[<prev] [next>] [day] [month] [year] [list]
Message-ID: <09C6E9ED93E94269925E68BEE74D3F0A@W340>
Date: Wed, 1 Jul 2015 18:15:24 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] iTunes 12.2 and QuickTime 7.7.7 for Windows: still outdated
and VULNERABLE 3rd party libraries,
still UNQUOTED and VULNERABLE pathnames C:\Program Files\...
Hi @ll,
the just released QuickTime 7.7.7 and iTunes 12.2 for Windows still
have quite some of the BLOODY beginners errors I already documented
in the past.
QuickTime 7.7.7, QuickTime.msi
unquoted pathname of executables in command line
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Media\QuickTime\shell\open\command]
@="C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"
iTunes 12.2, AppleMobileDeviceSupport.msi
outdated 3rd party libraries:
* libcurl 7.16.2
is NINE years old and has at least 25 unfixed CVEs!
The current version is 7.43.0; for the fixed vulnerabilities
see <http://curl.haxx.se/docs/security.html>
* libeay32.dll and ssleay32.dll 0.9.8za from 2014-06-05
The current version is 0.9.8zg and has 24 security fixes
which are missing in 0.9.8za; see <http://openssl.org/news/>
Apple STILL doesnt care about customer security, so better STAY AWAY
from their insecure software!
Stefan Kanthak
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists