Are Security Researchers Targeting QuickTime?

Apple is out with its latest security patch release this year for
QuickTime. The QuickTime 7.4.5 release addresses 11 vulnerabilities half of
which were reported by 3Com’s TippingPoint security division.

The latest QuickTime release is the third update to QuickTime this year for
security related issues. Over the past year Apple’s QuickTime software has
been frequently noted for security vulnerabilities, though that’s not necessarily an indication that QuickTime itself is fundamentally flawed – or is it?

“I would not say that there is a fundamental flaw in the design of
QuickTime,” Cameron Hotchkies, security researcher at TippingPoint told “Security enhancements at the operating system and
compiler level have made server-side vulnerability discovery and
exploitation increasingly difficult which is one of the main reasons for the
ongoing trend of researchers focusing on client side applications.”

For the vulnerabilities discovered by TippingPoint, Hotchkies noted that
there are actually two sources for the bugs disclosed. One is TippingPoint’s
internal researchers and the other is through the company’s Zero Day Initiative (ZDI)extended research network.

“All of these QuickTime issues were processed via the Zero Day Initiative
program where the target is chosen by the researchers themselves without
direction from us,” Hotchkies commented. “Most of the researchers who work
with the ZDI do so independently, so we see it as more of a trend in the
focus of bug finders.”

The latest round of vulnerabilities in QuickTime includes issues with PICT
files being used for attacks as well as with QuickTime “atoms”. According to
Apple’s developer site, QuickTime stores most of its data using a special
memory structure called atoms. Atoms are the basic data containers inside

Discovery through fuzzing

Discovering the flaws in QuickTime does not require any particularly
sophisticated attack methodology.

“The majority of these issues and likely most of the recent QuickTime
vulnerabilities were discovered through fuzzing,” Hotchies said. “After a
few bugs are discovered by the same researcher, they tend to find other
places with similar problems.”

is the technique
of throwing garbage input at a program to see what

With the high volume of reported vulnerabilities in QuickTime over the past
year, it is also possible to note some trends and commons attack vectors.

Page 2 of 2

“A large number of the issues we’ve seen have been atom parsing issues,”
Hotchkies commented. “That’s not to say there aren’t other interesting bugs
being found, but most of them are only slightly different conceptually
despite leading down different code paths.”

Quicktime gets more scrutiny

Hotchkies added that in the past year QuickTime has received more scrutiny
than it did in previous years. Over time Hotchkies expects that the
overall security posture of the product will improve and researchers will
move on to other targets.

Apple for its part, he said, is acting responsibly at dealing with the security reports.

“Apple responds immediately with a tracking number, and usually within the
same day with a follow-up,” Hotchkies said. “During the patch process, Apple
has been very good at keeping communication open and letting us know about
presumed disclosure dates.”

Though QuickTime 7.4.5 fixes a lot of issues, there may still be a few more
in the pipeline that have yet to be publicly disclosed or fixed. Hotchkies
admitted that there are some more vulnerabilities in TippingPoint’s queue
that need to get re-verified. That said, the toughest days for QuickTime may
well be in the past now.

“Apple was very proactive in this patch to reduce the number of
vulnerabilities in QuickTime in the future,” Hotchkies said. “In addition to
fixing the low level vulnerabilities reported to them one by one, Apple is
making higher level design changes to improve the overall security posture
of QuickTime.”

News Around the Web