QuickTime, iTunes Users at Risk (Again)? Currently Unpatched Exploit Puts Users at Risk Again Sean Michael Kerner
Apple QuickTime and iTunes users may yet again be at risk from a currently unpatched exploit.
According to security firm, eEye, there is a pair of overflow conditions — one an integer overflow and the other heap-based — that could enable a malicious user to execute arbitrary code.
There is currently no patch available from Apple that fixes the exploit, which allegedly affects current versions of iTunes and QuickTime, including the versions the company patched in January.
Steve Manzuik, security product manager for eEye Digital Security, said that the vulnerabilities are critical, as they allow for the execution of remote code. That said, the impact currently may well be quite limited.
"At this time we have not seen any evidence that these are being used in the wild, as our researchers discovered these bugs in our research lab," Manzuik told internetnews.com.
An Apple spokesperson was not immediately available for comment by internetnews.com. Manzuik claimed however that eEye notified Apple twice about the alleged vulnerabilities.
"The first notification did not receive a response so we waited two days then sent a second notice. They responded to that, saying they are looking into the issue," Manzuik said.
"The second report, which they responded to, was made on March 7, 2006. I have not had any additional contact from Apple but they are typically very quiet when dealing with vulnerabilities."
In addition to the January iTunes-QuickTime fix, Apple recently fixed a laggard zero day exploit, which remained open for over a week.
Apple was not singled out by Manzuik as being particularly responsive or unresponsive; however, he did praise Microsoft for the way it handles security reports.
"This leads me to point toward Microsoft and how they address security reports from us and other researchers as actually a model that other vendors should be looking at," Manzuik commented.
"There is still room for improvement in the Microsoft model but their communication is better than any other vendor we have worked with."
Microsoft is expected to provide two update patches as part of its monthly patch Tuesday tomorrow.
