
Thread: Obsolete QT updates

  1. #1
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Obsolete QT updates

    FYI...

    - http://www.kb.cert.org/vuls/id/442497
    1.24.2007 ~ "Solution: Apply Update: This issue is addressed in Apple Security Update 2007-001...
    An update for Microsoft Windows XP and 2000 systems is available via the Apple Software Update* application installed with QuickTime 7.1.3..."
    (NOTE: See c:\program files\apple software update\softwareupdate.exe to start the program.)

    How to repair Software Update for Windows
    * http://docs.info.apple.com/article.html?artnum=304264

    How to tell if Software Update for Windows is working correctly when no updates are available
    - http://docs.info.apple.com/article.html?artnum=304263 ...
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #2
    Adviser Team AplusWebMaster's Avatar

    QuickTime v7.1.5 Security update released

    FYI...

    Security update for QuickTime (v7.1.5)
    - http://isc.sans.org/diary.html?storyid=2363
    Last Updated: 2007-03-06 03:05:12 UTC ...(Version: 2)
    "Apple released a new version of QuickTime (7.1.5) which contains numerous bug fixes and a lot of important security patches. This article ( http://docs.info.apple.com/article.html?artnum=305149 ) lists the security content of this release – you can see that it fixes 8 security vulnerabilities, all of which just require a user to click on a specially crafted file... You can find the Mac version at http://www.apple.com/quicktime/download/mac.html , while the Windows version can be downloaded from http://www.apple.com/quicktime/download/win.html ..."

    ("Apple Software Update" now shows the v7.1.5 update - YMMV.)

    > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0711

    Last edited by AplusWebMaster; 2007-03-13 at 18:24. Reason: Added NIST/CVE reference URL...

  3. #3
    Adviser Team AplusWebMaster's Avatar

    Quicktime updated

    FYI...

    - http://isc.sans.org/diary.html?storyid=2689
    Last Updated: 2007-04-24 21:54:43 UTC ~ "Secunia has posted an advisory today that involves Apple Quicktime Java. According to the advisory this is a highly critical problem that affects versions 3.x, 4.x, 5.x, 6.x and 7.x. The vulnerability is due to an unspecified error within the Java handling in QuickTime. This can be exploited allowing execution of arbitrary code when a user visits a malicious web site using a Java-enabled browser e.g. Safari or Firefox (ed. note: IE, too)..." http://secunia.com/advisories/25011/

    > http://www.us-cert.gov/current/#vuln..._quicktime_and




    FYI...

    QuickTime 7.1.6 released
    - http://docs.info.apple.com/article.html?artnum=305446
    Date Modified: May 01, 2007
    "Available for: Mac OS X v10.3.9, Mac OS X v10.4.9, Windows XP SP2, Windows 2000 SP4
    Impact: Visiting a malicious website may lead to arbitrary code execution
    Description: An implementation issue exists in QuickTime for Java, which may allow reading or writing out of the bounds of the allocated heap..."
    > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2175
    CVSS Severity: 10.0 (High)

    Windows version download: http://www.apple.com/quicktime/download/win.html



    FYI...

    Security Update (QuickTime 7.1.6 for Windows)
    This update is recommended for all users and improves the security of QuickTime 7.1.6.
    - http://www.apple.com/support/downloads/
    Size: 1.1MB - 05/29/2007

    - http://docs.info.apple.com/article.html?artnum=305531
    Date Modified: May 29, 2007

    > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2388

    > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2389

    > http://lists.apple.com/archives/secu.../msg00005.html

    > http://secunia.com/advisories/25130/

    > http://www.us-cert.gov/current/#appl...ecurity_update
    updated May 30, 2007

    .
    Last edited by AplusWebMaster; 2007-07-12 at 14:21.

  4. #4
    Adviser Team AplusWebMaster's Avatar

    QuickTime v7.2 released

    FYI...

    QuickTime multiple vulns - update available
    - http://secunia.com/advisories/26034/
    Release Date: 2007-07-12
    Critical: Highly critical
    Impact: Exposure of sensitive information, DoS, System access
    Where: From remote
    Solution Status: Vendor Patch
    Software: Apple QuickTime 7.x
    ...The vulnerabilities are reported in versions prior to 7.2.
    Solution: Update to version 7.2.
    QuickTime 7.2 for Mac:
    http://www.apple.com/support/downloa...e72formac.html
    QuickTime 7.2 for Windows:
    http://www.apple.com/support/downloa...orwindows.html ..."

    > http://docs.info.apple.com/article.html?artnum=305947

    > http://docs.info.apple.com/article.html?artnum=61798

    > http://www.apple.com/support/downloads/

    .
    Last edited by AplusWebMaster; 2007-07-12 at 15:30.

  5. #5
    Adviser Team AplusWebMaster's Avatar

    FYI...

    - http://www.f-secure.com/weblog/archi....html#00001230
    July 12, 2007 - "...It's important to update. Why? Because of stuff like MPack. MPack is a PHP based malware kit that's sold as if it were commercial software. It includes updates, support, and additional modules can be purchased. It's very successful at the moment. The kit uses compromised passwords to hack web servers and to insert an IFrame. If you visit a web page with such an IFrame, MPack's PHP script will be run and it will attempt to infect your computer. The PHP script is structured so that OS and browser versions are identified. The IFrame redirects to other PHP scripts depending on the details. These various scripts are easily updated by MPack's authors. Among the list of exploits it tries is one for QuickTime. This new update may fix some of the QuickTime flaws known to malware authors. And it may also tip them off to new exploits. Apple's iTunes and therefore QuickTime is a very popular application. If everyone updates sooner than later it will shorten the window of opportunity for the bad guys..."

    .

  6. #6
    Adviser Team AplusWebMaster's Avatar

    Quicktime v7.2.0.245 update released

    FYI...

    Quicktime v7.2.0.245 update released
    - http://docs.info.apple.com/article.html?artnum=306560
    October 03, 2007
    Security Update for QuickTime 7.2

    Download:
    - http://www.apple.com/support/downloa...orwindows.html
    "This update is recommended for all users and improves the security of QuickTime 7.2."


    .

  7. #7
    Adviser Team AplusWebMaster's Avatar

    Quicktime multiple vulns - v7.3 released

    FYI...

    Quicktime multiple vulns - v7.3 released
    - http://preview.tinyurl.com/29lknu
    November 05, 2007 - InfoWorld - "...The QuickTime 7.3 update, released Monday, fixes seven bugs in the software. Six of the flaws could allow an attacker to run unauthorized software on a victim's PC. To do this, the attacker would first need to trick the victim into viewing a maliciously crafted movie or image file, Apple said. The seventh flaw lies in QuickTime for Java, and it could be used to gain access to sensitive information or to run Java applets with elevated privileges..."

    - http://docs.info.apple.com/article.html?artnum=306896
    Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5, Windows Vista, XP SP2
    CVE-ID: CVE-2007-2395
    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
    CVE-ID: CVE-2007-3750
    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
    CVE-ID: CVE-2007-3751
    Impact: Untrusted Java applets may obtain elevated privileges
    CVE-ID: CVE-2007-4672
    Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution
    CVE-ID: CVE-2007-4675
    Impact: Viewing a maliciously crafted QTVR movie file may lead to an unexpected application termination or arbitrary code execution
    CVE-ID: CVE-2007-4677
    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution...

    - http://secunia.com/advisories/27523/
    Release Date: 2007-11-06
    Critical: Highly critical
    Impact: Security Bypass, Exposure of sensitive information, System access
    Where: From remote
    Solution Status: Vendor Patch...
    Solution: Update to version 7.3...

    Download:
    > http://www.apple.com/support/downloa...orwindows.html
    -or-
    Use the Apple Software Update icon on your system.

    Last edited by AplusWebMaster; 2007-11-07 at 13:22.

  8. #8
    Adviser Team AplusWebMaster's Avatar

    FYI...

    - http://www.us-cert.gov/current/#0_da...ility_in_apple
    November 23, 2007 - "US-CERT is aware of a vulnerability in Apple QuickTime that may allow an attacker to execute arbitrary code or cause a denial-of-service condition on an affected system..."

    > http://www.milw0rm.com/exploits/4651
    2007-11-24

    - http://secunia.com/advisories/27755/
    Release Date: 2007-11-26
    Critical: Extremely critical
    Impact: System access
    Where: From remote
    Solution Status: Unpatched
    Software: Apple QuickTime 7.x
    ...The vulnerability is confirmed in version 7.3. Other versions may also be affected.
    NOTE: A working exploit is publicly available.
    Solution:
    Do not browse untrusted websites, follow untrusted links, nor open untrusted QTL files.


  9. #9
    Adviser Team AplusWebMaster's Avatar

    Workaround:

    - http://blog.washingtonpost.com/secur...patched_3.html
    November 27, 2007 - "...QuickTime users can set the program so that neither the player nor the QuickTime plug-in for IE/Firefox will use QuickTime to open RTSP content. To do this, open QuickTime, select "Edit," then "Preferences." On the tab labeled "Browser," click the "MIME Settings" tab at the bottom, and then on the "+" sign next to "Streaming," and uncheck the box next to RTSP. Click "OK," and then head over to the "File Types" tab and do the same..."

    (Screenshots available at the URL above.)

    - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6166
    Last revised: 11/29/2007
    Last edited by AplusWebMaster; 2007-11-30 at 15:44.

  10. #10
    Adviser Team AplusWebMaster's Avatar

    FYI...

    - http://isc.sans.org/diary.html?storyid=3713
    Last Updated: 2007-12-02 11:35:52 UTC ...(Version: 2)
    "Symantec is reporting* an active exploit site for the QuickTime RTSP Response vulnerability..."

    * http://preview.tinyurl.com/28ukts
    December 1, 2007 08:36 PM - "...The attack we have confirmed today begins with the popular IFRAME. An IFRAME code that causes the browser to make an additional request to another URL, is embedded in a porn site. Without knowledge, users visiting this site are redirected to the malicious site serving the exploit... We are still studying the attack in depth, so look out for more information at a later time. Since a patch to correct the issue has yet to be released, we advise users to be cautious when browsing the web. For those of you seeking extra protection, we also recommend the following options:
    - Run web browsers at the highest security settings possible
    - Disable Apple QuickTime as a registered RTSP protocol handler.
    - Filter outgoing activity over common RTSP ports, including TCP port 554 and UDP ports 6970-6999..."

    .
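
The egress-filtering advice quoted in post #10 (TCP port 554 and UDP ports 6970-6999) can be checked against firewall logs to see which hosts still reach out on those ports and whether the filter stopped them. This is an added example, not part of the original thread or of the quoted advisory; the log records are constructed, the field layout is modeled on a Windows Firewall log, and the internal address ranges are an assumption.

```python
import ipaddress

# Ports from the quoted guidance: TCP 554 and UDP 6970-6999.
RTSP_PORTS = {"TCP": range(554, 555), "UDP": range(6970, 7000)}
# Assumption: these RFC 1918 ranges are the site's internal address space.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed sample records (documentation addresses, not real hosts).
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size
2007-12-02 11:40:01 ALLOW TCP 192.168.1.20 203.0.113.9 49210 80 60
2007-12-02 11:40:03 ALLOW TCP 192.168.1.20 203.0.113.77 49211 554 60
2007-12-02 11:40:04 ALLOW UDP 192.168.1.20 203.0.113.77 49300 6972 120
2007-12-02 11:40:05 DROP TCP 192.168.1.31 198.51.100.4 50112 554 60
2007-12-02 11:40:07 ALLOW TCP 203.0.113.50 192.168.1.20 40000 554 60
2007-12-02 11:40:08 ALLOW TCP 192.168.1.44 192.168.1.60 50500 554 60
2007-12-02 11:40:09 ALLOW ICMP 192.168.1.20 203.0.113.9 - - 60
"""

def is_internal(addr):
    return any(ipaddress.ip_address(addr) in net for net in INTERNAL)

def parse(log_text):
    """Yield one dict per record, using the #Fields header for column names."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            values = line.split()
            if fields and len(values) >= len(fields):
                yield dict(zip(fields, values))

def outbound_rtsp(log_text):
    """Return (src, dst, proto, dst_port, action) for outbound RTSP-port traffic."""
    hits = []
    for rec in parse(log_text):
        try:
            proto, port, action = rec["protocol"].upper(), int(rec["dst-port"]), rec["action"]
            leaving = is_internal(rec["src-ip"]) and not is_internal(rec["dst-ip"])
        except (KeyError, ValueError):
            continue  # record without usable ports/addresses (e.g. ICMP): skip
        if leaving and port in RTSP_PORTS.get(proto, ()):
            hits.append((rec["src-ip"], rec["dst-ip"], proto, port, action))
    return hits

if __name__ == "__main__":
    for hit in outbound_rtsp(SAMPLE_LOG):
        print(hit)
```

Records with an action other than DROP are the ones the egress filter did not stop; inbound and internal-to-internal traffic on the same ports is deliberately ignored.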
