Say, do you folks happen to remember that QuickTime vulnerability that surfaced a couple of months ago? Sure you do; after all, it's not like Mac security issues make the news every other day, right? (cough Sasser cough). The flaw we're talking about apparently made it possible for evildoers to "reliably overwrite heap memory with user-controlled data and execute arbitrary code in the context of the user who executed the players or application hosting the QuickTime plug-in." In other words, bad guys can do bad stuff to you from far away. Well, the good news is that Apple has fixed the problem. The bad news (maybe) is that the company doesn't seem to be telling anyone about it.
See, according to TechNewsWorld, the latest version of QuickTime corrects the bug, but Apple has refused to characterize the problem as a security flaw and, accordingly, hasn't exactly been shouting about the fix from the rooftops. Meanwhile, eEye Digital, the firm that discovered the flaw in the first place, baldly states that "Apple is doing a disservice to its customers by incorrectly labeling this vulnerability as a 'crash bug' rather than stating correctly that attackers can compromise systems running the affected Apple software." And "independent security expert" Ryan Russell says that Apple's behavior "hints that there is a real lack of maturity, or inexperience may be a better way to put it, with their response."
Well, duh; the company may release Security Updates every so often (2004-05-03 available now-- get it while it's hot!), but they almost never have to address a flaw that can actually grant scary people the ability to run code on a remote Mac; in contrast, Microsoft generally has literally three or four holes of that severity every month (or week or minute), so those guys are used to dealing with it. Russell implies that Apple will learn the ropes "with a little more experience." More experience? As in, Apple's going to start shipping more and more products with severe security problems? Unless Apple's hiring away all of Microsoft's "programmers," we're not holding our breath.
On the notification front, though, it's not like Russell and eEye don't have a valid point; after all, that Sasser worm that's currently running amok throughout the Wintel universe exploits a security hole that Microsoft plugged three weeks ago. Patches don't help if people don't use them. That said, at least one security expert thinks Apple may have been right not to issue an advisory: iDefense's Ken Dunham notes that "the likelihood of attack is lower" and "there's a benefit to not sending out such advisories, which might lend importance or risk." After all, it's no coincidence that all these Windows worms show up a few weeks after Microsoft has patched the hole they will eventually exploit; Microsoft says "hey, there's this hole, so run this patch," customers say "yeah, whatever, maybe later," virus guys say "neat, look at that hole we had no idea was there waiting to be exploited, let's write a worm because it's not like anyone's going to patch the problem until they have to." So maybe keeping mum's the right strategy for a lowish-risk flaw like this.
Whatever. Luckily, you don't have to wait for Apple to acknowledge the hole before you plug it. Heck, if you're in the U.S. it's likely you already did; the newly-released iTunes 4.5 requires QuickTime 6.5.1 to let you play iTunes Music Store tracks in non-iTunes applications, so the odds are pretty good that you grabbed it as soon as you had a chance. But if you didn't, now you know: 6.5.1 also fixes that security flaw-- er, crash bug-- that might have let the naughty people mess with your Mac. So install it already, because it's good for you.