BugBlog Bug of the Month

Every month the BugBlog picks its Bug of the Month, representing the most significant bug found in the past month. Sometimes, the bug will be the one which could potentially cause the most damage; sometimes it will be the bug which affects the most users. And sometimes, it will be the bug that is just the most interesting bug. This bug will be selected either from the free Bug of the Day, or from the subscription-only BugBlog Plus.

The BugBlog Bug of the Month appeared on 1/11/2006. A bug in Apple QuickTime for both Mac OS X 10.3.9 or later, and Windows 2000/XP, may allow an attacker to run hostile code on your computer. They can do this via a QTIF image with hidden hostile content that can generate a heap buffer overflow. This has been patched in QuickTime 7.0.4, which you can get via Apple's Software Update or from http://www.apple.com/support/downloads/. Apple credits Varun Uppal for finding this bug.

Why this bug? Actually, this bug affected more than just QTIF images. It also posed a threat with JPEG, TGA, TIFF, and GIF images too. Also, it came right on the heels of Microsoft's security problems with WMF files, and showed that Apple users couldn't be too smug. To top it off, by 1/14 reports were circulating that the upgrade itself had some problems.

Many people who have installed the Apple QuickTime 7.0.4 update are complaining about the problems they are having with it. You can see two extended discussions of this at http://discussions.apple.com/thread.jspa?threadID=310936&tstart=0 and at http://discussions.apple.com/thread.jspa?threadID=309078&tstart=0. Apple has posted a QuickTime 7.0.1 reinstaller if you want to remove the update. It is at http://www.apple.com/support/downloads/quicktime701reinstallerforquicktime704.html. The reason for the update in the first place was to patch numerous security bugs that may allow hostile content to come in via graphics files.
There seem to be more complaints about QuickTime for Mac than QuickTime for Windows -- but that may be because Mac users are more likely to go to the Apple Forums. In fact, it is now February, and if you go to the Apple Support page and look at their listing of the Top Downloads, you will see that the 7.0.1 Reinstaller makes the list, but not the upgrade.
Previous Bugs of the Month

Jan 2006: Microsoft WMF Bug
Dec 2005: Sony's Secret DRM Scheme Leaves Users Exposed
November 2005: Four Separate Bugs Leave Windows Open to Takeover
October 2005: Acrobat Screws Up MS Word
September 2005: Apple Security Update Breaks 64-bit Apps
August 2005: Cisco IOS Vulnerable to IPv6 bug
July 2005: RealNetworks Fixes Four Bugs in Their Media Player
June 2005: Flawed Rollout for Netscape 8
May 2005: TCP/IP Fix for Windows
April 2005: Denial of Service against Symantec Norton AntiVirus
March 2005: IDN Spoofing Bug
February 2005: Windows Animated Cursor Bug
January 2005: Windows Firewall Problems with Dial-up connections

The Bug of the Month is also posted at Blogcritics.org