The Channel logo


By | Dan Goodin 2nd May 2007 02:04

Apple patches security hole in QuickTime

QuickTime one of four popular apps currently at risk

Apple has patched a high-profile vulnerability in QuickTime eleven days after the flaw allowed a hacker to publicly hijack a brand new MacBook Pro. The Apple media player is just one of four popular applications suffering from security defects that currently require the urgent attention of those who use them.

The three other applications include Adobe Photoshop, the Winamp media player and Trillian, a client that combines the functionality of IRC, AOL Instant Messenger, MSN Messenger and other chat programs. Today's update from Apple means that two of the four applications have patches (Trillian's patched download is here.) Users who care about the security of their machines should install them promptly.

According to an advisory from Secunia, the current version of Winamp contains a flaw in the way the program handles MP4 files that could allow a booby-trapped file to execute arbitrary code on a victim's machine. Secunia rates the flaw highly critical, the site's second most serious rating. Until there is a patch, Winamp users may want to think twice about playing MP4 files unless absolutely sure they originated from reputable sources.

Secunia has also warned of at least two serious vulnerabilities in Photoshop that are also labeled highly critical. One flaw, a buffer overflow vulnerability, affects Adobe Photoshop CS2 and Adobe Photoshop CS3 and involves their handling of Bitmap files. The other affects the same two Photoshop versions as well as Adobe Photoshop Elements 5.x and leaves users open to attack if they open malformed PNG graphics files. Users are advised not to open untrusted PNG or Bitmap files pending the release of a security update from Adobe.

Version of Trillian carries three vulnerabilities related to IRC that could allow for the interception of private conversations or the execution of code with the same privileges as the currently logged on user, according to iDefense Labs. The security provider didn't assign a rating to the vulnerabilities.

Apple describes the patched vulnerability in QuickTime for Java as an implementation issue that "may allow reading or writing out of the bounds of the allocated heap." By luring a victim to a malicious website, a miscreant could hijack a user's machine, Apple warns. The update is available for Mac and Windows platforms.

The QuickTime vulnerability was discovered by Dino Dai Zovi, who spent about nine hours to write code that exploited it and submitted it as part of a contest at the CanSecWest security conference. His discovery, first reported to affect Safari, was later shown to target QuickTime. In either case, the exploit allowed him to take control of a 15-inch MacBook Pro when it visited a website that hosted the malicious code. ®

alert Send corrections


Frank Jennings

What do you do? Use manual typwriters or live in a Scottish croft? Our man advises
A rusty petrol pump at an abandoned gas station. Pic by Silvia B. Jakiello via shutterstock

Trevor Pott

Among other things, Active Directory needs an overhaul
Baby looks taken aback/shocked/affronted. Photo by Shutterstock

Kat Hall

Plans for 2 million FTTP connections in next four years 'not enough'
Microsoft CEO Satya Nadella


League of gentlemen poster - Tubbs and Edward at the local shop. Copyright BBC
One reselling man tells his tale of woe