Open Source and information security mailing list archives
Date: Wed, 1 Jul 2015 18:15:24 +0200
From: "Stefan Kanthak" <>
To: <>
Subject: [FD] iTunes 12.2 and QuickTime 7.7.7 for Windows: still outdated
	and VULNERABLE 3rd party libraries,
	still UNQUOTED and VULNERABLE pathnames C:\Program Files\...

Hi @ll,

the just released QuickTime 7.7.7 and iTunes 12.2 for Windows still
have quite some of the BLOODY beginner's errors I already documented
in the past.

QuickTime 7.7.7, QuickTime.msi

unquoted pathname of executables in command line

@="C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"

iTunes 12.2, AppleMobileDeviceSupport.msi

outdated 3rd party libraries:

* libcurl 7.16.2

  is NINE years old and has at least 25 unfixed CVEs!

  The current version is 7.43.0; for the fixed vulnerabilities
  see <>

* libeay32.dll and ssleay32.dll 0.9.8za from 2014-06-05

  The current version is 0.9.8zg and has 24 security fixes
  which are missing in 0.9.8za; see <>

Apple STILL doesn't care about customer security, so better STAY AWAY
from their insecure software!

Stefan Kanthak

Sent through the Full Disclosure mailing list
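
An added example, not part of the original post: a small auditor that scans a .reg export for command lines like the one quoted above, where the program path contains a space and is not enclosed in quotes. The key names in the sample are constructed placeholders, and the function names are hypothetical.

```python
import re

# One REG_SZ line of a .reg export: @="data" or "Name"="data".
# Only string values are handled; hex(2) (REG_EXPAND_SZ) lines are skipped.
_REG_STRING = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"\s*$')
_PROGRAM_EXT = re.compile(r'\.(exe|com|bat|cmd)\b', re.IGNORECASE)

def decode_reg_string(raw):
    # Undo .reg escaping: a backslash protects the character after it.
    return re.sub(r'\\(.)', r'\1', raw)

def unquoted_program_path(command):
    # Return the program path when it contains a space and is not quoted.
    command = command.strip()
    if not command or command.startswith('"'):
        return None
    match = _PROGRAM_EXT.search(command)
    if match is None:
        return None
    path = command[:match.end()]
    return path if ' ' in path else None

def audit_reg_export(text):
    # Return (line number, program path) for every unquoted command line.
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = _REG_STRING.match(line.strip())
        if match is None:
            continue
        path = unquoted_program_path(decode_reg_string(match.group(2)))
        if path:
            findings.append((lineno, path))
    return findings

# Constructed sample: key names are placeholders; the first value is the one
# quoted in the post, the other two are constructed for contrast.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Example.File\shell\open\command]
@="C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"
[HKEY_CLASSES_ROOT\Example.Quoted\shell\open\command]
@="\"C:\\Program Files\\Example\\viewer.exe\" \"%1\""
[HKEY_CLASSES_ROOT\Example.NoSpace\shell\open\command]
@="C:\\Windows\\notepad.exe %1"'''

if __name__ == '__main__':
    for lineno, path in audit_reg_export(SAMPLE):
        print(f'line {lineno}: unquoted path with spaces: {path}')
```

Only the first value is reported; the quoted command line and the path without spaces pass the check.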