A critical vulnerability in QuickTime that was reported to the company by a “bug bounty” program a few months ago was finally patched Wednesday by Apple. The update Apple released also patched a “DLL load hijacking” issue which went public in August of this year. The update, known as the QuickTime 7.6.8 update, is for Windows only and fixes a few flaws in the QuickTime media player. The most notable bug the patch fixes is a problem with the QuickTime plug-in used by Microsoft’s Internet Explorer.
Back on August 30, 2010, Spanish researcher Ruben Santamarta published info on a bug that hackers could manipulate to hijack Windows XP, Vista or Windows 7 computers that were running Internet Explorer with the QuickTime ActiveX control in place. According to Santamarta, the vulnerability was completely Apple’s fault because “the company’s developers had neglected to clean up the old code, leaving an opening for attackers.”
Santamarta also posted sample attack code on the internet that bypassed two very important defense technologies Microsoft has added to Windows. The protections, known as ASLR (address space layout randomization) and DEP (data execution prevention), are specifically designed to make it harder for hackers to pull off attacks. If hackers do manage to manipulate the system, the protections then isolate the malware from the rest of the machine.
The day after Santamarta unleashed his findings, HP’s TippingPoint announced that it had reported the exact same bug to Apple on June 30, 2010, two months earlier than Santamarta. The head of TippingPoint’s Zero Day Initiative (ZDI) bug bounty program, Aaron Portnoy, used the QuickTime example to additionally urge vendors to patch faster, stating that it is now common for bugs to be found independently by multiple researchers, including criminals looking for new exploits.
It doesn’t really make sense why Apple, which was warned twice about the exact same problem, didn’t do anything sooner. Had it been a simpler, smaller, insignificant problem, then maybe the delay by Apple would be justified. However, this is just the opposite. This is a major security risk that could affect a lot of people. While it is good to see Apple fixing the problem, it is scary to see how little they seem to care about certain pressing issues.