NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA List Master
NRT-0408 New QuickTime Bug:
A security researcher revealed new and unpatched bugs in the Windows version of Apple's QuickTime,
just a week after the company plugged a hole known for nearly a month. The researcher posted
details of vulnerabilities in five functions of a QuickTime ActiveX control to the Full Disclosure
security mailing list, along with proof-of-concept exploit code. He said the attack code works
against the newest edition, 7.4.1, which Apple issued only last week to patch a flaw in the
player's handling of the Real-Time Streaming Protocol (RTSP). Because the vulnerabilities are in
an ActiveX control, the Microsoft technology most commonly used in Internet Explorer (IE)
plug-ins, only Windows users are at risk. QuickTime is very common on that platform, however,
since it is installed alongside Apple's popular iTunes music software. Apple did not respond to
questions about whether it would confirm the vulnerabilities in QuickTime's ActiveX control and
when it would fix the flaws.
(ComputerWorld 13FEB08)