RealTime IT News

Are Security Researchers Targeting QuickTime? - Page 2

"A large number of the issues we've seen have been atom parsing issues," Hotchkies commented. "That's not to say there aren't other interesting bugs being found, but most of them are only slightly different conceptually despite leading down different code paths."

QuickTime gets more scrutiny

Hotchkies added that in the past year QuickTime has received more scrutiny than it did in previous years. Over time, Hotchkies expects that the overall security posture of the product will improve and researchers will move on to other targets.

Apple, for its part, he said, is acting responsibly in dealing with the security reports.

"Apple responds immediately with a tracking number, and usually within the same day with a follow-up," Hotchkies said. "During the patch process, Apple has been very good at keeping communication open and letting us know about presumed disclosure dates."

Though QuickTime 7.4.5 fixes a lot of issues, there may still be a few more in the pipeline that have yet to be publicly disclosed or fixed. Hotchkies admitted that there are some more vulnerabilities in TippingPoint's queue that need to get re-verified. That said, the toughest days for QuickTime may well be in the past now.

"Apple was very proactive in this patch to reduce the number of vulnerabilities in QuickTime in the future," Hotchkies said. "In addition to fixing the low level vulnerabilities reported to them one by one, Apple is making higher level design changes to improve the overall security posture of QuickTime."