Apple Fixes QuickTime Flaw, But Doesn't Advise

Apple (Nasdaq: AAPL) is being criticized for its handling of a reported security vulnerability that -- although addressed in an updated version of the QuickTime media player -- was downplayed by the Cupertino, California-based company and denied security advisory status.

eEye Digital Security, a frequent finder of flaws in software from Microsoft (Nasdaq: MSFT), Apple and other leading vendors -- including Symantec (Nasdaq: SYMC) -- reported the QuickTime flaw as a critical vulnerability because it allows a remote attacker to overwrite heap memory with user-controlled data and execute arbitrary code, according to eEye's advisory.

eEye said the media player flaw was in the QuickTime .qts file that is used by many applications to access the media player and insisted it was not an issue that would simply crash the program. eEye said an attacker could use a movie file to trigger a direct heap overwrite, which would then allow execution of code.

"It is difficult to express just how textbook this vulnerability scenario really is," said eEye's advisory. "Successful exploitation of the vulnerability is self-evident, and therefore, no further discussion is warranted. It is our sincere hope that the vendor will make an earnest effort to increase the maturity of its security response capabilities, so that researchers will be encouraged to continue to work with them amicably on future security issues."

Confirmation Crucial

Apple is generally credited with strong security in its software and solid security response to vulnerability issues, which arise far more seldom than Microsoft Windows holes. However, independent security expert Ryan Russell agreed with eEye's call for an advisory on the latest issue.

"Most people won't update, and that's a danger," Russell told TechNewsWorld. "It's a big, long download and a lot of people would not normally undertake that update if they're not aware."

Russell, who praised Apple for its speed in responding to issues, said most companies that go through security problems arrive at a process that includes free reporting avenues and disclosure through advisories.

"I believe that most companies that have a security issue with their software should issue an advisory just to confirm there is a problem," Russell said, adding that notification should be accompanied by prompt patching and confrontation of the vulnerability in future iterations.

Ripeness of Apple's Security

In its advisory, eEye argued Apple "is doing a disservice to its customers by incorrectly labeling this vulnerability as a 'crash bug' rather than stating correctly that attackers can compromise systems running the affected Apple software."

Russell referred to Apple's support of fixes for newer versions of its software that have been known to leave out older versions and said the latest Apple security response may highlight the company's limited security experience.

"This hints that there is a real lack of maturity, or inexperience may be a better way to put it, with their response," Russell said. "Most companies have arrived at that process [of releasing advisories]. Apple, I believe, will arrive there with a little more experience."

Reasons To Hold Off

Ken Dunham, iDefense director of malicious code research, said that there have been so few significant security issues with Apple's software that the company may have a point in holding back on an advisory.

"The fact that they have not had to deal with as large of a problem or as high of a level problem does lend credibility in saying the likelihood of attack is lower," Dunham told TechNewsWorld. "Right now, there's a benefit to not sending out such advisories, which might lend importance or risk.

"If they don't really need to send one out, they might not want to, and they may not need to in this case," Dunham added. "Because it's so rare and so unlikely compared to all of the other threats that are out there, it's a totally different environment."