The QuickTime vulnerability relates to how the media player software handles the Real Time Streaming Protocol, or RTSP, according to an Apple alert. An attacker could exploit the flaw and commandeer a vulnerable system by placing a special RTSP string in a QuickTime file and tricking a user into opening that file, Apple said.
"A buffer overflow exists in QuickTime's handling of RTSP URLs," according to the Apple alert. "By enticing a user to access a maliciously-crafted RTSP URL, an attacker can trigger the buffer overflow, which may lead to arbitrary code execution." The update addresses the issue by performing additional validation of RTSP links, Apple said.
Security-monitoring companies Secunia and the French Security Incidence Response Team, or FrSIRT, have rated the QuickTime problem as "highly critical" and "critical," respectively. Still, experts have not seen widespread exploitation of the problem.
One of the bug hunters behind the Month of Apple Bugs said he is stunned by the time it took Apple to fix the flaw. "Twenty two days for a remote issue that leads to code execution right away is sort of insane," the pseudonymous LMH said in an interview via instant message. "There was already an exploit and it was being abused in targeted attacks."
The vulnerability affects QuickTime 7.1.3 on Mac OS X and Windows. Several other vulnerabilities in Apple software have been disclosed as part of the Month of Apple Bugs, including in QuickTime. Apple has not yet released fixes for those issues.
Apple has said that it is aware of the project, but has chosen not to comment beyond a standard statement that it takes security very seriously and has "a great track record of addressing potential vulnerabilities before they can affect users. We always welcome feedback on how to improve security on the Mac."
The Apple patch can be downloaded and installed via the Software Update feature in Mac OS X, or from Apple Downloads.
When will Apple users learn and buy a Windows PC like 95% of computer users! Steve Jobs and his evil empire does not care about you....its all about his back shares and the quarter of a billion dollars he made:):):)
I think that having a healthy and vigourous competitor like Apple is crucial to the long term strategic goals of Microsoft. Having Apple as a viable alternative keeps the regulators off of Microsoft. Even better, the switch to the Intel platform, which enabled Boot Camp and Parallels to do their thing, basically opens up the entire desktop and laptop market to MSFT. They don't care what hardware you run which puts them at a significant market advantage over Apple - which is essentially a hardware company that happens to sell an OS.
Happy to hear that Apple becomes more customer friendly
I am happy for the computer industry that Apple will be stopping arrogance like "all our products are rated 5-start", "you don't need help with a Mac" or "my sh.t does not smell". They used to publish critical security updates secretly under innocent names. A few years ago they published the critical buffer overflow in the words "with this update your browser can handle the URLs more efficiently". Bugs even severe ones are part of the process. Just accept it and try to make it better. Whichever company it is...
Happy to hear that Apple becomes more customer friendly
I am happy for the computer industry that Apple will be stopping arrogance like "all our products are rated 5-start", "you don't need help with a Mac" or "my sh.t does not smell". They used to publish critical security updates secretly under innocent names. A few years ago they published the critical buffer overflow in the words "with this update your browser can handle the URLs more efficiently". Bugs even severe ones are part of the process. Just accept it and try to make it better. Whichever company it is...
I'm not a multiplatform guru, so I was expecting a zip or EXE file for my WinXP machine--does the dgmg file go in the Quicktime folder in Program Files? Go ahead and flame....I can take it. Just so long as a correct answr accompanies the high-BTU comments.
DMG files dont go into any folders they are disk images .. a bit like you would know of bz2 files in some other *nixes. Most of users choose to expand them onto the desktop.
DMG are nice and easy since they are considered a volume by the machine .. you can see them in terminal as a subfolder of / Volumes/ part of your partition. Zip files etc are not considered disks they are just another folder.
As to the quicktime flaw .. this is a bit laughable .. ok first to get exposed to this flaw you have to be using a streaming service that service has to be infected to begin with and you would have to enable trust on that service for the flaw to run at all ...
General recommandation : dont use rstp from people you do not trust... there are very very few people using that technology save Apple.
A more worrysome bug is the Acrobat javascript vulnerability , i would recommend to turn off all javascript execution in this software and or use preview as your primary PDF reader.
How come when I run the software update check in my Quicktime 7.1.3.100 dated 9/1/2006 it says I have the most up to date version? The update link provided by CNET only shows a patch to the Mac version of Quicktime (dmg file).
Web giant is spending $120 million to beef up its Mountain View, Calif., headquarters, according to filings with the city reviewed by the San Jose Mercury News.
The Samsung Galaxy Mini 2 S6500 could make its debut at the Mobile World Congress in Barcelona later this month, according to a leaked promotional image.
MIT creates a simulation to celebrate the 50th anniversary of Spacewar. A relic of the early days of minicomputers, it was one of the first computer video games and set the stage for many others, including Asteroids.
Let the flaming begin!!!!!
They then opened their mouth and removed all doubt.
competition?
crucial to the long term strategic goals of Microsoft. Having Apple
as a viable alternative keeps the regulators off of Microsoft. Even
better, the switch to the Intel platform, which enabled Boot Camp
and Parallels to do their thing, basically opens up the entire
desktop and laptop market to MSFT. They don't care what hardware
you run which puts them at a significant market advantage over
Apple - which is essentially a hardware company that happens to
sell an OS.
Bugs even severe ones are part of the process. Just accept it and try to make it better. Whichever company it is...
Bugs even severe ones are part of the process. Just accept it and try to make it better. Whichever company it is...
+windows+not+patched&ie=UTF-8&oe=UTF-8
like you would know of bz2 files in some other *nixes. Most of
users choose to expand them onto the desktop.
DMG are nice and easy since they are considered a volume by
the machine .. you can see them in terminal as a subfolder of /
Volumes/ part of your partition. Zip files etc are not considered
disks they are just another folder.
As to the quicktime flaw .. this is a bit laughable .. ok first to get
exposed to this flaw you have to be using a streaming service
that service has to be infected to begin with and you would have
to enable trust on that service for the flaw to run at all ...
General recommandation : dont use rstp from people you do not
trust... there are very very few people using that technology save
Apple.
A more worrysome bug is the Acrobat javascript vulnerability , i
would recommend to turn off all javascript execution in this
software and or use preview as your primary PDF reader.
For that matter... with the exception of Oracle... I think everybody else has a much better track record than Microsoft!
Walt