<<< Date Index >>>     <<< Thread Index >>>

Re: iDefense Security Advisory 07.11.07: Apple QuickTime SMIL File Processing Integer Overflow Vulnerability



On July 11, 2007, iDefense Labs <labs-no-reply@xxxxxxxxxxxx> wrote:
>
> Apple QuickTime SMIL File Processing Integer Overflow Vulnerability
> 
[...]
> 
> Apple has released QuickTime 7.2 which resolves this issue. 

(And seven other security issues, six of which allow for remote code
execution.)

> More information is available via Apple's QuickTime Security Update page
> at the URL shown below.
> 
> http://docs.info.apple.com/article.html?artnum=305947

I think it's worth noting that Apple has *not* resolved the issues on
Windows 2000 -- they have apparently dropped support for that OS as of
QuickTime 7.2.  They now only mention support for Windows XP and Vista
(except on <http://www.apple.com/quicktime/player/faq.html>, which they seem
to have forgotten to update).

If you run Apple Software Update on a Win2K box, it'll lie and say "Your
software is up-to-date." even though you're missing QuickTime 7.2 and its
fixes for the eight severe security holes.

Also Apple is continuing to support iTunes on Windows 2000 -- iTunes 7.3.1
came out after QuickTime 7.2, and there's an explicit radio button to
download for Windows 2000 at <http://www.apple.com/itunes/download/>.  Not
too surprising, since ending support for iTunes on Windows 2000 would mean
cutting off a revenue stream, but since iTunes requires QuickTime to
function, this means that they're bundling QuickTime 7.1.6 for Windows 2000,
of course with no warning as to the known security holes you're placing on
your machine if you do that.

Windows 2000 users who need the ability to play QuickTime movies will have
to either upgrade to XP / Vista (QuickTime is the first major mainstream
application I'm aware of that's dropped security update support for Win2K),
disable the QuickTime browser plugins (and any automatic "helper app."
actions) so that merely visiting a malicious web page won't be enough to
expose onself to arbitrary code execution, or uninstall QuickTime and use
some third-party player that has partial QuickTime support, like VLC
(<http://www.videolan.org/vlc/>) or MPlayer (<http://www.mplayerhq.hu/>).

-- 
Dan Harkless
http://harkless.org/dan/