Obsolete QT updates



AplusWebMaster
2007-01-25, 14:51
FYI...

- http://www.kb.cert.org/vuls/id/442497
1.24.2007 ~ "Solution: Apply Update: This issue is addressed in Apple Security Update 2007-001...
An update for Microsoft Windows XP and 2000 systems is available via the Apple Software Update* application installed with QuickTime 7.1.3..."
(NOTE: See c:\program files\apple software update\softwareupdate.exe to start the program.)

How to repair Software Update for Windows
* http://docs.info.apple.com/article.html?artnum=304264

How to tell if Software Update for Windows is working correctly when no updates are available
- http://docs.info.apple.com/article.html?artnum=304263 ...

AplusWebMaster
2007-03-06, 06:24
FYI...

Security update for QuickTime (v7.1.5)
- http://isc.sans.org/diary.html?storyid=2363
Last Updated: 2007-03-06 03:05:12 UTC ...(Version: 2)
"Apple released a new version of QuickTime (7.1.5) which contains numerous bug fixes and a lot of important security patches. This article ( http://docs.info.apple.com/article.html?artnum=305149 ) lists the security content of this release – you can see that it fixes 8 security vulnerabilities, all of which just require a user to click on a specially crafted file... You can find the Mac version at http://www.apple.com/quicktime/download/mac.html , while the Windows version can be downloaded from http://www.apple.com/quicktime/download/win.html ..."

("Apple Software Update" now shows the v7.1.5 update - YMMV.)

> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0711

:fear:

AplusWebMaster
2007-04-25, 05:54
FYI...

- http://isc.sans.org/diary.html?storyid=2689
Last Updated: 2007-04-24 21:54:43 UTC ~ "Secunia has posted an advisory today that involves Apple QuickTime Java. According to the advisory this is a highly critical problem that affects versions 3.x, 4.x, 5.x, 6.x and 7.x. The vulnerability is due to an unspecified error within the Java handling in QuickTime. This can be exploited allowing execution of arbitrary code when a user visits a malicious web site using a Java-enabled browser e.g. Safari or Firefox (ed. note: IE, too)..." http://secunia.com/advisories/25011/

> http://www.us-cert.gov/current/#vulnerability_involving_apple_quicktime_and


:spider: :fear:

FYI...

QuickTime 7.1.6 released
- http://docs.info.apple.com/article.html?artnum=305446
Date Modified: May 01, 2007
"Available for: Mac OS X v10.3.9, Mac OS X v10.4.9, Windows XP SP2, Windows 2000 SP4
Impact: Visiting a malicious website may lead to arbitrary code execution
Description: An implementation issue exists in QuickTime for Java, which may allow reading or writing out of the bounds of the allocated heap..."
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2175
CVSS Severity: 10.0 (High)

Windows version download: http://www.apple.com/quicktime/download/win.html

:fear:

FYI...

Security Update (QuickTime 7.1.6 for Windows)
This update is recommended for all users and improves the security of QuickTime 7.1.6.
- http://www.apple.com/support/downloads/
Size: 1.1MB - 05/29/2007

- http://docs.info.apple.com/article.html?artnum=305531
Date Modified: May 29, 2007

> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2388

> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2389

> http://lists.apple.com/archives/security-announce/2007/May/msg00005.html

> http://secunia.com/advisories/25130/

> http://www.us-cert.gov/current/#apple_releases_a_security_update
updated May 30, 2007


AplusWebMaster
2007-07-12, 14:18
FYI...

QuickTime multiple vulns - update available
- http://secunia.com/advisories/26034/
Release Date: 2007-07-12
Critical: Highly critical
Impact: Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: Apple QuickTime 7.x
...The vulnerabilities are reported in versions prior to 7.2.
Solution: Update to version 7.2.
QuickTime 7.2 for Mac:
http://www.apple.com/support/downloads/quicktime72formac.html
QuickTime 7.2 for Windows:
http://www.apple.com/support/downloads/quicktime72forwindows.html ..."

> http://docs.info.apple.com/article.html?artnum=305947

> http://docs.info.apple.com/article.html?artnum=61798

> http://www.apple.com/support/downloads/


AplusWebMaster
2007-07-12, 22:37
FYI...

- http://www.f-secure.com/weblog/archives/archive-072007.html#00001230
July 12, 2007 - "...It's important to update. Why? Because of stuff like MPack. MPack is a PHP based malware kit that's sold as if it were commercial software. It includes updates, support, and additional modules can be purchased. It's very successful at the moment. The kit uses compromised passwords to hack web servers and to insert an IFrame. If you visit a web page with such an IFrame, MPack's PHP script will be run and it will attempt to infect your computer. The PHP script is structured so that OS and browser versions are identified. The IFrame redirects to other PHP scripts depending on the details. These various scripts are easily updated by MPack's authors. Among the list of exploits it tries is one for QuickTime. This new update may fix some of the QuickTime flaws known to malware authors. And it may also tip them off to new exploits. Apple's iTunes and therefore QuickTime is a very popular application. If everyone updates sooner than later it will shorten the window of opportunity for the bad guys..."


AplusWebMaster
2007-10-04, 13:04
FYI...

QuickTime v7.2.0.245 update released
- http://docs.info.apple.com/article.html?artnum=306560
October 03, 2007
Security Update for QuickTime 7.2

Download:
- http://www.apple.com/support/downloads/securityupdateforquicktime72forwindows.html
"This update is recommended for all users and improves the security of QuickTime 7.2."



AplusWebMaster
2007-11-06, 04:57
FYI...

QuickTime multiple vulns - v7.3 released
- http://preview.tinyurl.com/29lknu
November 05, 2007 - InfoWorld - "...The QuickTime 7.3 update, released Monday, fixes seven bugs in the software. Six of the flaws could allow an attacker to run unauthorized software on a victim's PC. To do this, the attacker would first need to trick the victim into viewing a maliciously crafted movie or image file, Apple said. The seventh flaw lies in QuickTime for Java, and it could be used to gain access to sensitive information or to run Java applets with elevated privileges..."

- http://docs.info.apple.com/article.html?artnum=306896
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5, Windows Vista, XP SP2
CVE-ID: CVE-2007-2395
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
CVE-ID: CVE-2007-3750
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
CVE-ID: CVE-2007-3751
Impact: Untrusted Java applets may obtain elevated privileges
CVE-ID: CVE-2007-4672
Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution
CVE-ID: CVE-2007-4675
Impact: Viewing a maliciously crafted QTVR movie file may lead to an unexpected application termination or arbitrary code execution
CVE-ID: CVE-2007-4677
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution...

- http://secunia.com/advisories/27523/
Release Date: 2007-11-06
Critical: Highly critical
Impact: Security Bypass, Exposure of sensitive information, System access
Where: From remote
Solution Status: Vendor Patch...
Solution: Update to version 7.3...

Download:
> http://www.apple.com/support/downloads/quicktime73forwindows.html
-or-
Use the Apple Software Update icon on your system.

:fear:

AplusWebMaster
2007-11-26, 14:06
FYI...

- http://www.us-cert.gov/current/#0_day_vulnerability_in_apple
November 23, 2007 - "US-CERT is aware of a vulnerability in Apple QuickTime that may allow an attacker to execute arbitrary code or cause a denial-of-service condition on an affected system..."

> http://www.milw0rm.com/exploits/4651
2007-11-24

- http://secunia.com/advisories/27755/
Release Date: 2007-11-26
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Apple QuickTime 7.x
...The vulnerability is confirmed in version 7.3. Other versions may also be affected.
NOTE: A working exploit is publicly available.
Solution:
Do not browse untrusted websites, follow untrusted links, nor open untrusted QTL files.

:fear:

AplusWebMaster
2007-11-27, 21:52
Workaround:

- http://blog.washingtonpost.com/securityfix/2007/11/exploit_released_for_unpatched_3.html
November 27, 2007 - "...QuickTime users can set the program so that neither the player nor the QuickTime plug-in for IE/Firefox will use QuickTime to open RTSP content. To do this, open QuickTime, select "Edit," then "Preferences." On the tab labeled "Browser," click the "MIME Settings" tab at the bottom, and then on the "+" sign next to "Streaming," and uncheck the box next to RTSP. Click "OK," and then head over to the "File Types" tab and do the same..."

(Screenshots available at the URL above.)

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6166
Last revised: 11/29/2007

AplusWebMaster
2007-12-02, 18:21
FYI...

- http://isc.sans.org/diary.html?storyid=3713
Last Updated: 2007-12-02 11:35:52 UTC ...(Version: 2)
"Symantec is reporting* an active exploit site for the QuickTime RTSP Response vulnerability..."

* http://preview.tinyurl.com/28ukts
December 1, 2007 08:36 PM - "...The attack we have confirmed today begins with the popular IFRAME. An IFRAME code that causes the browser to make an additional request to another URL, is embedded in a porn site. Without knowledge, users visiting this site are redirected to the malicious site serving the exploit... We are still studying the attack in depth, so look out for more information at a later time. Since a patch to correct the issue has yet to be released, we advise users to be cautious when browsing the web. For those of you seeking extra protection, we also recommend the following options:
- Run web browsers at the highest security settings possible
- Disable Apple QuickTime as a registered RTSP protocol handler.
- Filter outgoing activity over common RTSP ports, including TCP port 554 and UDP ports 6970-6999..."

:fear:
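
The outbound RTSP filter recommended in the quoted advice above (TCP port 554, UDP ports 6970-6999), written as a check over firewall logs to confirm the filter is in effect. This is an added example, not part of the original posts or of any vendor tool; the log format, field names and addresses are constructed for illustration.

```python
import re

# Ports named in the quoted advice: TCP 554 and UDP 6970-6999.
RTSP_TCP_PORTS = {554}
RTSP_UDP_PORTS = range(6970, 7000)

# Constructed log format (an assumption): one key=value record per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) dir=(?P<dir>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Constructed sample lines; addresses are from documentation ranges.
SAMPLE_LOG = """\
2007-12-02T11:40:01Z action=allow dir=out proto=tcp src=192.0.2.10 dst=198.51.100.7 dport=80
2007-12-02T11:40:02Z action=allow dir=out proto=tcp src=192.0.2.10 dst=203.0.113.5 dport=554
2007-12-02T11:40:03Z action=allow dir=out proto=udp src=192.0.2.10 dst=203.0.113.5 dport=6970
2007-12-02T11:40:04Z action=deny dir=out proto=tcp src=192.0.2.22 dst=203.0.113.9 dport=554
2007-12-02T11:40:05Z action=allow dir=in proto=tcp src=203.0.113.5 dst=192.0.2.10 dport=554
2007-12-02T11:40:06Z action=allow dir=out proto=udp src=192.0.2.31 dst=203.0.113.5 dport=7000
2007-12-02T11:40:07Z action=allow dir=out proto=udp src=192.0.2.31 dst=203.0.113.5 dport=554
malformed line that should be skipped
"""

def is_rtsp_port(proto, dport):
    """True when proto/port falls in the ranges the advice says to filter."""
    proto = proto.lower()
    if proto == "tcp":
        return dport in RTSP_TCP_PORTS
    if proto == "udp":
        return dport in RTSP_UDP_PORTS
    return False

def outbound_rtsp(log_text):
    """Return (allowed, denied) lists of outbound records on RTSP ports."""
    allowed, denied = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["dir"] != "out" or not is_rtsp_port(m["proto"], int(m["dport"])):
            continue  # unparsable, inbound, or not an RTSP port
        rec = (m["ts"], m["src"], m["dst"], m["proto"], int(m["dport"]))
        (denied if m["action"] == "deny" else allowed).append(rec)
    return allowed, denied

if __name__ == "__main__":
    allowed, denied = outbound_rtsp(SAMPLE_LOG)
    for rec in allowed:
        print("filter gap, outbound RTSP allowed:", rec)
    print(f"{len(denied)} outbound RTSP attempt(s) blocked")
```

Any record in the `allowed` list is a host that can still reach an external RTSP server, so the egress rule is missing or bypassed for that source.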

AplusWebMaster
2007-12-14, 12:43
FYI...

QuickTime 7.3.1 released
- http://docs.info.apple.com/article.html?artnum=307176
December 13, 2007
"...CVE-ID: CVE-2007-6166 - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6166
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2
Impact: Viewing a maliciously crafted RTSP movie may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in QuickTime's handling of Real Time Streaming Protocol (RTSP) headers. By enticing a user to view a maliciously crafted RTSP movie, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by ensuring that the destination buffer is sized to contain the data"

Download:
> http://www.apple.com/support/downloads/quicktime731forwindows.html
-or-
Use the Apple Software Update icon on your system.

:fear:

AplusWebMaster
2008-01-16, 06:15
FYI...

QuickTime 7.4 released
- http://docs.info.apple.com/article.html?artnum=307301

Download:
> http://www.apple.com/support/downloads/quicktime74forwindows.html
Post Date: January 15, 2008

Apple security updates
- http://docs.info.apple.com/article.html?artnum=61798
Last Modified on: January 15, 2008

- http://isc.sans.org/diary.html?storyid=3852
Last Updated: 2008-01-15 22:09:15 UTC - "...Note that this update does not yet appear to resolve the critical vulnerability reported last week by Luigi Auriemma (VU #112179*)."
* http://www.kb.cert.org/vuls/id/112179

:(

AplusWebMaster
2008-02-07, 12:23
FYI...

QuickTime 7.4.1 released
- http://www.apple.com/support/downloads/quicktime741forwindows.html
February 6, 2008 - "QuickTime 7.4.1 addresses security issues and improves compatibility with third-party applications. This release is recommended for all QuickTime 7 users..."
> http://docs.info.apple.com/article.html?artnum=61798
QuickTime 7.4.1
Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista / XP
06 Feb 2008

AplusWebMaster
2008-04-03, 17:20
FYI...

QuickTime v7.4.5 for Windows
- http://www.apple.com/support/downloads/
04/02/2008
"This release is recommended for all QuickTime 7 users..."

QuickTime v7.4.5 for Windows
- http://www.apple.com/support/downloads/quicktime745forwindows.html

Security content of QuickTime 7.4.5
- http://support.apple.com/kb/HT1241

- http://www.apple.com/support/quicktime/

- http://isc.sans.org/diary.html?storyid=4232
Last Updated: 2008-04-03 12:14:28 UTC - "...QuickTime version 7.4.5 which addresses 11 vulnerabilities. Vulnerabilities range from denial of service attacks, information leaks to (of course) remote code execution..."

- http://secunia.com/advisories/29650/
Release Date: 2008-04-03
Critical: Highly critical
Impact: Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch
...Successful exploitation of these vulnerabilities may allow execution of arbitrary code.
Solution: Update to version 7.4.5...

:fear:

AplusWebMaster
2008-06-10, 14:55
FYI...

QuickTime 7.5
- http://isc.sans.org/diary.html?storyid=4547
Last Updated: 2008-06-10 11:27:16 UTC - "...Apple's security improvements* include fixes for:
- CVE-2008-1581: PICT images can lead to a heap overflow and code execution
- CVE-2008-1582: AAC coded media can lead to code execution
- CVE-2008-1583: PICT images can lead to a heap overflow and code execution
- CVE-2008-1584: Indeo video codec can lead to a stack buffer overflow and code execution - note the fix: "This update addresses the issue by not rendering Indeo video codec content."
- CVE-2008-1585: URL handling of URLs in QuickTime files could lead to attacker controlled application launch and code execution - note the fix: "This update addresses the issue by revealing files in Finder or Windows Explorer rather than launching them."
* http://support.apple.com/kb/HT1991

Download:
- http://www.apple.com/quicktime/download/

:fear:

AplusWebMaster
2008-09-10, 03:46
FYI...

QuickTime v7.5.5 released
- http://www.apple.com/quicktime/download/
09.09.2008

QuickTime 7.5.5
- http://support.apple.com/kb/HT3027
Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP, SP2, and SP3
09 Sept 2008

- http://isc.sans.org/diary.html?storyid=5014
Last Updated: 2008-09-09 20:28:34 UTC - "...The QuickTime update to 7.5.5 refers to following CVE names: CVE-2008-3615, CVE-2008-3635, CVE-2008-3624, CVE-2008-3625, CVE-2008-3614, CVE-2008-3626, CVE-2008-3627, CVE-2008-3628, CVE-2008-3629
...All of them are relating to opening "crafted" media files. Read: it's the typical list of input validation failures leading to code execution. You want this one if you have QuickTime installed..."

- http://secunia.com/advisories/31821/
Release Date: 2008-09-10
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch...

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3614
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3615
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3624
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3625
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3626
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3627
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3628
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3629
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3635

- http://www.us-cert.gov/current/#apple_releases_security_updates1

:fear: