Apple fixes ancient QuickTime vulnerability

A big technology corporation fixing a vulnerability in one of its products may sound like nothing special, but this vulnerability is a little different. Found in Apple’s QuickTime Player, it has been susceptible to exploitation for over a year on the Windows operating system. The worst part is that the person who discovered the vulnerability was completely ignored on multiple occasions. Heck, this person even had to go as far as posting how this low-level risk could quickly escalate into a high-risk attack. Unfortunately, situations like this happen all the time in all different types of software-oriented businesses. Why do they ignore people who are trying to show them proof-of-concept vulnerabilities in their software? I’d love to hear your feedback about this.

Apple has taken another swing at fixing a troublesome spate of QuickTime vulnerabilities.

The company released an update for the Windows version of QuickTime media player on Wednesday afternoon to patch what Apple calls a “command injection issue” in the way the media player handles URLs. The flaw, which affects Windows XP and Windows Vista, was first disclosed in September of 2006 by Petko D. Petkov, a penetration tester.

Petkov noted in a blog post this September that he reported two QuickTime bugs in the early fall of 2006. Only one, however, was patched. To bring attention to the year-old vulnerability, Petkov posted several proof-of-concept exploits on his blog last month.

At the time, the researcher wrote in his blog, Gnucitizen, that he posted a demonstration of how the bug could be used to hack into Firefox to make a point. “The first vulnerability was fixed, but the second one was completely ignored,” he wrote. “I tried to bring the spotlight on the second vulnerability one more time over here, yet nobody listened. So, I decided to post a demonstration of how a Low risk issue can be turned into a very easy to perform HIGH risk attack.”
