Apple on Monday patched 10 critical vulnerabilities in QuickTime, including one that was hinted at in a Mac hacking book three months ago.
Eight of the bugs patched by QuickTime 7.6.2 affect both the Mac and Windows versions, while two others affect only QuickTime for Windows XP and Vista. Apple described all 10 as allowing "arbitrary code execution," a phrase it uses to describe the most serious threats that if exploited, could result in a PC or Mac hijacking. Unlike vendors such as Microsoft and Oracle, Apple doesn't rank the bugs it fixes with a scoring or labeling system.
Monday's update was Apple's second this year for the player, which has been patched a total of 17 times in 2009; last year, Apple patched 30 QuickTime vulnerabilities.
"They're what one would expect for QuickTime, file format processing bugs," said Andrew Storms, director of security operations at nCircle Network Security, in an instant message.
Storms had it right: All 10 vulnerabilities involved a file format issue of one sort or another. Three of the bugs were in how QuickTime parses movie files, two were in its handling of PICT image files and others were traced to problems dealing with JP2 (JPEG 2000), MS ADPCM-encoded (Adaptive Differential Pulse Code Modulation) audio, PhotoShop and animation file formats.
Apple has patched dozens of file format flaws in QuickTime over the years. Last September, for instance, it dealt out patches for problems in parsing PICT images, QTVR (QuickTime Virtual Reality) files, QuickTime movies, H.264-encoded movies and Indeo-encoded video.
File format vulnerabilities, and lots of them, are to be expected with a program like QuickTime, said Pedram Amini, manager of security research at 3com's Austin, Texas-based TippingPoint. "QuickTime has a huge attack surface," said Amini, "because of all the file formats it supports."
Six of the vulnerabilities were reported or co-reported to Apple by TippingPoint's bug bounty program, the second time in the last three weeks that a cash-for-bugs scheme has contributed the majority of a vendor's flaws. Last month, TippingPoint's rival, VeriSign's iDefense, reported 10 of the 14 PowerPoint vulnerabilities patched by Microsoft.
The large number of bugs attributed to TippingPoint were a timing conicidence, said Amini. Although the company typically passes along vulnerability reports to vendors as soon as it's vetted the bugs, there are times it holds them, then presents a batch to the vendor. "If we have several submitted for the same application, we like to get a full view of all the vulnerabilities to make sure there aren't any that overlap," said Amini.
One of TippingPoint's half-dozen, the JP2 handling bug, was credited to Charlie Miller, a researcher with Independent Security Evaluators, and to Damian Put, a researcher who has sold bugs to TippingPoint in the past. Miller is undoubtedly the better known of the pair, having won large cash prizes two years running at the Pwn2Own hacking contest, held every March at the CanSecWest security conference.