Mon, 21 May 2007 Unpatched QuickTime is security risk
Security firm observes risk of unpatched QuickTime installations
Although browsers are notoriously juicy targets for hackers, Apple's QuickTime is actually three times more likely to pose a threat than Internet Explorer 6 – and six times more likely to be a threat than Firefox, Danish vulnerability tracker Secunia said this week.
The higher risk posed by QuickTime stems from slack patching by users. According to an analysis of more than 350,000 system checks done over the last six months by the free Secunia Software Inspector, 33.1 per cent of all QuickTime 7 installations weren't up to date with security patches. Another music player, AOL's Winamp, was almost as likely to be outdated: 27 per cent of Winamp 5 installations were missing needed security fixes.
Question of the day!
Do you share your creations online?
% of Macworld readers agree with you
What do you create and how do you share it?
Follow the conversation at @TabletChat
paintings & illustrations, mostly, which i upload to flickr.RT @fragmentedm
I draw manga/anime characters. I also do graphic design and photography.RT @spialelo
Yes. I usually put them up on my #deviantart account for feedback on how to improve.RT @spialelo
Compared to QuickTime or Winamp, Microsoft's Internet Explorer 6 and Mozilla's Firefox are models of security, said Secunia. Only 9.6 per cent of IE 6 installations lacked one or more patches, while just 5.2 per cent of Firefox 2 deployments needed updating.
The disparity is understandable. Users know browsers often have security holes, and updating them – particularly Microsoft products – is often a well-established habit that takes place on a known schedule. But Secunia's data shows that outside of operating systems and browsers, users neglect regular patching.
"This constitutes a significant problem," said Jakob Balle, Secunia's development manager, in a blog post detailing the Software Inspector results. "Most people wouldn't hesitate to open an .mpg, .jpg, .mov or .mp3 file from any source if it seems the least bit interesting and relevant. It's easy to embed a movie in your home page, for example, and all it takes is one unpatched QuickTime vulnerability and a provocative video title to compromise a lot of visitors."
Researchers regularly identify vulnerabilities in QuickTime and Winamp. Secunia's own database, for example, pins ten bugs on QuickTime 7, three of them so far this year. The most-recently-patched QuickTime flaw was disclosed about three weeks ago and patched on 1 May. Winamp 5 sports 11 vulnerabilities, said Secunia; the last bug was also quashed earlier this month.
Balle said that scans of business computers for unpatched applications reveal the same user behaviour that inspection of consumer computers exposes. "The vulnerable applications tend to be more business-like in nature, exploiting flaws in enterprise software and devices rather than media players," he said. "However, the overall picture is the same: The operating systems, browsers and Microsoft applications in general appear to be updated fairly regularly. But all other applications seem to be forgotten, or receive too low a priority given the severity of the issues."
Part of the problem may be due to the fact that many application vendors don't bake in automated security update mechanisms, leaving it up to users to first recognize the seriousness of a vulnerability and then search for, download and install a patch. Or if vendors do offer automatic patching, updates are done irregularly or not frequently enough. In contrast, QuickTime updater on Windows checks for updates on a default weekly schedule.
Although the free Software Inspector remains available, Secunia is also pushing a server-side edition, dubbed Network Software Inspector.
Contact Us
DiggEmail A Friend
Email this article to a friend or colleague:
PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.
Permalink This Article
This articles permalink is:
http://www.macworld.co.uk/news/index.cfm?newsid=18084
<<prev article | back to news index | next article>>
Latest News
- Apple intros Aperture 3, adds over 200 new features
- Walt Disney World iPhone update offers 300 pages, 500 photos
- VIP iPhone app drops from millionaire priced £279.99 to under a tenner
- Play.com: Google Nexus One now available for pre-order
- Amazon's Kindle gets ready to battle Apple's iPad
- Apple Store is down, new Macs imminent?
- Canon intros EOS 550D 18-megapixel DSLR camera
- WSJ: Apple could slash iPad prices if sales disappoint
- Apple offers 'find out how' tutorials as podcasts
- Adobe says sorry for 16-month-old Flash bug
- Getty launches subscription stock image service, Thinkstock
- RouteBuddy intros RouteBuddy Atlas 1.3 for iPhone, iPod touch
iPhone 3G S Video Review
Mac Broadband?
Search news
Search Google
Newsletter signup
It's easy and free to get the latest news headlines, reviews and opinions straight to your email inbox. Sign up NOW to make sure you receive the latest Mac news, reviews and tutorials on your favourite topics.
Register now
Stay on top of the latest, breaking Mac news and chat with other Mac professionals and enthusiasts about the issues that matter to you. Register with Macworld today to join our forums and receive our twice-weekly email newsletter, Macworld Mainline.
RSS
Have the latest content delivered to your desktop via RSS. Use the links below to get access to a specific blog, news, or reviews feed.
MACWORLD MARKETPLACE
 |
Computer & Laptop |
 |
Are you a new customer? Are you doubtful? |
 |
Circus Ponies NoteBook - the easy way to get organized on the Mac |
 |
50% off ebooks |
 |
Beat the Credit Crunch - Lease your Mac from Hardsoft. |
Click here for the latest reader comments