Security Hole in Windows' QuickTime Player

Catch up on stories from the past week (and beyond) at the Slashdot story archive

Security Hole in Windows' QuickTime Player 23

Posted by timothy on Monday March 31, 2003 @09:54PM from the what-are-you-watching dept.

Zonoprh writes "A Security Hole was found in QuickTime player that allows attackers to compromise a user's system with a malicious URL. The hole is fixed in QuickTime 6.1 available here. Until then, hold off on playing "unusually" enticing QT files."

This discussion has been archived. No new comments can be posted.

Security Hole in Windows' QuickTime Player

Load All Comments

Search 23 Comments Log In/Create an Account

Comments Filter:

Section? (Score:4, Interesting)

by cappadocius ( 555740 ) writes: <cappadocius AT v ... squerade DOT com> on Monday March 31, 2003 @09:59PM (#5635221)

How much good will this do in the Apple section if the bug is in the Windows version?

Share
twitter facebook
- Re:Section? (Score:5, Funny)
  
  by DarkRecluse ( 231992 ) writes: on Tuesday April 01, 2003 @12:16AM (#5635968)
  
  Perhaps there should be a search topic titled "Security" which would check all sections and articles for known security issues...
  
  http://slashdot.org/search.pl?topic=172 [slashdot.org]
  
  Or, ya know, we can just stick a huge fricken padlock right next to the slashdot logo...
  
  :|
  
  Parent Share
  twitter facebook
- Re:Section? (Score:1)
  
  by Enzo90910 ( 547270 ) writes:
  
  Well, it's still an APple product, isn't it?
Only quicktime on Windows is vulnerable (Score:2, Informative)

by nebbian ( 564148 ) writes:

So although it's an Apple product, it's really windows where the fault lies. From the article:
When processing a QuickTime URL, the application is launched in the following manner as can be seen from the Windows registry key HKEY_CLASSES_ROOT/quicktime:

%PATH TO QUICKTIME%\QuickTimePlayer.exe -u"%1"

A URL containing 400 characters will overrun the allocated space on the stack overwriting the saved instruction pointer (EIP). This will thereby allow an attacker to redirect the flow of control. An e
- FUD alert (Score:5, Interesting)
  
  by slittle ( 4150 ) writes: on Monday March 31, 2003 @10:28PM (#5635395) Homepage
  
  WTF do you mean "extension to DOS"? You mean command line parameters (arguements)? Unix does the same thing. There are plenty of ways around using parameters under Windows, but they're more trouble to code for (IMO) for such a simple task, and not backward compatible - there is nothing wrong with the parameter method as long as idiot programms check their fucking buffers.
  
  Parent Share
  twitter facebook
  - Re:FUD alert (Score:3, Interesting)
    
    by Col Bat Guano ( 633857 ) writes:
    
    "as long as idiot programms check their fucking buffers"
    
    But then the history of programming is one of people not doing the things they should.
    
    Yes, they should check their buffers, but clearly they don't.
    
    A bit of defensive programming goes a long way, in all and every bit of software.
Also a QuickTime on Mac OS X Software Update (Score:4, Informative)

by Hi Larry! ( 553285 ) writes: on Monday March 31, 2003 @10:06PM (#5635267)

QuickTime 6.1.1 is also available on software update. Seems to container mpeg 4 streaming bug fixes.

Share
twitter facebook
Um... a bit dated (Score:5, Informative)

by RalphBNumbers ( 655475 ) writes: on Monday March 31, 2003 @10:08PM (#5635290)

Since when do notices of security holes that have been fixed for months rate /. articles?

Share
twitter facebook
- Re:Um... a bit dated (Score:5, Funny)
  
  by nettdata ( 88196 ) writes: on Monday March 31, 2003 @11:09PM (#5635586) Homepage
  
  Since when do notices of security holes that have been fixed for months rate /. articles?
  
  Dude... are you new here?
  
  ;)
  
  Parent Share
  twitter facebook
- Re:Um... a bit dated (Score:1)
  
  by jsmith38 ( 629490 ) writes:
  
  If you haven't noticed, no one has put anything up for Apple in a while (last wed).
  
  When that happens, they go to old news that was not news worthy the first go around.
Is the Crossover install of Quicktime vulnerable? (Score:2, Interesting)

by repoleved ( 569427 ) writes:

Could someone please comment regarding whether the vulnerability affects wine? I saw the other post saying that it had to do with a registry key buffer overflow, so it seems possible that wine might not have this vunerability.

If so, then, are we Linux users safe from this particular bug? In either case, will the upcoming version of Crossover Plugin support QT6.1?
- Re:Is the Crossover install of Quicktime vulnerabl (Score:2)
  
  by GiMP ( 10923 ) writes:
  
  Just use MPlayer, it supports most Quicktime files.
Hold off? (Score:4, Interesting)

by 90XDoubleSide ( 522791 ) writes: <ninetyxdoublesid ... minus herbivore> on Monday March 31, 2003 @10:14PM (#5635321)

until then, hold off on playing "unusually" enticing QT files.Umm... QuickTime 6.1 was released on January 9th; I would think most people would already have this patched.

Share
twitter facebook
- 6.1 for Windows released yesterday (Score:2)
  
  by benwaggoner ( 513209 ) writes:
  
  6.1 for MacOS X was released a few months ago, but 6.1 for Windows was only yesterday (Monday). Also released yesterday was 6.1.1 for MacOS X. MacOS 8/9 is still at 6.0.2. No official word from Apple that I know of, but I imagine that might be the terminal release for classic.
  
  Alas, the release notes for 6.1 are the same as 6.0, which is odd given the amount of time between releases.
OS X Version Update available as well (Score:1, Informative)

by coldcup ( 15234 ) writes:

From software update:
QuickTime 6.1.1 delivers important bug fixes to MPEG-4 streaming.
hmm... (Score:2)

by Enrico Pulatzo ( 536675 ) writes:

quicktime 6.1 has been available for some time now for the mac, I wonder if this has been the holdup on windows....
I don't think you Apple guys understand... (Score:1, Funny)

by Anonymous Coward writes:

What you're telling me is that if somebody goes through this complicated procedure, they can crash my windows computer. Hmmm.

Where I come from, the complicated procedure is called "powerup", and I usually crash my windows box every damn day. Some days, I can even take it down on command with a bitchin' blue screen and a crunching sound.

My name is masq, and i'm definitely gonna be a switcher - once the new 15" PowerBooks come out.
For long-term security (Score:4, Funny)

by Zhe Mappel ( 607548 ) writes: on Tuesday April 01, 2003 @07:24AM (#5637148)

Keep the Quicktime Player. Throw out your copy of Windows.

Share
twitter facebook

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

Security Hole in Windows' QuickTime Player 23

Security Hole in Windows' QuickTime Player More Login

Security Hole in Windows' QuickTime Player

Section? (Score:4, Interesting)

Re:Section? (Score:5, Funny)

Re:Section? (Score:1)

Only quicktime on Windows is vulnerable (Score:2, Informative)

FUD alert (Score:5, Interesting)

Re:FUD alert (Score:3, Interesting)

Also a QuickTime on Mac OS X Software Update (Score:4, Informative)

Um... a bit dated (Score:5, Informative)

Re:Um... a bit dated (Score:5, Funny)

Re:Um... a bit dated (Score:1)

Is the Crossover install of Quicktime vulnerable? (Score:2, Interesting)

Re:Is the Crossover install of Quicktime vulnerabl (Score:2)

Hold off? (Score:4, Interesting)

6.1 for Windows released yesterday (Score:2)

OS X Version Update available as well (Score:1, Informative)

hmm... (Score:2)

I don't think you Apple guys understand... (Score:1, Funny)

For long-term security (Score:4, Funny)

Related Links Top of the: day, week, month.

Slashdot Top Deals

Slashdot