
Quicktime/iTunes vulnerability given 10/10 danger rating: Win and Mac



  • Members

http://www.informationweek.com/news/showArticle.jhtml;jsessionid=WFMAULJA5RVPIQSNDLRSKHSCJUNN2JVN?articleID=199203215

 

 

Apple Fixes 'Highly Critical' QuickTime Bug


Researchers say now that a fix is out for the vulnerability, they expect hackers will use it to reverse engineer the flaw and quickly create an exploit.

By


May 2, 2007 10:39 AM


Apple released a new version of QuickTime that fixes a "highly critical" vulnerability, but now that the fix is out, security researchers say, an exploit is likely to follow close on its heels.

The version update, which is for both the Mac OS X and Windows, plugs a hole that could open up the millions of people on their desktops and laptops. QuickTime is Apple's technology. The iPod uses the iTunes media player, which people run on their PCs and Macs. iTunes, in turn, uses QuickTime.

The U.S.-CERT gave the vulnerability a 10 out of 10 points in its risk-rating scale. Researchers are recommending that users get the update as soon as possible.

The vulnerability is caused by an error in the way Apple QuickTime handles Java. The noted that the flaw may allow reading or writing out of the bounds of the allocated heap. The bug can be exploited if a user visits a malicious Web site, running a Java-enabled browser. Researchers said that includes Microsoft's Internet Explorer, along with Mozilla's Firefox and Apple's Safari browser. The flaw also affects Windows Vista through Internet Explorer 7.

Dmitri Alperovitch, principal research scientist at Secure Computing, said the bug also could be exploited through e-mail, either through links to malicious Web sites or by using code in the e-mail that will trigger QuickTime to launch.

According to Apple's advisory, the QuickTime Version 7.1.6 update addresses the flaw by performing additional bounds checking when creating QTPointerRef objects.

"No exploits have yet come out for this but I would expect some in the next day or two," said Dmitri Alperovitch, a principal research scientist at Secure Computing, in an interview with InformationWeek. "By comparing the code in the fix to the vulnerable version, they can identify the flawed code. I wouldn't expect many users in the next day or two to upgrade, so there will still be a huge population that's vulnerable so exploit writers will have a huge field to target."
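The fix the article describes (bounds checking when a pointer-reference object is created, without which later accesses read or write outside the allocated heap) modelled in C as an added example; this is not QuickTime's or Apple's code, and HeapBlock, PointerRef and the function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of a "pointer reference" into a heap block; HeapBlock and
 * PointerRef are assumed names for illustration, not QuickTime's API. */
typedef struct { unsigned char *base; size_t size; } HeapBlock;  /* allocation */
typedef struct { unsigned char *ptr;  size_t len;  } PointerRef; /* sub-range  */

/* Before: the caller's offset and length are trusted. A range that runs past
 * the block still yields a ref, and every later access through it lands
 * outside the allocation. */
bool make_ref_unchecked(const HeapBlock *blk, size_t off, size_t len, PointerRef *out) {
    out->ptr = blk->base + off;
    out->len = len;
    return true;
}

/* After: only a range that lies entirely inside the block is accepted. Two
 * comparisons instead of "off + len <= size", which wraps around and is passed
 * by off = 8, len = SIZE_MAX. */
bool make_ref_checked(const HeapBlock *blk, size_t off, size_t len, PointerRef *out) {
    if (blk == NULL || blk->base == NULL || out == NULL) return false;
    if (off > blk->size || len > blk->size - off) return false;
    out->ptr = blk->base + off;
    out->len = len;
    return true;
}

/* Accesses through a ref are checked only against the ref's own len, which is
 * why the bound has to be enforced when the ref is created. */
bool ref_read(const PointerRef *r, size_t i, unsigned char *out) {
    if (i >= r->len) return false;
    *out = r->ptr[i];
    return true;
}
/* Does the ref stay inside [base, base + size)? */
bool ref_in_bounds(const HeapBlock *blk, const PointerRef *r) {
    uintptr_t b = (uintptr_t)blk->base, e = b + blk->size, p = (uintptr_t)r->ptr;
    return p >= b && p <= e && r->len <= e - p;
}

/* Constructed 64-byte block and a scratch ref for the stand-alone run. */
static unsigned char g_buf[64];
static const HeapBlock g_blk = { g_buf, sizeof g_buf };
static PointerRef g_ref;

int main(void) {
    make_ref_unchecked(&g_blk, 60, 16, &g_ref);  /* 60 + 16 > 64 */
    printf("unchecked ref in bounds: %d\n", ref_in_bounds(&g_blk, &g_ref));
    printf("checked ref accepted:    %d\n", make_ref_checked(&g_blk, 60, 16, &g_ref));
    return 0;
}
```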

 

  • Members

You think you hate Quicktime.

 

I BOUGHT, paid for, and registered QuickTime Pro 6.5 (my digi cam outputs vid in QT mov format).

 

When Mac friends kept sending me Mp4/AACs I'd click on them, QT Pro would load and then not play the media. I'd check for updates to QT Pro and would be told everything was up to date.

 

It was driving me crazy.

 

Finally, I went out on the web and realized there was a whole new, ordinal version of QT Pro, QTP 7 -- even though the QTP updater didn't bother to mention it!

 

And I quickly figured out Apple expected me to buy the update to it to get the new codecs!

 

So, dutiful consumer that I am, I went to Apple's site to buy my update...

 

... BUT they wanted FULL RETAIL price with no "update/upgrade discount" whatsoever.

 

I was literally dumbfounded. (Not easy to do, even momentarily. You can imagine.)

 

At that point I decided I needed to find an alternative. I tried Quicktime Alternative but couldn't get it to work with Mp4 type files.

 

But then I discovered the FREE VLC player which defecates all over QTP (and a number of other players like WMP) and was... you know... free and up to date.

 

 

Anyhow, I just checked my version of QTP 6.5 and -- yep -- just as I expected, it says "Your Quicktime software is up to date."

 

Jerks.


  • Members

"Terri Forslof, manager of security response with security company TippingPoint, said in an interview that she's impressed Apple could build, test, and release a fix for the flaw so quickly. According to the Zero Day Initiative, the flaw was reported to Apple on April 23, just a little more than a week before the update was released to the public on May 1.

 

"They really stepped up, turned the screws down and got that thing out the door," said Forslof. "Responding so quickly to this shows that they really do take security seriously. They communicated with us the whole time."

 

Forslof also said researchers at TippingPoint are on watch for an exploit to be released. "Because it is QuickTime and it is so ubiquitous, I'd say there's a lot of interest in figuring this out and exploiting it."

 

The new QuickTime version will be delivered automatically through Software Update, but users also can manually download and install it from this Web site.

 

Apple credited researchers Dino Dai Zovi for working with TippingPoint and the Zero Day Initiative for reporting this issue."

 

Those evil bastards!


  • Members

"Terri Forslof, manager of security response with security company TippingPoint, said in an interview that she's impressed Apple could build, test, and release a fix for the flaw so quickly. According to the Zero Day Initiative, the flaw was reported to Apple on April 23, just a little more than a week before the update was released to the public on May 1.


"They really stepped up, turned the screws down and got that thing out the door," said Forslof. "Responding so quickly to this shows that they really do take security seriously. They communicated with us the whole time."


Forslof also said researchers at TippingPoint are on watch for an exploit to be released. "Because it is QuickTime and it is so ubiquitous, I'd say there's a lot of interest in figuring this out and exploiting it."


The new QuickTime version will be delivered automatically through Software Update, but users also can manually download and install it from this Web site.


Apple credited researchers Dino Dai Zovi for working with TippingPoint and the Zero Day Initiative for reporting this issue."


Those evil bastards!

 

No, no. Good for them for stepping up for QT free users (and presumably users of QTPro 7). And for the LEGION of iTunes users.

 

I wish I could get security updates for the fully paid-for, registered copy of QuickTime Pro 6.5 I own... WITHOUT having to pay the full retail price of QT Pro 7 (just as though I were a first time buyer).

 

But, no, that apparently is not to be...

 

I guess I just have unreasonable expectations about how things should be.

 

I don't usually think of myself as a spoiled, pampered Windows user. :D


  • Members

Same thing happened to me with QTpro... except I could no longer install the QTpro that I owned. The Mac just said, no... you have a later version installed, even when I deinstalled it... I still couldn't load up the older version I needed to have run for a project.

 

{censored} apple and their "upgrades"


  • Members

 

I don't know if it will fix your problem, Blue, but try flip4mac. It's free and allows quicktime to play most anything. Works for me anyway.


Steve

 

 

Thanks for the suggestion, Steve but... well... I live on the dark side. (In Windows-land.)

 

Actually, I'd be in fine shape -- IF I could talk QuickTime Pro 6.5 out of resetting my media types in Firefox when it runs. I HATE it when it resets itself (or the QT FF plug-in more to the point) as the default MIME TYPE handler for mp3 files -- which, as far as I can tell -- puts me right back at risk from attempts to exploit this unfixed flaw.

 

(QTP also re-inserts itself into my boot profile despite the fact I keep pulling it back out. It is a thoroughly annoying little program. But -- give the devil its due -- it is quite light on its feet as a simple, utility video editor. I will, indeed, give them that.)


  • Members

That's another PITA about QT [its insistence on booting at startup]; iTunes is worse even with its half dozen processes it needs to have running all the time, and if you kill them, you create an unstable machine. It's some cruel joke for XP users. I HAVE to have QT on my machine [unfortunately] but not iTunes... even though QT keeps wanting me to install it.


  • Members

 

but not iTunes... even though QT keeps wanting me to install it.

 

 

QT and iTunes on XP... trying to uninstall this stuff is a nightmare. I had registry keys and other QT junk that kept coming back from the dead every time I thought I'd finally got it all. I literally ripped it out of the registry and prayed....

 

I found a really old version of iTunes I wouldn't mind using because it IS a nice MP3 player (I still have it on my Mac) but I don't think I'll install it. On XP, WMP is a model citizen by comparison.


  • Members

Yeah... I don't think there's any reason to start dumping on the Mac in this thread.

 

This is one small (but momentarily important) issue (that affects iTunes/QTime users on both major platforms).

 

And -- as noted earlier - Apple got the fix out pretty quickly.

 

(I've got my own quarrel with them over their QTPro upgrade policy and the lack of a fix for my just-previous, paid-for version and the necessity to pay full price for an update but I guess I should have explored Apple's upgrade policies before I bought. I'd just never heard of a program where they wanted you to pay full price to go from, in my case, 6.5 to 7, simply in order to get a crucial security fix. But I'm willing to address that as a separate issue. Admittedly, it does make me disinclined to ever do business with Apple again. But that's my problem, I guess. Others have no problems with that sort of thing. They're more generous souls than I, I guess.)

 

 

Anyhow -- while I recognize that my first comments may have set a critical tone about QuickTime Pro -- and I think we can stipulate that MANY of us have strong feelings, pro and con, about a LOT of computer platform issues that are worthy of discussion -- rather than let this descend further into some kind of slagfest, maybe we can see if we can't focus on the Quicktime/iTunes security issue...


  • Members

No, no. Good for them for stepping up for QT free users (and presumably users of QTPro 7). And for the LEGION of iTunes users.

I wish I could get security updates for the fully paid-for, registered copy of QuickTime Pro 6.5 I own... WITHOUT having to pay the full retail price of QT Pro 7 (just as though I were a first time buyer).

But, no, that apparently is not to be...

I guess I just have unreasonable expectations about how things should be.

I don't usually think of myself as a spoiled, pampered Windows user. :D

 

I've not seen any mention of that version with regard to the security patches. If QT Pro 6.5's Java plug-in is indeed affected, I totally agree they should patch it free.

 

QT7 has features and codecs that 6.5 didn't have. Is that worth full retail price - $29.99 - to you? If not, don't use it and don't buy cameras and stuff that are dependent on it. You'll be happier.


  • Members

Yeah... this vulnerability does affect previous versions of QT.

 

 

But, hey, thanks for the advice!

 

I'm a big believer in the whole caveat emptor notion -- and I did know in advance the output of the cam was .mov. But I got swayed by this guy who went on and on about what a great video editor QTP was ( :rolleyes: )... and, like I said, it is light on its feet, I will give it that.

 

If I can just keep it from reinserting itself into my boot profile and resetting some of my associations when I use it. Last time I had to go into the registry to get rid of it. And -- of course -- that is the real fear -- since when I disconnect QT from Firefox, QTP seems to change my settings back.* AND, of course, that will continue to subject me to the direct risk of this vulnerability -- which for me -- remains unfixed.

 

[UPDATE: OK, I turned off Java in Firefox (that should be a treat but I used to always run with it off). I went through FF and reset all the QT associations to VLC again. We'll see if it sticks. And -- BTW -- *it may actually be those way-too-frequent (OK, we need them, I know) Firefox updates that are switching me back -- not sure which; maybe both. Let's see what happens this time.]

 

 

But I'll remember your advice next time...

 

I will absolutely remember how Apple treated me as a QT Pro customer. Don't worry about that.

 

 

[That said, let me just hasten to say that I think, overall, Apple does a much better job of serving their customers in general than they have here with QTP. The ubiquity of the iPod seems to support that notion and the continued vitality of the American Mac market shows they have their loyal computer users, as well. But, well, you know, I'm still going to remember how they treated me on the one product I've bought from them. It's the only direct experience base with them that I have.]


  • Members

I'm with Jeff.

 

I think there are plenty of good reasons why someone might prefer one platform over another. And I think some of us will clearly never be entirely comfortable with the "wrong" platform for us.

 

I, for instance, have great admiration for many aspects of the Mac platform and think (as I think I said above) Apple has much to teach the rest of the industry about some aspects of packaging the computer experience.

 

But for many of the same reasons I'm very uncomfortable in my "dependency" on Microsoft, I would be even more so if my hardware AND my software came from a single company, whether that company was MS, Dell, Apple, HP, or anyone else.

 

But those are my concerns; obviously many other entirely sensible, knowledgeable power users have managed to accommodate such a unitary relationship.

 

EMV


  • Members

 

Yeah... I don't think there's any reason to start dumping on the Mac in this thread.

This is one small (but momentarily important) issue (that affects iTunes/QTime users on both major platforms).

And -- as noted earlier - Apple got the fix out pretty quickly.

(I've got my own quarrel with them over their QTPro upgrade policy and the lack of a fix for my just-previous, paid-for version and the necessity to pay full price for an update but I guess I should have explored Apple's upgrade policies before I bought. I'd just never heard of a program where they wanted you to pay full price to go from, in my case, 6.5 to 7, simply in order to get a crucial security fix. But I'm willing to address that as a separate issue. Admittedly, it does make me disinclined to ever do business with Apple again. But that's my problem, I guess. Others have no problems with that sort of thing. They're more generous souls than I, I guess.)

Anyhow -- while I recognize that my first comments may have set a critical tone about QuickTime Pro -- and I think we can stipulate that MANY of us have strong feelings, pro and con, about a LOT of computer platform issues that are worthy of discussion -- rather than let this descend further into some kind of slagfest, maybe we can see if we can't focus on the Quicktime/iTunes security issue...

 

Yo! Get over yourself.

 

Quicktime is the {censored}.

 

Pay the 15 bucks or 25 bucks for the damn upgrade and grow the fk up.

 

I stumbled onto this and can't believe such an ignorant flame about a nothing problem.

 

Newsflash all software has flaws. Hellloooooo. So this flaw is made known, Apple makes a fix and life goes on. BFD. Then there's these Apple haters or PC haters or whatever haters who just start jumpin up and down with glee the second someone makes known something they can blow up for their own dumbass reasons. It's like they decided the computer they don't use is their sworn enemy and they're on some mission to do battle with it which has more to do with other kids makin fun of them in third grade than it has to do with the damn computer platform itself.

 

And then you hold on to some upgrade cost that you don't think you should have paid for that's probably less money than you spent for dinner last night and that's enough to fuel your computer hatred of Apple for the next 50 years!!! Get Over Yourself. !!!

 

Some people are just insane even though they're trying to pretend all they're doing is being reasonable critics. Yeah right this is all about your concern for a security flaw that newsflash number 2 has not hurt a damn person and is fixed. Next.

 

Well. Now that you're about to tell me how stupid I am I will go back to using my lovely Apple computer and Apple QuickTime which works just fine and you can go back to hating Apple because your copy of QuickTime which Apple spent millions developing didn't come with a free lollipop or whatever it is that made you so mad.

 

You know what you are: you are a computer racist, plain and simple.

 

Now back to your regularly scheduled hating.


  • Members

Ooh.

 

I've just been shot down. By a guy with two posts. (Or a guy who created a whole new identity just to give me both barrels of his thoughts on the matter quasi-anonymously. Which is, cynic that I am, what I suspect. Heck, I even have a pretty good idea who I think it is.)

 

I just don't know how I'm ever going to get over this...

 

:D;):D

 

 

BTW... last time I checked the "update" was full price, about $30 for version 7. There appears to be no fix for my 6.5 version. And my dinner last night cost under 2 dollars. So, you know... Same to you, buddy!


This topic is now archived and is closed to further replies.

