Threat Alert: Pictures and Videos Pose a Threat to Quicktime for Windows and Mac

Severity: Medium

Summary:

  • These vulnerabilities affect: Quicktime 7.6.8 and earlier for Windows and Mac
  • How an attacker exploits them:  by enticing you into viewing a maliciously crafted movie or image file
  • Impact: An attacker could execute code on your computer, potentially gaining control of it
  • What to do: Download and install QuickTime 7.6.9 as quickly as possible, or let Apple’s Software Update do it for you

 

Exposure:
Late Yesterday, Apple released a security update to fix 15 media handling vulnerabilities that affect both the Windows and Mac version of QuickTime, their popular media player.

The flaws vary quite a bit technically, but most of them share the same general scope and impact. If an attacker can lure one of your users into viewing malicious media, such as an image or video file, he can exploit many of these vulnerabilities to execute code on that user’s computer, with that user’s privileges. Since most Windows users have local administrative privileges, attackers could often leverage this flaw to gain complete control of Windows machines. Macs, on the other hand, separate your user privileges from the superuser account. So an attacker could only leverage these flaws to gain limited privileges on a Mac (though still enough privilege to do significant damage).

If you use Quicktime within your network, we highly recommend you download and install Apple’s update as quickly as you can. 

Solution Path:
Apple has released QuickTime 7.6.9 to fix this security issue. Administrators who allow QuickTime in their network should download, test, and deploy the updated version at their earliest convenience. By default, Apple’s download bundles iTunes with QuickTime, but because iTunes often has security issues of its own, we recommend that you select the option of downloading QuickTime alone (unless you need iTunes). If you like, you can also let Apple’s Software Update tool download and install the update for you.

If you have any questions regarding this information, or if you need assistance mitigating these threats for your company’s network, feel free to contact our technical support team by calling (800) 481-4369 or by emailing support@teamaccent.com.

Provided by WatchGuard LiveSecurity Service

References: Apple’s December 2010 QuickTime Advisory

This alert was researched and written by Corey Nachreiner, CISSP.