US CERT - Security Alert TA08-162C -- Apple Quicktime Updates for Multiple Vulnerabilities



-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

National Cyber Alert System

 

Technical Cyber Security Alert TA08-162C

 

 

Apple Quicktime Updates for Multiple Vulnerabilities

 

Original release date: June 10, 2008

Last revised: --

Source: US-CERT

 

 

Systems Affected

 

* Apple Mac OS X running versions of QuickTime prior to 7.5

* Microsoft Windows running versions of QuickTime prior to 7.5

 

 

Overview

 

Apple QuickTime contains multiple vulnerabilities as described in the Apple Knowledgebase article HT1991. Exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code or cause a denial-of-service condition.

 

 

I. Description

 

Apple QuickTime prior to version 7.5 has multiple image and media file handling vulnerabilities. An attacker could exploit these vulnerabilities by convincing a user to access a specially crafted image or media file that could be hosted on a web page. Apple QuickTime 7.5 addresses these vulnerabilities.

 

Note that Apple iTunes for Windows installs QuickTime, so any system with iTunes may be vulnerable.

 

 

II. Impact

 

These vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial-of-service condition. For further information, please see Apple knowledgebase article HT1991 about the security content of QuickTime 7.5.

 

 

III. Solution

 

Upgrade QuickTime

 

Upgrade to QuickTime 7.5. This and other updates for Mac OS X are available via Apple Update.

 

Secure your web browser

 

To help mitigate these and other vulnerabilities that can be exploited via a web browser, refer to Securing Your Web Browser.

 

 

IV. References

 

* About the security content of the QuickTime 7.5 Update - <http://support.apple.com/kb/HT1991>

* How to tell if Software Update for Windows is working correctly when no updates are available - <http://docs.info.apple.com/article.html?artnum=304263>

* Apple - QuickTime - Download - <http://www.apple.com/quicktime/download/>

* Mac OS X: Updating your software - <http://docs.info.apple.com/article.html?artnum=106704>

* Securing Your Web Browser - <http://www.us-cert.gov/reading_room/securing_browser/>

* US-CERT Vulnerability Notes for QuickTime 7.5 - <http://www.kb.cert.org/vuls/byid?searchview&query=apple_quicktime_7.5>

 

____________________________________________________________________

 

The most recent version of this document can be found at:

 

<http://www.us-cert.gov/cas/techalerts/TA08-162C.html>

____________________________________________________________________

 

Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA08-162C Feedback VU#132419" in the subject.

____________________________________________________________________

 

For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>.

____________________________________________________________________

 

Produced 2008 by US-CERT, a government organization.

 

Terms of use:

 

<http://www.us-cert.gov/legal.html>

____________________________________________________________________

 

 

Revision History

 

June 10, 2008: Initial release

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.5 (GNU/Linux)

 


-----END PGP SIGNATURE-----

Guest Sunny
Posted

Re: US CERT - Security Alert TA08-162C -- Apple Quicktime Updates for Multiple Vulnerabilities

 


 

 

"MEB" <meb@not here@hotmail.com> wrote in message

news:O35Lrp4yIHA.4376@TK2MSFTNGP06.phx.gbl...

| -----BEGIN PGP SIGNED MESSAGE-----

<snip>

What is the rationale for PGP signed posts on a public news group?

(I was under the impression it was for e-mails between individuals)

Guest Ingeborg
Posted

Re: US CERT - Security Alert TA08-162C -- Apple Quicktime Updates for Multiple Vulnerabilities

 


 

Sunny wrote:

>

> "MEB" <meb@not here@hotmail.com> wrote in message

> news:O35Lrp4yIHA.4376@TK2MSFTNGP06.phx.gbl...

>| -----BEGIN PGP SIGNED MESSAGE-----

> <snip>

> What is the rationale for PGP signed posts on a public news group?

> (I was under the impression it was for e-mails between individuals)

>

>

 

The sign gives you the opportunity to check if the poster is who he claims to be.

Guest Gary S. Terhune
Posted

Re: US CERT - Security Alert TA08-162C -- Apple Quicktime Updates for Multiple Vulnerabilities

 


 

FYI, the last version of QT that will install on Windows 9x is 6.5.2.

 

Wonder how long it will take for them to find new problems with QT 7.5 and, more importantly, SNMPv3 after it's patched. Point is that ALL software has bugs, and, apparently, all software has security vulnerabilities. It's a game to stay ahead of the hackers, and it would seem that no OS or application is immune.

 

I say all good and responsible computer users throw their machines into the dumpster. They're just too unsafe.

 

--

Gary S. Terhune

MS-MVP Shell/User

http://grystmill.com

 

"MEB" <meb@not here@hotmail.com> wrote in message

news:O35Lrp4yIHA.4376@TK2MSFTNGP06.phx.gbl...

> -----BEGIN PGP SIGNED MESSAGE-----


Guest David H. Lipman
Posted

Re: US CERT - Security Alert TA08-162C -- Apple Quicktime Updates for Multiple Vulnerabilities

 


 

From: "MEB" <meb@not here@hotmail.com>

 

| -----BEGIN PGP SIGNED MESSAGE-----


 

And Apple hasn't supported QuickTime on Win9x/ME for quite a while.

 

The *only* solution is to REMOVE QuickTime!

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest David H. Lipman
Posted

Re: US CERT - Security Alert TA08-162C -- Apple Quicktime Updates for Multiple Vulnerabilities

 


 

From: "Ingeborg" <a@b.invalid>

 

 

| The sign gives you the opportunity to check if the poster is who he claims

| to be.

 

Except the PGP signing is by the US CERT, not by MEB.

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
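
The point made in the two replies above (a clearsigned message names its signer, and here the signer is US-CERT rather than the person who reposted it), as an added example that is not part of the thread. It parses the cleartext-signature framing, reads the issuer key ID from the signature packet and runs the two-octet digest quick check; the sample message, key ID and poster address are constructed, and only old-format version 3 signature packets (RFC 4880) are handled.

```python
import base64, hashlib, struct

HASHES = {1: "md5", 2: "sha1", 8: "sha256"}    # OpenPGP hash algorithm IDs

def canonical(lines):
    """Bytes that get hashed: undo dash-escaping, drop trailing blanks, CRLF line ends."""
    plain = [l[2:] if l.startswith("- ") else l for l in lines]
    return "\r\n".join(l.rstrip(" \t") for l in plain).encode("utf-8")

def parse_clearsigned(msg):
    """Return (canonical signed text, raw signature packet); ValueError if framing is broken."""
    lines = msg.splitlines()
    start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
    sig = lines.index("-----BEGIN PGP SIGNATURE-----")
    end = lines.index("-----END PGP SIGNATURE-----")
    body = lines.index("", start) + 1           # blank line ends the "Hash:" headers
    data = lines.index("", sig) + 1             # blank line ends "Version:" and similar
    b64 = "".join(l for l in lines[data:end] if not l.startswith("="))  # skip CRC line
    return canonical(lines[body:sig]), base64.b64decode(b64)

def signature_info(pkt):
    """Decode an old-format, version 3 signature packet (other layouts are rejected)."""
    if len(pkt) < 22 or pkt[0] != 0x89 or pkt[3] != 3 or pkt[4] != 5:
        raise ValueError("unsupported signature packet")
    created, keyid, _pubkey_alg, hash_alg = struct.unpack(">I8sBB", pkt[6:20])
    if hash_alg not in HASHES:
        raise ValueError("unsupported hash algorithm")
    return {"issuer": keyid.hex().upper(), "created": created,
            "hash": HASHES[hash_alg],
            "trailer": pkt[5:10],                # sig type + creation time, hashed after the text
            "left16": pkt[20:22]}                # first two octets of the expected digest

def quick_check(msg):
    """Return (issuer key ID, digest prefix matches). Not a signature verification."""
    try:
        text, pkt = parse_clearsigned(msg)
        info = signature_info(pkt)
    except ValueError:
        return None, False
    digest = hashlib.new(info["hash"], text + info["trailer"]).digest()
    return info["issuer"], digest[:2] == info["left16"]

def make_sample(text_lines, keyid="0123456789ABCDEF", created=1213056000):
    """CONSTRUCTED message: made-up key ID and poster, filler instead of a real RSA value."""
    trailer = b"\x01" + struct.pack(">I", created)        # 0x01 = canonical text signature
    left16 = hashlib.sha1(canonical(text_lines) + trailer).digest()[:2]
    body = (b"\x03\x05" + trailer + bytes.fromhex(keyid) + b"\x01\x02"  # RSA, SHA-1
            + left16 + b"\x00\x08\xff")                    # one dummy 8-bit MPI
    pkt = b"\x89" + struct.pack(">H", len(body)) + body
    escaped = ["- " + l if l.startswith("-") else l for l in text_lines]
    return "\n".join(["From: reposter@example.invalid", "",
                      "-----BEGIN PGP SIGNED MESSAGE-----", "Hash: SHA1", "",
                      *escaped,
                      "-----BEGIN PGP SIGNATURE-----", "",
                      base64.b64encode(pkt).decode(),
                      "-----END PGP SIGNATURE-----"])

SAMPLE = make_sample(["Security alert (constructed sample text)", "",
                      "Upgrade to QuickTime 7.5.", "-- end of sample --"])

if __name__ == "__main__":
    quoted = "\n".join("| " + l for l in SAMPLE.splitlines())
    print(quick_check(SAMPLE))                              # intact copy
    print(quick_check(SAMPLE.replace("7.5.", "7.5.   ")))   # trailing blanks are ignored
    print(quick_check(SAMPLE.replace("7.5", "7.4")))        # altered text
    print(quick_check(quoted))                              # reply-quoted copy
```

The issuer comes from the signature packet and never from the `From:` line, and a matching digest prefix only shows the text was not mangled in transit. Authenticity still requires checking the signature against the signer's public key, for example with `gpg --verify`.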

Guest David H. Lipman
Posted

Re: US CERT - Security Alert TA08-162C -- Apple Quicktime Updates for Multiple Vulnerabilities

 


 

From: "Gary S. Terhune" <none>

 

| FYI, the last version of QT that will install on Windows 9x is 6.5.2.

|

| Wonder how long it will take for them to find new problems with QT 7.5 and,

| more importantly, SNMPv3 after it's patched. Point is that ALL software has

| bugs, and, apparently, all software has security vulnerabilities. It's a

| game to stay ahead of the hackers, and it would seem that no OS or

| application is immune.

|

| I say all good and responsible computer users throw their machines into the

| dumpster. They're just too unsafe.

|

 

:-)

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Posted

Re: US CERT - Security Alert TA08-162C -- Apple Quicktime Updates for Multiple Vulnerabilities

 


 

Oh I agree, and that is what I have been advising... but these are for those still using it... each time is a NEW vulnerability.. and for the dual booters..

There was an alternative posted in one of these discussions.

 

--

MEB

http://peoplescounsel.orgfree.com

--

_________

 

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message

news:e7N10%23Y0IHA.4500@TK2MSFTNGP03.phx.gbl...

| From: "MEB" <meb@not here@hotmail.com>

|

| | -----BEGIN PGP SIGNED MESSAGE-----


|

| And Apple hasn't supported QuickTime on Win9x/ME for quite a while.

|

| The *only* solution is to REMOVE QuickTime!

|

| --

| Dave

| http://www.claymania.com/removal-trojan-adware.html

| Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

|

|

