Apple Mac OS X users, it's time to update.

Apple is pushing out Security Update 2013-003, which fixes three vulnerabilities in its QuickTime media player. Notably, all three were reported to Apple through HP's Zero Day Initiative (ZDI), and all had already been patched in the Windows version of QuickTime.

All three are triggered when a user opens a maliciously crafted movie file; successful exploitation could allow an attacker to execute arbitrary code.

According to Apple's advisory, CVE-2013-1019 is a buffer overflow in the handling of Sorenson-encoded movie files, CVE-2013-1018 is a buffer overflow in the handling of H.264-encoded movie files, and CVE-2013-1022 is a buffer overflow in the handling of 'mvhd' atoms.

Apple addressed all three issues through improved bounds checking.

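As an illustration of the bug class and the fix described above, here is a minimal QuickTime/MP4 atom walker in C written for this article; it is not Apple's code and does not reproduce the specific flaw behind CVE-2013-1022. It reads the top-level atoms of a movie, descends into 'moov', and extracts the timescale and duration from a version-0 'mvhd' atom, checking every declared atom size against the bytes actually present before using it. The sample buffers are constructed inline (not real files): a well-formed movie, one whose 'mvhd' claims 0x7FFFFFFF bytes, and one whose 'mvhd' is shorter than the fields it should contain. The names find_mvhd, parse_mvhd and mvhd_timescale_of are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes for the atom walk. */
typedef enum { ATOM_OK, ATOM_NOT_FOUND, ATOM_TRUNCATED, ATOM_OVERSIZED, ATOM_BAD_VERSION } atom_result_t;

/* The two 'mvhd' (movie header) fields this example extracts. */
typedef struct { uint32_t timescale; uint32_t duration; } mvhd_info_t;

/* Atom sizes and fields are big-endian. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse a version-0 'mvhd' payload (the atom body after its 8-byte header).
 * Layout: version(1) flags(3) creation_time(4) modification_time(4) timescale(4) duration(4) ...
 * A real mvhd carries more fields after these; the bounds check covers only what we read. */
static atom_result_t parse_mvhd(const uint8_t *body, size_t body_len, mvhd_info_t *out) {
    if (body_len < 20) return ATOM_TRUNCATED;      /* declared atom too small for the fields we read */
    if (body[0] != 0) return ATOM_BAD_VERSION;     /* version 1 uses 64-bit times; not handled here */
    if (out) { out->timescale = be32(body + 12); out->duration = be32(body + 16); }
    return ATOM_OK;
}

/* Walk the atoms in [buf, buf+len), descending into 'moov', until 'mvhd' is found.
 * Every use of a declared size is checked against the bytes actually available. */
atom_result_t find_mvhd(const uint8_t *buf, size_t len, mvhd_info_t *out) {
    size_t off = 0;
    while (off < len) {
        if (len - off < 8) return ATOM_TRUNCATED;            /* no room for size + type */
        uint32_t size = be32(buf + off);
        const uint8_t *type = buf + off + 4;
        /* size 0 (to end of file) and 1 (64-bit size follows) exist in the format; this
         * example rejects them along with any size that cannot even hold the header. */
        if (size < 8) return ATOM_TRUNCATED;
        if (size > len - off) return ATOM_OVERSIZED;          /* the check a naive parser skips */
        if (memcmp(type, "moov", 4) == 0)
            return find_mvhd(buf + off + 8, size - 8, out);   /* recurse with the child's bound */
        if (memcmp(type, "mvhd", 4) == 0)
            return parse_mvhd(buf + off + 8, size - 8, out);
        off += size;                                          /* cannot overshoot len: checked above */
    }
    return ATOM_NOT_FOUND;
}

/* Convenience wrapper: timescale on success, 0 on any failure. */
uint32_t mvhd_timescale_of(const uint8_t *buf, size_t len) {
    mvhd_info_t info;
    return find_mvhd(buf, len, &info) == ATOM_OK ? info.timescale : 0;
}

/* Constructed sample inputs (not real files). SAMPLE_GOOD: ftyp + moov{mvhd}, timescale 600,
 * duration 1200. SAMPLE_OVERSIZED: the mvhd size field claims 0x7FFFFFFF bytes.
 * SAMPLE_SHORT: the mvhd body is 12 bytes, shorter than the 20 bytes its fixed fields need. */
const uint8_t SAMPLE_GOOD[] = {
    0x00,0x00,0x00,0x10, 'f','t','y','p', 'q','t',' ',' ', 0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x24, 'm','o','o','v',
    0x00,0x00,0x00,0x1C, 'm','v','h','d', 0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x02,0x58, 0x00,0x00,0x04,0xB0
};
const uint8_t SAMPLE_OVERSIZED[] = {
    0x00,0x00,0x00,0x24, 'm','o','o','v',
    0x7F,0xFF,0xFF,0xFF, 'm','v','h','d', 0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x02,0x58, 0x00,0x00,0x04,0xB0
};
const uint8_t SAMPLE_SHORT[] = {
    0x00,0x00,0x00,0x1C, 'm','o','o','v',
    0x00,0x00,0x00,0x14, 'm','v','h','d', 0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00
};

int main(void) {
    mvhd_info_t info;
    if (find_mvhd(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &info) == ATOM_OK)
        printf("good: timescale=%u duration=%u\n", info.timescale, info.duration);
    printf("oversized: result=%d\n", (int)find_mvhd(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED, NULL));
    printf("short: result=%d\n", (int)find_mvhd(SAMPLE_SHORT, sizeof SAMPLE_SHORT, NULL));
    return 0;
}
```

The two checks marked in find_mvhd are the ones a naive parser omits: using the declared atom size as the length of a copy or a read is exactly how a crafted atom becomes a buffer overflow, and the fix Apple describes, improved bounds checking, amounts to the size > len - off and body_len < 20 tests here.
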
HP's ZDI pays security researchers for their vulnerability disclosures and then coordinates disclosure of the flaws with the affected vendors.

Scott Lambert, director of Threat Research for HP Security Research (HPSR), explained to eSecurity Planet that due to its popularity in both enterprise and consumer environments, QuickTime is one of the prevalent technologies that HP Zero Day Initiative works to protect through its responsible disclosure program.

"We work closely with Apple to share critical vulnerabilities that are identified by the independent research community, and as a result, 12 of these vulnerabilities have been patched this year in QuickTime alone," Lambert said.

Windows fixed first

While Apple is only now issuing the fix for QuickTime on Mac OS X, Windows users of QuickTime received it at the end of May in the QuickTime 7.7.4 update.

"We have not done any validation, but according to the vendor advisories, these appear to address the same CVEs," Lambert said.

It's not entirely clear why Apple is patching Mac OS X more than a month after it patched the same issues for Windows users, nor why the fixes were not part of the large June update that addressed 55 vulnerabilities across Mac OS X.

From ZDI's perspective, Apple is doing just fine. 

"Apple is one of our most responsive vendors, consistently taking the security issues we disclose seriously and issuing patches well within our disclosure policy," Lambert said.

Sean Michael Kerner is a senior editor at eSecurity Planet. Follow him on Twitter @TechJournalist.