Webware

In addition to providing full-screen viewing and various iPhone options, the latest version of QuickTime 7.2 includes eight important security fixes. This update affects users of Mac OS X v10.3.9, Mac OS X v10.4.9, as well as users of Windows XP and Windows Vista. The QuickTime update is available from Apple's Software Download for both Mac OS X and Windows users.

QuickTime H.264 movie files
This patch affects users of Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista, and XP SP2 and addresses the vulnerability in CVE-2007-2295. When viewing a maliciously crafted H.264 movie, an attack may produce an unexpected application termination or arbitrary code execution. Apple credits Tom Ferris of Security-Protocols.com, and Matt Slot of Ambrosia Software, Inc. for reporting this issue.

... Read more

HeyCast is a new service from the folks that made HeyWatch [review], the online video conversion service. It lets you grab videos from popular hosting sites such as YouTube, Google Video, and Apple's Quicktime movie trailers site, and clump them together into a handy RSS feed you or anyone else can subscribe to in iTunes or other feed readers. The feed isn't just your standard RSS though--HeyCast grabs the Flash videos, converts them, and makes them available for offline viewing on your computer or portable devices.

I gave it a go this morning and came across a few hiccups. My main qualm is that HeyCast seems designed to be incredibly restrictive to novice users who want to use it for free. Since the service grabs these Web videos and converts them into iPod-friendly MP4 video files, it requires users to purchase encoding credits from sister-product HeyWatch. Users also need a place to host the files, which requires them to have their own FTP server or an account with Amazon.com's S3 Web storage service. If you don't have access to either of these, you're limited to just five videos that get capped off at one minute each.

I love the idea of letting people make their own podcast feeds using various Web video content, although HeyCast makes it a little harder than it should be. On a publishing level, simpler solutions can be had setting up something short and sweet with Tumblr, or creating a full-fledged blog with services such as Blogger or WordPress.com. For full-fledged media aggregation and distribution like what HeyCast is attempting to offer, simple solutions don't seem readily available--yet.

HeyCast RSS feeds can be viewed as video microblogs, or subscribed to in iTunes or other RSS subscription services.

(Credit: HeyCast.com)

Today, Apple released a security update for Quicktime 7.1.6, further removing a vulnerability first used by a security researcher in April to win $10,000 and a new Macbook in the "PWN 2 0WN" contest at CanSecWest 2007. This security update complements an earlier bug patch for Quicktime 7.1.6 released by Apple on May 1, 2007. The 1.1Mb Windows Quicktime 7.1.6 update affects users of Windows 2000 SP4, and Windows XP SP2. The 1.4 Mb Mac Quicktime 7.1.6 update affects users of Mac OS X v10.3.9 and Mac OS X v10.4.9.

The vulnerability, as reported in CVE-2007-2175, allows attackers to entice users to a Web site with a maliciously coded Java applet and then run attack code on a compromised machine. The Apple security update places further parameter limitations on QTPointerRef objects in Apple Quicktime Java extensions within the Safari and Firefox browsers, denying these types of attacks. Apple credits security researcher Dino Dai Zovi, working with TippingPoint and the Zero Day Initiative, for his help in resolving this issue.