| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <09C6E9ED93E94269925E68BEE74D3F0A@W340> Date: Wed, 1 Jul 2015 18:15:24 +0200 From: "Stefan Kanthak" <stefan.kanthak@...go.de> To: <bugtraq@...urityfocus.com> Cc: <fulldisclosure@...lists.org> Subject: iTunes 12.2 and QuickTime 7.7.7 for Windows: still outdated and VULNERABLE 3rd party libraries, still UNQUOTED and VULNERABLE pathnames C:\Program Files\... Hi @ll, the just released QuickTime 7.7.7 and iTunes 12.2 for Windows still have quite some of the BLOODY beginners errors I already documented in the past. QuickTime 7.7.7, QuickTime.msi unquoted pathname of executables in command line [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Media\QuickTime\shell\open\command] @="C:\\Program Files\\QuickTime\\QuickTimePlayer.exe" iTunes 12.2, AppleMobileDeviceSupport.msi outdated 3rd party libraries: * libcurl 7.16.2 is NINE years old and has at least 25 unfixed CVEs! The current version is 7.43.0; for the fixed vulnerabilities see <http://curl.haxx.se/docs/security.html> * libeay32.dll and ssleay32.dll 0.9.8za from 2014-06-05 The current version is 0.9.8zg and has 24 security fixes which are missing in 0.9.8za; see <http://openssl.org/news/> Apple STILL doesnt care about customer security, so better STAY AWAY from their insecure software! Stefan Kanthak
Powered by blists - more mailing lists