Focus on Apple
Question on recent Quicktime updates Jun 04 2007 04:30PM
Tom Yarrish (tom yarrish com) (2 replies)
RE: Question on recent Quicktime updates Jun 05 2007 05:29PM
Dixon, Wayne (wcdixo aurora lib il us)
Re: Question on recent Quicktime updates Jun 05 2007 12:35AM
Sûnnet Beskerming (info beskerming com)
Hi Tom,

Short answer - Yes.

Long answer - Yes, you are vulnerable if you are still running on the
QuickTime 6.x codebase. If you look at the MOAB list, the very first
vulnerability (http://projects.info-pull.com/moab/MOAB-01-01-2007.html)
was an issue affecting the rtsp handler. While
the described vulnerability was for version 7 it should be backwards
compatible to version 6. There are also arbitrary code execution
vulnerabilities floating around for .mp4 and .mov file handling in
all versions of QuickTime (still unpatched in QuickTime 7.x), if you
know where to look.

In the end, it comes down to acceptable risk management - you don't
have to upgrade, but you do have to be aware that a lot of the
vulnerabilities being patched in version 7 are more than likely going
to exist in version 6.

On 05/06/2007, at 2:00 AM, Tom Yarrish wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hey all,
> I've done some looking around on Apple's site and on Google, but I
> haven't been able to find a direct answer for this.
>
> Our company is currently running the Windows version of QuickTime
> (6.5.x series). I've been asked if we need to update our version
> in light of the last few updates for 7.x. I've tried to see if any
> of the recent 7.x vulnerabilities affect the 6.5.x client, but have
> been unsuccessful.
> So my question that I'm throwing out here to the group is whether
> or not we need to look into upgrading to 7.x from a vulnerability
> perspective (ignoring any new features that you get from 7.x) or
> are we fine with the 6.5.x series for now. I'm not saying we won't
> eventually upgrade to 7.x, but I'm wondering if it's something we
> need to do immediately because we're vulnerable.
>
> Thanks ahead of time....
>
> Tom
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (Darwin)
>
> iD8DBQFGZD4WZWzkfeDiTw4RAsGzAJ9HTqmPsCa0bbtwls1ajzJpjdvBWgCeI5uP
> ZOspqwxUQOSzD2un0/4BNJY=
> =1uEp
> -----END PGP SIGNATURE-----

Carl

Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com

Copyright 2010, SecurityFocus