• This forum is for posting news stories or links from rumor sites. When you start a thread, please include a link to the site you're referencing.

    THIS IS NOT A FORUM TO ASK "WHAT IF?" TYPE QUESTIONS.

    THIS IS NOT A FORUM FOR ASKING QUESTIONS ABOUT HOW TO USE YOUR MAC OR SOFTWARE.

    This is a NEWS and RUMORS forum as the name implies. If your thread is neither of those things, then please find the appropriate forum to ask your question.

    If you don't have a link to a news story, do not post the thread here.

    If you don't follow these rules, then your post may be deleted.

Quicktime Security Issue...

Joined
Oct 27, 2002
Messages
13,172
Reaction score
348
Points
83
Location
Cleveland, Ohio
Your Mac's Specs
MacBook Pro | LED Cinema Display | iPhone 4 | iPad 2
Source: News.com

Just as streaming video and audio are hitting the mainstream, researchers have sounded the alarm about serious security holes in two popular digital media players.
The vulnerabilities have cropped up in RealNetworks' RealPlayer and Apple Computer's QuickTime. While unrelated, the weak spots could allow an intruder to execute damaging arbitrary code on a victim's computer.

Security experts are increasingly concerned about hackers exploiting digital media players, which are designed to accept Web addresses and scripts--a key route for self-propagating, hostile code.




The current vulnerabilities come at a time when streaming content has gained momentum, providing news and entertainment to a growing number of people accessing the Internet via broadband connections.

RealNetworks has issued an advisory, warning that by creating a specifically corrupted Portable Network Graphics file, an attacker could cause "heap corruption." Doing so would allow the attacker to execute code on the victim's machine. The vulnerable software uses an older data-compression library within the RealPix component of the player, leaving the system vulnerable. The company said it has fixed the vulnerability by using an updated version of the data-compression library.

RealNetworks said it had not received any reports of anyone's computer actually being attacked via this exploit.

The vulnerability affected the following popular versions of its digital media players: RealOne Player, RealOne Player v2 for Windows, RealPlayer 8 for Windows, RealPlayer 8 for Mac OS 9, RealOne Player for Mac OS X, RealOne Enterprise Desktop Manager and RealOne Enterprise Desktop

The Helix DNA Client was not affected, RealNetworks noted.

Meanwhile, security firm iDefense warned this week that it has discovered an exploitable buffer overflow vulnerability in Apple's QuickTime Player that could affect computers with Microsoft's Windows but not those with Apple's Macintosh OS.

Buffer overflows occur when an application is flooded with information and as a result cannot handle memory correctly. By causing a buffer overflow, attackers can insert their own code into the execution of the application.

In this case, a URL containing 400 characters will overrun the allocated space on the system, allowing the attacker to assume control of the system, iDefense said. All the attacker needs to do is to convince a Web surfer to click on a specially crafted URL.

iDefense said that QuickTime Player versions 5.x and 6.0 for Windows are vulnerable. The workaround suggested by iDefense is to remove the QuickTime handler from the Web browser or remove the registry key (HKEY_CLASSES_ROOT/quicktime).

Another option is to download Apple's QuickTime 6.1, which addresses this vulnerability, according to iDefense.

Apple was not immediately available for comment
 

Shop Amazon


Shop for your Apple, Mac, iPhone and other computer products on Amazon.
We are a participant in the Amazon Services LLC Associates Program, an affiliate program designed to provide a means for us to earn fees by linking to Amazon and affiliated sites.
Top