & iTunes 6.0.1 Heap Overflow, December 20, 2005
eWeek - Beware of Strange iTunes/QuickTime Movies, December 21, 2005

6 Responses to “iTunes, Quicktime, security flaws”

  1. Reader's Write Says:

    With the first link, Firefox also crashed.

  2. Reader's Write Says:

    Macs DO NOT HAVE vulnerabilities. It’s a fact you can bank on.

  3. Reader's Write Says:

    riiiiiight ;P

  4. Reader's Write Says:

    I’m still trying to decide if the original “You’ve got it wrong…” post was serious or they are just trying to throw some gas on the fire. Pretty funny if they really believe it (in a blind loyalty fanboy sort of way). Actually pretty funny either way…

  5. Reader's Write Says:

    It’s a joke son. Laugh.

    Any platform has security problems if you have the electronic equivalent of an unlocked door.

    Identifying those doors, on the other hand, is sometimes very hard.

  6. Reader's Write Says:

    Hey, son…the laugh’s on you. Welcome to reality.
