May 18, 2007 (Computerworld) -- Although browsers are notoriously juicy targets for hackers, Apple Inc.'s QuickTime is actually three times more likely to pose a threat than Internet Explorer 6 -- and six times more likely to be a threat than Firefox, Danish vulnerability tracker Secunia ApS said this week.
The higher risk posed by QuickTime stems from lackadaisical patching by users. According to an analysis of more than 350,000 system checks done over the last six months by the free Secunia Software Inspector, 33.1% of all QuickTime 7 installations weren't up to date with security patches. Another music player, AOL LLC's Winamp, was almost as likely to be outdated: 27% of Winamp 5 installations were missing needed security fixes.
Compared to QuickTime or Winamp, Microsoft Corp.'s Internet Explorer 6 and Mozilla Corp.'s Firefox are models of security, said Secunia. Only 9.6% of IE 6 installations lacked one or more patches, while just 5.2% of Firefox 2 deployments needed updating.
The disparity is understandable. Users know browsers often have security holes, and updating them -- particularly Microsoft products -- is often a well-established habit that takes place on a known schedule. But Secunia's data shows that outside of operating systems and browsers, users neglect regular patching.
"This constitutes a significant problem," said Jakob Balle, Secunia's development manager, in a blog post detailing the Software Inspector results. "Most people wouldn't hesitate to open an .mpg, .jpg, .mov or .mp3 file from any source if it seems the least bit interesting and relevant. It's easy to embed a movie in your home page, for example, and all it takes is one unpatched QuickTime vulnerability and a provocative video title to compromise a lot of visitors."
Researchers regularly identify vulnerabilities in QuickTime and Winamp. Secunia's own database, for example, pins 10 bugs on QuickTime 7, three of them so far this year. The most-recently-patched QuickTime flaw was disclosed about three weeks ago and patched on May 1. Winamp 5 sports 11 vulnerabilities, said Secunia; the last bug was also quashed earlier this month.
No comments:
Post a Comment