Apple Bug Bites OS X, Windows

An exploit for a newly discovered critical flaw in Apple's QuickTime video app could mean trouble for Mac, PC users

Dark Reading logo in a gray background | Dark Reading

The Month of Apple Bugs (MOAB) kicked off this week with a new and potentially critical bug in Apple's popular QuickTime application that affects both Mac OS X and Windows users. (See An Apple (Bug) a Day.)

LMH, who heads up the MOAB research project, released an OS X-based exploit for the bug and says he may also unleash one for Windows. The vulnerability in QuickTime's URL handler lets an attacker execute a stack-based buffer overflow, which would then allow them to run arbitrary code on the victim's machine. And when combined with another flaw, the attacker can "own" the machine, according to LMH.

Meanwhile, researcher HD Moore says a Metasploit contributor has built a Metasploit 3 module for the Windows version of the exploit. "Just about everyone has to install QuickTime at some point, and since the bug applies to the Windows version as well, it's just as critical as an Office or browser bug."

The QuickTime vulnerability is trivial to exploit, says David Maynor, CTO of Errata Security. "This is one of the most dangerous bugs in Apple I have ever seen. The debate about if this bug is real and exploitable has pretty much been made null and void by the exploit being released," he says. "Apple users should worry a lot."

But not all researchers are enamored of MOAB's work, especially since it does not alert Apple in advance of a bug or exploit. Thomas Ptacek, a researcher with Matasano Security, says there's a growing consensus among the research community that the month-of-bugs approach is no longer effective.

"It is impossible to argue that you're working to improve security if you spring vulnerabilities on vendors, with exploits, via a blog post," says Ptacek. He notes that the original Month of Browser Bugs (MOBB) made sense because it shed light on how browser security was ignored.

"The MOBB thing was a 'shock and awe' move designed to highlight the fact that people were ignoring browser security, and people sort of were ignoring browser security," he says. "But be serious -- nobody is ignoring Apple security and nobody is ignoring kernel security."

MOBB creator Moore says he believes the MOAB is raising Apple security awareness. "[It] seems to be the answer to a ton of denial and hubris about whether Apple products are more secure than any other vendor."

Meanwhile, the QuickTime bug is in Version 7.1.3, Player Version 7.1.3, but the MOAB site says older versions are likely vulnerable as well. How can you protect yourself from this QuickTime bug? Uninstall QuickTime and de-activate the rstp://URL handler, LMH says, and don't trust any QTL files, or use Mozilla's Firefox browser.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

About the Author

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights