
SANS ISC InfoSec Handlers Diary Blog



Quicktime patches for Mac and Windows

Published: 2006-01-11
Last Updated: 2006-01-11 05:39:21 UTC
by Kyle Haugsness (Version: 2)
Is Apple hiding behind Microsoft's advisories?  Seems like Apple has been conveniently releasing security advisories on the same day as Microsoft's.  Conspiracy theory?  You be the judge.

Anyway, Apple released a security update to Quicktime: http://docs.info.apple.com/article.html?artnum=303101  There are multiple vulnerabilities patched.  To summarize the advisory: A maliciously-crafted GIF/TIFF/TGA/QTIF image or multimedia file may result in arbitrary code execution.  Well, that pretty much covers the whole web browsing thing.

Given the week we've had, I suppose that everyone should go back to using netcat for surfing the web.

Update (from Scott):

For those using Quicktime on Windows, a quick note about the versions of Quicktime available to download at http://www.apple.com/quicktime/ .  As of 5:30 UTC, the default installer you download includes iTunes.  The version of Quicktime included is 7.0.3, which is vulnerable per the advisory above. However, if you download the standalone installer located at http://www.apple.com/quicktime/download/standalone.html , then you get the updated version of Quicktime 7.0.4.

Additionally, if you try to update the software using the "Update existing software..." item under the Help menu, then you receive a message about not being able to make an Internet connection to the software server. I receive the same message if I use the update message under the Quicktime settings window. Not sure if this is an odd configuration problem on my end, or if their update server is having problems.




