lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <200707170013.l6H0Dvnt026433@www.harkless.org>
Date: Mon, 16 Jul 2007 17:13:57 -0700
From: Dan Harkless <bugtraq06@...kless.org>
To: bugtraq@...urityfocus.com
Subject: Re: iDefense Security Advisory 07.11.07: Apple QuickTime SMIL File Processing Integer Overflow Vulnerability 


On July 11, 2007, iDefense Labs <labs-no-reply@...fense.com> wrote:
>
> Apple QuickTime SMIL File Processing Integer Overflow Vulnerability
> 
[...]
> 
> Apple has released QuickTime 7.2 which resolves this issue. 

(And seven other security issues, six of which allow for remote code
execution.)

> More information is available via Apple's QuickTime Security Update page
> at the URL shown below.
> 
> http://docs.info.apple.com/article.html?artnum=305947

I think it's worth noting that Apple has *not* resolved the issues on
Windows 2000 -- they have apparently dropped support for that OS as of
QuickTime 7.2.  They now only mention support for Windows XP and Vista
(except on <http://www.apple.com/quicktime/player/faq.html>, which they seem
to have forgotten to update).

If you run Apple Software Update on a Win2K box, it'll lie and say "Your
software is up-to-date." even though you're missing QuickTime 7.2 and its
fixes for the eight severe security holes.

Also Apple is continuing to support iTunes on Windows 2000 -- iTunes 7.3.1
came out after QuickTime 7.2, and there's an explicit radio button to
download for Windows 2000 at <http://www.apple.com/itunes/download/>.  Not
too surprising, since ending support for iTunes on Windows 2000 would mean
cutting off a revenue stream, but since iTunes requires QuickTime to
function, this means that they're bundling QuickTime 7.1.6 for Windows 2000,
of course with no warning as to the known security holes you're placing on
your machine if you do that.

Windows 2000 users who need the ability to play QuickTime movies will have
to either upgrade to XP / Vista (QuickTime is the first major mainstream
application I'm aware of that's dropped security update support for Win2K),
disable the QuickTime browser plugins (and any automatic "helper app."
actions) so that merely visiting a malicious web page won't be enough to
expose onself to arbitrary code execution, or uninstall QuickTime and use
some third-party player that has partial QuickTime support, like VLC
(<http://www.videolan.org/vlc/>) or MPlayer (<http://www.mplayerhq.hu/>).

-- 
Dan Harkless
http://harkless.org/dan/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ