QuickTime Exploit Greets ‘Month of Apple Bugs’

Written By
Ed Sutherland
Jan 2, 2007

UPDATED: A quick and easy exploit of a flaw in Apple’s QuickTime application may have
Mac and Windows users beginning the New Year with a fresh round of security
concerns. The exploit kicks off the Month of Apple Bugs (MOAB) project, the goal of which is to reveal problems with the Mac OS X operating system before informing
vendors.

A problem in how QuickTime handles URLs could pose a risk, according to MOAB, which described the vulnerability as being “trivial” to exploit and
released code displaying “Happy New Year” on systems running QuickTime and
QuickTime Player versions 7.13 and earlier.

Apple was not immediately available for comment.

Using the flaw in how QuickTime handles the “rtsp://” URL, a
specially crafted string could overflow a stack buffer, “leading to an
exploitable remote arbitrary code execution condition,” according to the MOAB bulletin.
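To make the class of defect the bulletin describes concrete, here is an added illustration (not QuickTime's code and not from the MOAB bulletin): a hypothetical URL handler that copies the host portion of an rtsp:// URL into a fixed-size stack buffer with no length check, beside a hardened version that refuses input the buffer cannot hold. The buffer size, function names and the sample URLs are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define HOST_MAX 64            /* hypothetical fixed buffer size */
#define RTSP_PREFIX "rtsp://"

/* Vulnerable pattern (hypothetical): the host part of the URL is copied into
 * a fixed-size stack buffer without checking its length, so any host longer
 * than HOST_MAX - 1 bytes writes past the end of `host` into adjacent stack
 * memory. Callers must pass a `dst` of at least HOST_MAX bytes. */
int unsafe_rtsp_host(const char *url, char *dst)
{
    char host[HOST_MAX];
    size_t plen = strlen(RTSP_PREFIX);
    if (strncmp(url, RTSP_PREFIX, plen) != 0)
        return -1;                          /* not an rtsp:// URL */
    const char *p = url + plen;
    size_t n = strcspn(p, "/");             /* host ends at the first '/' */
    memcpy(host, p, n);                     /* no bound check on n */
    host[n] = '\0';
    strcpy(dst, host);
    return 0;
}

/* Hardened form: the caller states how large `dst` is, and any host that
 * would not fit (or is empty) is rejected with an error instead of being
 * copied. Nothing is ever written beyond dst[dst_len - 1]. */
int safe_rtsp_host(const char *url, char *dst, size_t dst_len)
{
    size_t plen = strlen(RTSP_PREFIX);
    if (dst_len == 0 || strncmp(url, RTSP_PREFIX, plen) != 0)
        return -1;
    const char *p = url + plen;
    size_t n = strcspn(p, "/");
    if (n == 0 || n >= dst_len)             /* empty host or would overflow */
        return -1;
    memcpy(dst, p, n);
    dst[n] = '\0';
    return 0;
}

/* Builds a constructed rtsp:// URL whose host is `host_len` bytes of 'A'
 * and reports (1/0) whether the hardened parser rejects it. Used to show
 * the length boundary without ever invoking the unsafe version on
 * overlong input. */
int hardened_rejects_host_of_length(size_t host_len)
{
    char url[512];
    char dst[HOST_MAX];
    size_t plen = strlen(RTSP_PREFIX);
    if (host_len > 400)
        host_len = 400;                     /* keep the test URL in bounds */
    memcpy(url, RTSP_PREFIX, plen);
    memset(url + plen, 'A', host_len);
    url[plen + host_len] = '\0';
    return safe_rtsp_host(url, dst, sizeof dst) != 0;
}

int main(void)
{
    char dst[HOST_MAX];
    const char *ok = "rtsp://media.example.net/clip.mov";   /* constructed */

    if (safe_rtsp_host(ok, dst, sizeof dst) == 0)
        printf("accepted host: %s\n", dst);

    /* A 63-byte host fits; a 64-byte host would need the NUL at dst[64]. */
    printf("63-byte host rejected: %d\n", hardened_rejects_host_of_length(63));
    printf("64-byte host rejected: %d\n", hardened_rejects_host_of_length(64));
    printf("200-byte host rejected: %d\n", hardened_rejects_host_of_length(200));
    return 0;
}
```

The defensive point is that the bound belongs to the destination, not to the input: the hardened parser takes the buffer length as a parameter and fails closed, which is what converts a remote code execution bug into a harmless error for an overlong URL.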

The bulletin said users have only two options to avoid the flaw:
“uninstalling Quicktime or simply live with the feeling of being a potential
target.”

A security error in an application is “absolutely potentially more
serious” than one involving just the operating system, according to Andrew
Jaquith, a Yankee Group security analyst. QuickTime is frequently used by
both Mac and Windows users.

The group announced an exploit, explaining it preferred to release the security
vulnerability prior to notifying vendors.

Traditionally, security researchers first alert the affected vendor and only then the public, allowing
companies to learn of a problem before a vulnerability is widely disclosed.
eEye Digital Security, for instance, publishes the date a problem was
reported, as well as when a fix was released.

“The problem with so-called ‘responsible disclosure’ is that for some
people, it means keeping others on hold for insane amounts of time, even
when the fix should be trivial,” the group explained.

Releasing exploits before notifying vendors is “irresponsible,” Jaquith
said.

The MOAB project is similar to other projects, such as the Month of Kernel Bugs, which exposed a flaw in Broadcom’s wireless driver, and the Month of Browser Bugs, which began with an Internet Explorer vulnerability.

Not since another security group threatened to launch a month of Oracle bugs
has an effort concentrated on one vendor, said Jaquith.
