Apple QuickTime and iTunes users may yet again be at risk from a currently
According to security firm, eEye, there is a pair of overflow conditions —
one an integer overflow and the other heap-based — that could enable a malicious
user to execute arbitrary code.
There is currently no patch available from
Apple that fixes the exploit, which allegedly affects current versions of
iTunes and QuickTime, including the versions the company patched in January.
Steve Manzuik, security product manager for eEye Digital Security, said
that the vulnerabilities are critical, as they allow for the execution of
remote code. That said, the impact currently may well be quite limited.
“At this time we have not seen any evidence that these are being used in the
wild, as our researchers discovered these bugs in our research lab,” Manzuik
An Apple spokesperson was not immediately available for comment by
internetnews.com. Manzuik claimed however that eEye notified Apple
twice about the alleged vulnerabilities.
“The first notification did not receive a response so we waited two days then
sent a second notice. They responded to that, saying they are looking into
the issue,” Manzuik said.
“The second report, which they responded to, was
made on March 7, 2006. I have not had any additional contact from Apple but
they are typically very quiet when dealing with vulnerabilities.”
In addition to the January iTunes-QuickTime fix, Apple
recently fixed a laggard zero day exploit, which remained open for over a week.
Apple was not singled out by Manzuik as being particularly responsive or
Unresponsive; however, he did praise Microsoft for the way it handles security
“This leads me to point toward Microsoft and how they address security
reports from us and other researchers as actually a model that other vendors
should be looking at,” Manzuik commented.
“There is still room for
improvement in the Microsoft model but their communication is better than
any other vendor we have worked with.”
Microsoft is expected to provide two update patches as part of its monthly patch Tuesday tomorrow.