Patched QuickTime bug was hidden in book
The patches Apple issued for its QuickTime and iTunes software Monday fixed critical security flaws, along with a bug that was first hinted at earlier this year in a book on Macintosh computer hacking.
The updates fix 10 QuickTime vulnerabilities and a single bug in iTunes. The flaws affect both Windows and Mac users and have been patched in the QuickTime 7.6.2 and iTunes 8.2 releases, published Monday.
Most of the bugs were not publicly known of before today’s updates, so it’s unlikely that they were exploited by cyber-criminals. However, it turns out that one flaw—a bug in the way QuickTime reads files that are compressed using the JPEG 2000 (JP2) compression standard—was partially disclosed in Charlie Miller and Dino Dai Zovi’s book, The Mac Hacker’s Handbook, released in March.
In an interview Monday, Miller said he put instructions for finding the bug in a section of the book that describes how to find flaws in Apple’s software. “If you followed all the steps you would find ... the bug,” he said. “I didn’t show the bug, but I gave the recipe for how to find it.”
Miller disclosed during a talk at the CanSecWest conference in March that he had hidden instructions for finding the flaw in his book. After members of Apple’s security team approached him at the conference to ask about the issue, he handed over the exploit code, he said Monday.
Coincidentally, another Mac hacker, Damian Put, sold the same flaw one month later to 3Com’s TippingPoint division, which also reported the issue to Apple. Although TippingPoint wouldn’t say what it paid Put for the flaw, companies typically pay thousands of dollars for bugs like this. Miller and Dai Zovi’s book lists for $50.
Although Put used a different technique from Miller and Dai Zovi to find the issue, TippingPoint didn’t know that it had bought the bug in The Mac Hacker’s Handbook until Apple informed it about a week ago, according to TippingPoint’s security research manager, Pedram Amini.
It’s not unusual for two hackers to discover the same bug, Amini said. Recently three separate researchers submitted identical Internet Explorer flaws within a six-month period. However, he added, “Had we read the book prior to receiving this issue from Damian, we probably would not have made an offer.”
In its security advisory, Apple credited both Miller and Put with finding the issue.
In addition to the security fix, the iTunes 8.2 release includes support for the upcoming iPhone 3.0 software, which is expected to be unveiled at Apple’s Worldwide Developer Conference next week in San Francisco.