Apple’s security reputation takes another dent this week with yet another zero-day exploit in its QuickTime media player. There is now proof-of-concept code out there which uses this exploit to remotely compromise computers running both Windows and Mac OS X. The vulnerability exists in QuickTime’s handling of media streamed over the RTSP protocol. If you are a bad guy, all you have to do to use this exploit to attack someone is to get them to open a specially crafted RTSP URL (a URL starting with rtsp://). If the victim’s browser has JavaScript enabled you can make things even easier for yourself: you can get JavaScript to open the RTSP URL for you! What this all means is that you can now have your Mac compromised by simply visiting a web page. This is a lot worse than the Trojan that I discussed a few weeks ago, where you had to actually download and install a program, giving it admin access in the process, in order to be compromised. I should mention that this exploit does NOT give the attacker admin access to your machine; it ‘just’ lets the attacker run any code they want as the user running QuickTime. This is not as bad as an exploit which would allow the attacker to execute any command as root/admin, but it’s still very bad.

You can get more details from US-CERT. That page also gives you some guidance on protecting yourself. However, those instructions are very Windows-centric.

It’s not long ago that I posted about Apple not patching their SAMBA implementation for months after a patch became available. Now there is a QuickTime vulnerability in the wild that was apparently reported to Apple about a year ago. I constantly give off to Microsoft for this kind of carry-on, so each time I catch Apple at it I’m going to highlight it too. The Mac user experience is currently fantastic, but Apple’s continued complacency about security is putting that experience at serious risk. How bad will things have to get before Apple cop on to themselves?

For more details on this vulnerability (which affects Windows too) check out this Macworld article.

There are some things we expect every media player to do out of the box, you know, the basics: actually playing media and that kind of thing. Most people would consider a full-screen mode to be one of these core features that all media players must have. Apple didn’t think so. Past versions of QuickTime made you upgrade to the Pro version for $30 if you wanted full-screen playback. Needless to say, this annoyed a lot of people. It just looked like greed on Apple’s part and drove people away from QuickTime towards free alternatives like VLC. However, as of QuickTime 7.2, which was released this week, you get free full-screen playback. Great to see common sense finally winning out in the QuickTime division of Apple. THANK YOU!