Apple Repairs QuickTime Glitch, Closes Browser Exploit
By Scott M. Fulton, III | Published October 4, 2007, 2:24 PM
A security update released by Apple this morning for users of QuickTime for Windows appears to eradicate the exploitable hole discovered last month by GNUCitizen.org developer Petko D. Petkov.
That exploit enabled the Web browser to pass JavaScript code to the QuickTime plug-in, which then passed it back to Firefox when Firefox was the default Web browser. The code could then run unchecked, theoretically giving a malicious user almost total access to a client's system, including the file system and command line.
The 2.0.0.7 update to Firefox, released last week, closed a big part of the hole: Although QuickTime continued to trigger Firefox when it was the default Web browser, Firefox would not run the malicious JavaScript code.
Now, as BetaNews tests confirm, Apple's update shuts the other door: QuickTime no longer launches a Web browser when it encounters a filename that fits its accepted pattern (for instance, an MOV file) but doesn't actually exist.
A security bulletin on Apple's Web site fully acknowledged and explained the repaired deficiency. The security update only works on the most recent QuickTime 7.2 version.
It wouldn't update for me. Is it not relevant to the Pro version of QuickTime? It starts installing and then just seems to forget about it after the initial window.
Score: 0
And here come the "that's why I don't use Firefox" replies.
Score: 0
I was thinking more along the lines of "apple says it never has wiruses" lines
Score: 0
What's with the v/w thing? Are you turning into a wascawy wabbit?
Score: 0
That is why I DO use Firefox. This particular exploit was fixed within days of discovery, didn't require a reboot of my PC, and took seconds to apply.
Score: 0
QuickTime
iTunes
Get your updates this week! Prepare and test for next week's 'sploits!
Score: 0
oh noes! the sploits! im wulnerable! *dies*
Score: 0