With all the hype surrounding Apple this week and its MacWorld event it’s easy to forget that Apple is a company under a security siege.
More specifically, Apple’s QuickTime software has faced far more than its fair share of security woes over the past year. The software plays a critical role in Apple’s ability to deliver multimedia content on its Mac and iTunes platforms.
Though not quite as high-profile as Apple’s launch of the new Mac Air notebook, QuickTime didn’t go ignored by Apple this week, receiving an update to version 7.4.
While the update fixed at least four known security vulnerabilities, it left at least one known hole still open.
The first of the fixes in QuickTime 7.4 involves memory corruption with video files that have been compressed with the popular Sorenson 3 compression technology. The flaw could have led to arbitrary code execution or an application crash.
QuickTime 7.4 also contains a fix for a memory corruption issue related to its handling of Macintosh Resource records in movie files.
The third issued addressed in the QuickTime 7.4 update also relates to memory corruption — this time in QuickTime’s parsing of Image Descriptor (IDSC) atoms. For the first three memory corruption vulnerabilities fixed by QuickTime 7.4, Apple addresses each by performing additional validation to ensure files are not corrupt.
The fourth fixed issue stems from QuickTime’s handing of PICT images. Apple noted in its advisory that, “A buffer overflow may occur while processing a compressed PICT image.”
Apple’s advisory explains that the fix for the PICT issue is to terminate the decoding of the PICT image when the result would extend beyond the end of the destination buffer.
The QuickTime 7.4 release does not address a Real Time
Streaming Protocol (RTSP) problem with QuickTime, first reported last week.
With the QuickTime 7.4 release, Apple has now issued five QuickTime updates for security issues since October. It’s a dark trend that may not necessarily mean that QuickTime is less secure than it once was.
Instead, it may just be a symptom of Apple’s increasing popularity.
“I think more researchers are investigating OS X software for vulnerabilities as their market share, especially among the information security community, is increasing,” said Jeremiah Grossman, founder and CTO at WhiteHat Security. “This answer may sound overly simplistic, but I believe it to be accurate.”
Apple itself may be partially to blame — especially with regard to how it deals with security research. Grossman suggested that the company could work better with researchers and the information security industry in general.
“To contrast, Microsoft is a good example as a company [that] used to be highly abrasive in the area of vulnerability disclosure,” Grossman told InternetNews.com.”Then over the last several years, Microsoft really turned things around culturally with respect to security, and is now considered by most to be a model citizen in the community.”
Apple spokespeople were not available for comment by press time.