Does the new QuickTime 0-day mean Apple has Problems with Patching?
In the past Microsoft has been criticised for poor vulnerability patching (by not patching the underlying vulnerability that is causing a problem and then having to reissue patches as attackers adjust and attack), and it is a criticism that has also been levied against Apple with the handling of different mDNSResponder vulnerabilities. Recently disclosed vulnerability information regarding another RTSP handling problem in QuickTime could be a sign of a similar problem brewing. RTSP vulnerabilities were patched no less than four times in the last twelve months (Security Update 2007-001, Security Update 2007-004, Darwin Streaming Server 5.5.5, and QuickTime 7.3.1), and it seems that there are still opportunities for remote code execution within the RTSP code handling routines.
A minor blessing with the latest vulnerability disclosure seems to be that the vulnerability does not appear to affect the latest version of OS X (10.5.1), at least according to early reports from third party testers. It is known that there is partial exploit functionality on the Windows QuickTime version, but with increased attention sure to be focussed on the product it may yet be found that the vulnerability can be extended to the OS X versions. As in the past, it is recommended that users avoid RTSP data streams until Apple is able to issue a patch for this latest problem.
12 January 2008
Social bookmark this page at eKstreme.
Alternatively, Bookmark or Share via AddThis
Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.
Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.
Comments will soon be available for registered users.
Subscribe to our feed.