RealTime IT News

Are Security Researchers Targeting QuickTime?

Apple is out with its latest security patch release this year for QuickTime. The QuickTime 7.4.5 release addresses 11 vulnerabilities half of which were reported by 3Com's TippingPoint security division.

The latest QuickTime release is the third update to QuickTime this year for security related issues. Over the past year Apple's QuickTime software has been frequently noted for security vulnerabilities, though that's not necessarily an indication that QuickTime itself is fundamentally flawed - or is it?

"I would not say that there is a fundamental flaw in the design of QuickTime," Cameron Hotchkies, security researcher at TippingPoint told InternetNews.com. "Security enhancements at the operating system and compiler level have made server-side vulnerability discovery and exploitation increasingly difficult which is one of the main reasons for the ongoing trend of researchers focusing on client side applications."

For the vulnerabilities discovered by TippingPoint, Hotchkies noted that there are actually two sources for the bugs disclosed. One is TippingPoint's internal researchers and the other is through the company's Zero Day Initiative (ZDI)extended research network.

"All of these QuickTime issues were processed via the Zero Day Initiative program where the target is chosen by the researchers themselves without direction from us," Hotchkies commented. "Most of the researchers who work with the ZDI do so independently, so we see it as more of a trend in the focus of bug finders."

The latest round of vulnerabilities in QuickTime includes issues with PICT files being used for attacks as well as with QuickTime "atoms". According to Apple's developer site, QuickTime stores most of its data using a special memory structure called atoms. Atoms are the basic data containers inside QuickTime.

Discovery through fuzzing

Discovering the flaws in QuickTime does not require any particularly sophisticated attack methodology.

"The majority of these issues and likely most of the recent QuickTime vulnerabilities were discovered through fuzzing," Hotchies said. "After a few bugs are discovered by the same researcher, they tend to find other places with similar problems."

Fuzzing is the technique of throwing garbage input at a program to see what happens.

With the high volume of reported vulnerabilities in QuickTime over the past year, it is also possible to note some trends and commons attack vectors.