Apple Issues Emergency Security Patch for Macs
CREDIT: Apple/Sascha Burkard/Shutterstock.com
If you're a Mac user and watch video files on your computer, consider downloading Apple's Security Update 2013-003 sooner rather than later. A vulnerability in QuickTime makes it possible for exploiters to distribute movie files full of malicious code.
The issue affects at least three versions of Mac OS X — 10.6 Snow Leopard, 10.7 Lion and 10.8 Mountain Lion — and can happen when Mac users view video files on QuickTime. The patch actually addresses three separate but related security flaws, two of which deal with "buffer overflow" and one of which deals with "buffer underflow." (Apple no longer supports pre-Snow Leopard versions of Mac OS X.)
In simple terms, a hacker with ill intent could lace malicious code into a movie file, or something disguised as a movie file. Buffer overflow and underflow occur when a program reads adjacent data at incorrect speeds. On its own, it can be a nuisance, but combined with harmful scripts — a package to install malware or direct users to dangerous websites, for example — it can create a sizable gap in security.
Apple discovered the flaws through HP's Zero Day Initiative, which rewards security researchers for finding security vulnerabilities in popular platforms. Interestingly, two of the researchers who discovered these flaws, Tom Gallagher and Paul Bates, both hail from Microsoft.
Because security researchers found the flaw, there's no indication that anyone ever took advantage of this flaw in the wild. If hackers had glommed on to this method, it's likely that Apple would have addressed it sooner, especially since QuickTime is Apple's default video player.
Apple's Security Update 2013-003 patches the issue, and will roll out to all users automatically over the next few days. That said, if you want it right now, click the main Apple menu and select Software Update.
Getting the security update sooner rather than later may be a good idea: If hackers are going to take advantage of the vulnerability, this is their last chance. [See also: 13 Security and Privacy Tips for the Truly Paranoid]
Movie files are generally a good place to hide malware, especially since many illegal-download and torrent sites are already brimming with malicious pop-ups and download prompts. And because movie files are big, it's easy to slip in a small executable script.
The easiest way to avoid video-based malware is to acquire all of your content from legitimate sources, or stick to streaming sites like YouTube. If something looks suspicious, though, run it through an anti-virus scanner first. That new "Game of Thrones" episode is not worth risking the health of your Mac.