December 11, 2006 (12:32 PM EST)

Unpatched QuickTime Bugs Strike Both Windows And Mac OSes

By Gregg Keizer

The QuickTime flaw that led to phishing attacks on MySpace can be found in both the Windows and Mac OS X versions of the media player, a security company warned Monday. Apple has yet to patch the player.

More than a week ago, MySpace shut down hundreds of user profiles that had been infected by a worm that took victims to a phishing site. The worm, dubbed "Quickspace," exploited a bug in QuickTime JavaScript support.

Finnish security company F-Secure has confirmed that the bug is in the current Windows and Mac editions of Apple Computer's QuickTime. "Any malicious JavaScript code exploiting it would affect the users of both operating systems," said S.G. Masood, F-Secure's phishing analyst, on the security vendor's blog. The Quickspace worm was originally pegged as affecting only Windows users running Microsoft's Internet Explorer browser.

Masood also pointed out that an earlier QuickTime vulnerability remains unpatched; that bug, he said, could be exploited in the same way as the one used by the Quickspace worm.

"With no fix available, the only feasible workaround for these social networking sites, and also other Web sites, is to completely block users from uploading Apple QuickTime content," Masood recommended. "This is not a MySpace only issue. [It] affects every other Web site that allows the embedding of QuickTime content."

Apple has provided a fix for the Quickspace problem to MySpace, which has distributed the patch to its users running IE. However, the computer maker has been mum on a general QuickTime update. Apple did not immediately reply to a request for comment.

