Apple today released QuickTime 7.3.1 for Mac and Windows. This update addresses security issues including the following:
• CVE-ID: CVE-2007-6166
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista / XP SP2
Impact: Viewing a maliciously crafted RTSP movie may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in QuickTime’s handling of Real Time Streaming Protocol (RTSP) headers. By enticing a user to view a maliciously crafted RTSP movie, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by ensuring that the destination buffer is sized to contain the data.
• CVE-ID: CVE-2007-4706
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista / XP SP2
Impact: Viewing a maliciously crafted QTL file may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in QuickTime’s handling of QTL files. By enticing a user to view a maliciously crafted QTL file, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.
• CVE-ID: CVE-2007-4707
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista / XP SP2
Impact: Multiple vulnerabilities in QuickTime’s Flash media handler
Description: Multiple vulnerabilities exist in QuickTime’s Flash media handler, the most serious of which may lead to arbitrary code execution. With this update, the Flash media handler in QuickTime is disabled except for a limited number of existing QuickTime movies that are known to be safe. Credit to Tom Ferris of Adobe Secure Software Engineering Team (ASSET), Mike Price of McAfee Avert Labs, and security researchers Lionel d’Hauenens & Brian Mariani of Syseclabs for reporting this issue.
The update is available via Software Update and also as standalone installers.
More info and download links:
• QuickTime 7.3.1 for Leopard – 52.6 MB
• QuickTime 7.3.1 for Tiger- 48.7 MB
• QuickTime 7.3.1 for Panther – 50.9 MB
• QuickTime 7.3.1 for Windows – 20.3 MB
Whew! Good. Now I can go back to ma porn!
speaking of porn, Zune Tang probably just had an eruption of some sort over this [gasp] horrible flaw in an apple product . . . . I expect he’ll be here soon crowing like a rooster.
Zune Tang® is having difficulties maliciously crafting a response.
Apple-free on my Dell PC and loving it! It’s stuff like this that reminds me precisely why I run Windows. Everything on my Dell runs so much better without the scourge of insecure Apple crapware on it. No QuickTime or iTunes to destroy an otherwise magnificent and supremely secure computing experience with Vista. Suck it, MAC sheep.
Your potential. Our passion.™
Apple right on top of things, unlike Microsuck, who waits forever to release fixes for their buggy assed POS OS.
Zune Tang you have TONS of other crap to worry about with Microsuck….
Zune Tang® … dork …
They never fail to bite. It’s simply amazing.
Newbies
gotta love the “supremely secure computing experience with Vista”
Baghdad Bob couldn’t have said it better…..
Mmmmm. New Java too. I like Java.
Flash Media Handler disabled…well that sure screws a lot of people that bought into this QuickTime Interactive BS. What do they mean by “except for a limited number of existing QuickTime movies”?
Dude, you got a D-e-l-l ???
I think that is one of Zune Tang’s more clever rants. Bravo Zune Tang. And seriously, thanks for the many laughs over the various posts.
Peace.
Zune – try harder. You are still not funny enough.
Although: “magnificent and supremely secure computing experience with Vista”
that’s getting there.
Although the acronym for Secured Computer Reliability Experiencing Windows Update does have a ring to it….
Zune, you need to take lessons from John Hodgman. He’s got just the right amount wit to make his PC-ism funny.
I`m a sadist.
I`m an masochist.
Wait, this must be some kind of a hoax. Macs and Apple apps don’t have any security vulnerabilities. At least that’s what MDN keeps saying over and over and over.
I guess 50 MB of code to close these threats to our machines is much ado about nothing. Right, MDN?
Remember, a security update is applied to a existing OS installation under the ASSUMPTION that no previous security breach has already occurred.
Sort of closing the barn door after the horses already escaped.
So it’s best to do:
1: backup twice of all files
2: c boot from OS installation disk
3: select Disk Utility and Erase with Zero Option
4: reinstall the OS, update, enable security procedures (firewall, Little Snitch, etc) then install apps, update, repair permissions and files from backup. (never use your real name on anything in the computer)
Sure it’s a bitch, but these Quicktime exploits as well as others that Apple STILL hasn’t fixed yet are alive and well in the underground community.
Your machine could be listening on one of any of over 65,000 ports for the hackers to request entry.
How many people actually test ALL their ports with a port scan?
How many people employ a method to check on what’s going on in EFI? Which has complete access to your hardware AND the internet?
Apple’s legendary security has flown the coop when EFI was employed and as they have grown the security and privacy has gotten worst.
Some people think that as as long as Mac OS X security is better than Microsoft’s or fixed faster it’s good enough, well it isn’t. It only takes one hole to get in and be in forever just about.
It’s important to throughly check the security BEFORE releasing, but Apple likes to “surprise” the world with a unproven OS and then later work out the bugs.
Can we all say Leoptard?
Pete,
Who died and left you as the resident expert?
Pete = Our Resident KIA (Knows It All)
Why, man, he doth bestride the narrow world
Like a Colossus and we petty men
Walk under his huge legs, and peep about
To find ourselves dishonourable graves.
Ah, dear and wise Pete, we genuflect in your general direction. (Or as my wise grandfather once said, “If you’re so damned smart, how come you ain’t rich?”)
I forgot to mention Shepherd Jobs and his upcoming Blow-World. He once again will ignore these glaring security holes and instead mock Uncle Bill and poor Vista. Those morons who are going back to XP are fools. Vista will run on every machine, guaranteed. Microsoft doesn’t eliminate the ability to upgrade based on processor or video card. It just works.
Zune Tang has it right. You guys in your sheep clothes are fools. Vista combined with IE 7 is the right combo for everyone.
I hope nobody sees an Apple store.
Pete = KIAtard
Realist, no one said that Mac’s don’t have security “vulnerabilities”, they did say there are no successful “exploits” in the wild. BTW, you are such a bore.