Keep QuickTime updated
By Charles Miller
February 20, 2009 San Miguel de Allende
An Atención reader wrote to ask me “what is wrong with Apple’s QuickTime player?”
QuickTime is a multimedia player developed by Apple for playing various types of digital video, media clips, sound, animation, music, and other interactive media. Versions are available for both Microsoft Windows and Mac operating systems, and it is distributed free of charge.
Last month (as I write this) Apple released version 7.6 of their popular QuickTime viewer to fix at least seven very serious security flaws. All of you OS X users who think your Mac is invulnerable to cyberattack need to pay attention this time because these issues affect both Windows and Mac users.
If you have ever gone to a web site that says you need to download and install QuickTime to view its content, then your Windows computer is probably vulnerable and needs to be updated. QuickTime is integrated into Mac and so all OS X users are at risk.
QuickTime versions prior to 7.3 contained a buffer overflow bug which could compromise the security of a PC. All versions of QuickTime prior to version 7.5.5 are known to be vulnerable to a cross-site scripting problem. Simply playing a video in QuickTime could result in arbitrary code execution or remote code execution attacks.
So what does all that techno babble mean?
A “buffer overflow” is a type of computer bug. A buffer is a space in computer memory reserved for data, and a buffer overflow is what you get when the size of the buffer is not properly enforced and input data is too big for the available space. When the buffer overruns, the memory space beyond the end of the buffer is overwritten. This might corrupt other data, but under the right circumstances can be used to sneak malicious data into the memory of your computer.
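The overrun described above, as an added example in C that is not part of the original column: the struct, field and function names are hypothetical and the 12-byte input is constructed. The same oversized input is loaded into an 8-byte buffer once without enforcing the size and once with the check.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical player state: an 8-byte buffer followed directly by other data. */
struct player_state {
    char title[8];     /* the buffer: space reserved for input data */
    char settings[8];  /* unrelated data that sits just beyond the buffer */
};

static void reset(struct player_state *s) {
    memset(s, 0, sizeof *s);
    memcpy(s->settings, "default", 8);  /* 7 characters plus the terminator */
}

/* Size NOT enforced. The write goes through a pointer to the whole struct so
   the spill into settings can be observed; n is capped at the struct size
   only to keep this demonstration inside memory it owns. */
static void load_title_unchecked(struct player_state *s, const char *in, size_t n) {
    if (n > sizeof *s) n = sizeof *s;
    memcpy((char *)s, in, n);
}

/* Size enforced: input that does not fit (with its terminator) is rejected. */
static int load_title_checked(struct player_state *s, const char *in, size_t n) {
    if (n >= sizeof s->title) return -1;
    memcpy(s->title, in, n);
    s->title[n] = '\0';
    return 0;
}

/* Returns 1 if the data beyond the buffer is still what reset() put there. */
static int settings_intact(const struct player_state *s) {
    return memcmp(s->settings, "default", 8) == 0;
}

int main(void) {
    const char input[] = "AAAAAAAAAAAA";  /* constructed: 12 bytes for an 8-byte buffer */
    struct player_state s;

    reset(&s);
    load_title_unchecked(&s, input, 12);
    printf("unchecked: settings intact? %d\n", settings_intact(&s));

    reset(&s);
    int rc = load_title_checked(&s, input, 12);
    printf("checked: rc=%d, settings intact? %d\n", rc, settings_intact(&s));
    return 0;
}
```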
“Cross-site scripting” (XSS) is another type of computer security vulnerability found on the web. XSS (not to be confused with a similar acronym CSS) is used by malicious programmers to sneak unauthorized content into the web pages of others. This then allows attackers to bypass access controls on the computers of those who visit the site. Cross-site scripting attacks on websites are the most commonly exploited security vulnerabilities. Unfortunately, to the computer user everything often looks normal on their end, while unbeknownst to them their sensitive personal data might be compromised.
Among the many web sites found to have XSS vulnerabilities, and in some cases to have been exploited, are the Google search engine, Gmail, Yahoo mail, Facebook, and MySpace. Commercial sites at PayPal, Nokia and eBay have also been affected. There are undoubtedly many others which have escaped mention in the major media.
And finally, “arbitrary code execution” describes the ability of an attacker to execute commands on your machine. The ability to trigger arbitrary code execution from one machine on another is often referred to as remote code execution.
All of the preceding was the long answer to that Atención reader’s question: “Should I uninstall and stop using QuickTime?”
The short answer to that question is “No, Apple found out there was a problem and they fixed it.”
QuickTime is a great little program, and the only one you can conveniently use for playing certain video files. If you will just keep it updated with the latest version you will not be at risk and will not even have to reread or try to understand any of the preceding explanation.
Charles Miller is a freelance computer consultant, a frequent visitor to San Miguel since 1981 and now practically a full-time resident. He may be contacted at 044-415-101-8528 or email FAQ8 (at) SMAguru.com.