Security Explorations, the company that has recently found vulnerabilities in digital satellite TV equipment, has identified a bug in QuickTime. The firm catalogs it as a security hole, but the results of Apple’s evaluation state otherwise.
The organization has made available a proof of concept, calling out to other members of the industry to share some insight on whether they agree that it’s a vulnerability, or simply a “hardening issue,” as Apple calls it.
The researchers state that the flaw, reported on April 12, 2012, could allow an attacker to bypass a couple of security checks in QuickTime’s code.
Furthermore, they believe that if it’s combined with another vulnerability that impacts Oracle’s Java SE, it could lead to the complete compromise of a Java VM environment, even on a fully patched system.
“The problem is that Apple seems to be downplaying the importance of a bug. They stick to treating it as a ‘security hardening’ issue or as a ‘security hardening enhancement’,” Adam Gowdiak, CEO of Security Explorations, told Softpedia.
“Since they do not treat it as a bug, they neither inform users about the fixes nor credit reporting researchers for bringing the issue to the company's attention.”
He claims that such issues shouldn’t be taken lightly, especially because many of today’s attacks leverage multiple weaknesses in order to completely bypass a product’s protection measures.
“The reason for Apple to treat the QuickTime issue as a ‘hardening issue’ is that it depends on another Oracle issue we found. That reasoning is however wrong. Both Oracle's and Apple's issues are not worth much when used alone,” Gowdiak added.
“The issues become powerful only when they are combined together. At that point they can lead to a complete JVM security sandbox compromise.”
Because the problem hasn’t been fixed in the Windows version of QuickTime, the firm has only made available a part of the complete POC.
“Windows users should be safe as for now as we didn't publish the details of Oracle's issue. It is missing from our exploit code. Instead we mimic Oracle's issue in it, so that people could be able to evaluate the Apple issue on their own,” he concluded.
We’ve requested comment from Apple and we’ll update this article as soon as they respond. In the meantime, feel free to take a look at the presentation and share your opinion on the matter.
The POC for the vulnerability is available here. The vendor responses are available here (starting with June 15), and a short presentation of the security hole and its implications can be found here.