Run the Secunia inspection tool and you find that Steve Jobs doesn’t care about the security on your system because he doesn’t make it easy AT ALL to patch for a security issue with Quicktime…
This installation of Apple QuickTime 7.x is insecure and potentially exposes your system to security threats!
The detected version installed on your system is 22.214.171.124, however, the latest secure version released by the vendor, fixing one or more vulnerabilities, is 126.96.36.199.
Update to version 188.8.131.52 or later.
Currently, it is NOT possible to download a secure installation from the Apple.com download page. Therefore, in order to secure your installation you need to take the following steps:
Run the “Apple Software Update” application.
This application is normally installed together with Quicktime, if this is not the case, you will need to re-install Quicktime by downloading it from Apple.com again.
Select and install the available update called “Security Update 2007-1″.
If your “Apple Software Update” application is not up-to-date, then you will asked to update this first.
Read about the vulnerabilities fixed with this update in Secunia advisory SA23540 (opens in a new window). The Secunia advisory describes the vulnerabilities fixed by the latest security update. If your installation is outdated with more than one version, then more vulnerabilities may be covered.
Yes boys and girls… there’s an easy to get downloadable version for Mac machines… but for Windows… you need to install the insecure 7.1.3 and then go through the programs Software update tool to get the fixed bits. You cannot install directly a patched and fixed Quicktime version.
The only way I was able to get patched was to uninstall the Quicktime I had to reinstall with the software updater..when I went to install the 7.1.3 from the Apple web site, it said I had a newer version, yet Secunia indicated I was insecure. Launching Quicktime and having it look for updates inside the program itself indicated that it was up to date. Secunia was the only one insisting that I wasn’t up to date and in fact still had vulnerable parts on my machine. Again, the ONLY way I was able to Quicktime patched was to uninstall it completely, install a vulnerable version and THEN update it by launching the separate software updater tool.
Look for that Icon in your program listing and ensure you launch that to install the update.
From the Apple bug project… The only potential workaround would be to disable the rtsp:// URL handler, uninstalling Quicktime or simply live with the feeling of being a potential target for pwnage
Unbelievable…. nice one Mr. Jobs…thanks for caring so much for my security…
P.S. … okay okay yeah… I know that the headline is a cheap shot… and I’m sorry about that but come on…. the way one has to get patched for this is unreal… the updater program is just “out there” on the menu bar. If you are an admin you have to follow Eric Schultz’s hackup way to get the patch as he discussed on www.patchmanagement.org, if you are a normal end user who opted to not install the updater program, you won’t get patched and it then requires admin rights….I don’t know which is worse… Microsoft’s patch SVCHOST.exe issues or Apple’s requiring us to go through hoops for this one….obviously having an unpatched vulnerability still on your machine that can be nailed “from remote” is a lot worse that CPU issues that do have patches and workarounds.