Slashdot Mirror


Security Hole in Windows' QuickTime Player

Zonoprh writes "A Security Hole was found in QuickTime player that allows attackers to compromise a user's system with a malicious URL. The hole is fixed in QuickTime 6.1 available here. Until then, hold off on playing "unusually" enticing QT files."

23 comments

  1. Section? by cappadocius · · Score: 3, Interesting

    How much good will this do in the Apple section if the bug is in the Windows version?

    --
    omnia tua castra sunt nobis

    1. Re:Section? by DarkRecluse · · Score: 5, Funny

      Perhaps there should be a search topic titled "Security" which would check all sections and articles for known security issues...

      http://slashdot.org/search.pl?topic=172

      Or, ya know, we can just stick a huge fricken padlock right next to the slashdot logo...

      :|

      --
      --"It's Bradford Company, slash your last name, dot your first name"
    2. Re:Section? by Enzo90910 · · Score: 1

      Well, it's still an Apple product, isn't it?

      --
      I don't have much to add.
  2. Only quicktime on Windows is vulnerable by nebbian · · Score: 2, Informative

    So although it's an Apple product, it's really Windows where the fault lies. From the article:

    When processing a QuickTime URL, the application is launched in the following manner as can be seen from the Windows registry key HKEY_CLASSES_ROOT/quicktime:

    %PATH TO QUICKTIME%\QuickTimePlayer.exe -u"%1"

    A URL containing 400 characters will overrun the allocated space on the stack overwriting the saved instruction pointer (EIP). This will thereby allow an attacker to redirect the flow of control. An example URL that will cause QuickTime player to crash is:

    quicktime://127.0.0.1/AAAA...

    Where the character 'A' is repeated 400 times.


    Had Windows used a decent method of starting applications (instead of some stupid extension to DOS) then this overflow wouldn't happen. Yes, yes, I know, Apple should have checked for this overflow. However 1 kludge + 1 workaround != 1 good system.
    *sigh*
  3. Also a QuickTime on Mac OS X Software Update by Hi+Larry! · · Score: 4, Informative

    QuickTime 6.1.1 is also available on software update. Seems to contain MPEG-4 streaming bug fixes.

  4. Um... a bit dated by RalphBNumbers · · Score: 4, Informative

    Since when do notices of security holes that have been fixed for months rate /. articles?

    --
    "The worst tyrannies were the ones where a governance required its own logic on every embedded node." - Vernor Vinge
    1. Re:Um... a bit dated by nettdata · · Score: 4, Funny

      Since when do notices of security holes that have been fixed for months rate /. articles?

      Dude... are you new here?

      ;)

      --
      $0.02 (CDN)
    2. Re:Um... a bit dated by Anonymous Coward · · Score: 0

      There hasn't been an Apple story in days. They had to do something.

    3. Re:Um... a bit dated by jsmith38 · · Score: 1

      If you haven't noticed, no one has put anything up for Apple in a while (last Wed).

      When that happens, they go to old news that was not newsworthy the first go around.

  5. Is the Crossover install of Quicktime vulnerable? by repoleved · · Score: 1, Interesting

    Could someone please comment regarding whether the vulnerability affects Wine? I saw the other post saying that it had to do with a registry key buffer overflow, so it seems possible that Wine might not have this vulnerability.

    If so, then, are we Linux users safe from this particular bug? In either case, will the upcoming version of Crossover Plugin support QT6.1?

  6. Hold off? by 90XDoubleSide · · Score: 3, Interesting

    until then, hold off on playing "unusually" enticing QT files.

    Umm... QuickTime 6.1 was released on January 9th; I would think most people would already have this patched.

    --
    "Reality is just a convenient measure of complexity" -Alvy Ray Smith
  7. FUD alert by slittle · · Score: 5, Interesting

    WTF do you mean "extension to DOS"? You mean command line parameters (arguments)? Unix does the same thing. There are plenty of ways around using parameters under Windows, but they're more trouble to code for (IMO) for such a simple task, and not backward compatible - there is nothing wrong with the parameter method as long as idiot programs check their fucking buffers.

    --
    Opportunity knocks. Karma hunts you down.
    1. Re:FUD alert by Col+Bat+Guano · · Score: 3, Interesting

      "as long as idiot programs check their fucking buffers"

      But then the history of programming is one of people not doing the things they should.

      Yes, they should check their buffers, but clearly they don't.

      A bit of defensive programming goes a long way, in all and every bit of software.
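
The buffer check this sub-thread argues for, applied to the URL argument from the advisory quoted in comment 2 (`-u"%1"` and the 400-character URL). This is an added example, not part of any comment and not Apple's code; `copy_url_arg`, the status names and the 256-byte buffer size are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define URL_BUF_SIZE 256              /* assumed; the advisory gives no buffer size */
#define URL_SCHEME   "quicktime://"

enum url_status { URL_OK, URL_INVALID_ARG, URL_TOO_LONG, URL_BAD_SCHEME, URL_BAD_CHAR };

/* Hypothetical handler for the string Windows substitutes for "%1".
 * Copies arg into dst only if it fits, starts with the expected scheme and
 * contains no control characters, spaces or double quotes. On failure dst is
 * left empty; over-long input is rejected, never truncated. */
enum url_status copy_url_arg(const char *arg, char *dst, size_t dst_size)
{
    size_t len, i, scheme_len = strlen(URL_SCHEME);

    if (arg == NULL || dst == NULL || dst_size == 0)
        return URL_INVALID_ARG;
    dst[0] = '\0';

    /* Bounded length scan: never look further than the destination can hold. */
    for (len = 0; len < dst_size && arg[len] != '\0'; len++)
        ;
    if (len == dst_size)               /* no room left for the terminator */
        return URL_TOO_LONG;
    if (len < scheme_len || strncmp(arg, URL_SCHEME, scheme_len) != 0)
        return URL_BAD_SCHEME;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (c <= 0x20 || c == 0x7f || c == '"')
            return URL_BAD_CHAR;
    }
    memcpy(dst, arg, len + 1);         /* len + 1 <= dst_size is proven above */
    return URL_OK;
}

int main(void)
{
    char dst[URL_BUF_SIZE];
    char big[512] = "quicktime://127.0.0.1/";   /* constructed sample input */
    size_t n = strlen(big);

    memset(big + n, 'A', 400);         /* the 400 'A' characters from the advisory */
    big[n + 400] = '\0';
    printf("long url  -> %d\n", copy_url_arg(big, dst, sizeof dst));
    printf("short url -> %d\n",
           copy_url_arg("quicktime://127.0.0.1/movie.mov", dst, sizeof dst));
    return 0;
}
```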

  8. OS X Version Update available as well by coldcup · · Score: 1, Informative

    From software update:
    QuickTime 6.1.1 delivers important bug fixes to MPEG-4 streaming.

  9. hmm... by Enrico+Pulatzo · · Score: 1

    QuickTime 6.1 has been available for some time now for the Mac, I wonder if this has been the holdup on Windows....

  10. Err by Loosewire · · Score: 0, Redundant

    You mean this thing I'm trying to play here isn't Britney Spears nude?
    Hmm why is KILL KILL KILL appearing on the screen, must be a stuck key...

    --
    Slashdot - The one stop shop for procrastination
  11. I don't think you Apple guys understand... by Anonymous Coward · · Score: 1, Funny

    What you're telling me is that if somebody goes through this complicated procedure, they can crash my windows computer. Hmmm.

    Where I come from, the complicated procedure is called "powerup", and I usually crash my windows box every damn day. Some days, I can even take it down on command with a bitchin' blue screen and a crunching sound.

    My name is masq, and I'm definitely gonna be a switcher - once the new 15" PowerBooks come out.

  12. For long-term security by Zhe+Mappel · · Score: 4, Funny

    Keep the Quicktime Player. Throw out your copy of Windows.

  13. 6.1 for Windows released yesterday by benwaggoner · · Score: 1

    6.1 for MacOS X was released a few months ago, but 6.1 for Windows was only yesterday (Monday). Also released yesterday was 6.1.1 for MacOS X. MacOS 8/9 is still at 6.0.2. No official word from Apple that I know of, but I imagine that might be the terminal release for classic.

    Alas, the release notes for 6.1 are the same as 6.0, which is odd given the amount of time between releases.

  14. Re:Is the Crossover install of Quicktime vulnerabl by GiMP · · Score: 1

    Just use MPlayer, it supports most Quicktime files.