Apple patches QuickTime bug that was hidden in book
Apple has issued patches for its QuickTime and iTunes software, fixing critical security flaws along with a bug that was first hinted at earlier this year in a book on Macintosh computer hacking.
The updates fix 10 QuickTime vulnerabilities and a single bug in iTunes. The flaws affect both Windows and Mac users and have been patched in the QuickTime 7.6.2 and iTunes 8.2 releases, published Monday.
Most of the bugs were not publicly known of before today's updates, so it's unlikely that they were exploited by cyber-criminals. However, it turns out that one flaw -- a bug in the way QuickTime reads files that are compressed using the JPEG 2000 (JP2) compression standard -- was partially disclosed in Charlie Miller and Dino Dai Zovi's book, "The Mac Hacker's Handbook," released in March.
In an interview Monday, Miller said he put instructions for finding the bug in a section of the book that describes how to find flaws in Apple's software. "If you followed all the steps you would find ... the bug," he said. "I didn't show the bug, but I gave the recipe for how to find it."
Miller disclosed during a talk at the CanSecWest conference in March that he had hidden instructions for finding the flaw in his book. After members of Apple's security team approached him at the conference to ask about the issue, he handed over the exploit code, he said Monday.
Coincidentally, another Mac hacker, Damian Put, sold the same flaw one month later to 3Com's TippingPoint division, which also reported the issue to Apple. Although TippingPoint wouldn't say what it paid Put for the flaw, companies typically pay thousands of dollars for bugs like this. Miller and Dai Zovi's book lists for US$50.
Although Put used a different technique from Miller and Dai Zovi to find the issue, TippingPoint didn't know that it had bought the bug in "The Mac Hacker's Handbook" until Apple informed it about a week ago, according to TippingPoint's security research manager, Pedram Amini.
It's not unusual for two hackers to discover the same bug, Amini said. Recently three separate researchers submitted identical Internet Explorer flaws within a six-month period. However, he added, "Had we read the book prior to receiving this issue from Damian, we probably would not have made an offer."
In its security advisory, Apple credited both Miller and Put with finding the issue.
In addition to the security fix, the iTunes 8.2 release includes support for the upcoming iPhone 3.0 software, which is expected to be unveiled at Apple's Worldwide Developer Conference next week in San Francisco.
IDG News Service
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
apple
Powered by Twitter
jfruh
Apple syncing patent can't come soon enough
pasmith
New Twitter features borrow from 3rd party clients
Esther Schindler
Open Source Changes the Software Acquisition Process
mikelgan
How to set up continuous podcast play on the new iTunes
David Strom
Five important Windows 7 mobility features
sjvn
Guard your Wi-Fi for your own sake
Sandra Henry-Stocker
Grepping on Whole Words
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
