New QuickTime Player Fixes 3 Security Flaws

Apple has issued an update to its QuickTime media player software to plug at least three security holes, including one that cyber criminals already are using to break into vulnerable systems.

The new version, QuickTime 7.3.1, is available for Mac and Windows. Mac users can grab the update via the built-in Software Update feature. Windows users who have QuickTime already installed can get the fixes using the Apple Software Update program that ships with QuickTime.

By Brian Krebs  |  December 14, 2007; 10:18 AM ET
Categories:  New Patches  


Brian - are the security holes being exploited in Macs as well as Windows PCs? I would assume not, but thought I'd check for sure.

Posted by: Silver Spring, MD | December 14, 2007 10:46 AM | Report abuse

Silver Spring, yes this affects Mac as well. I love how Mac users have the default attitude that an Apple problem doesn't affect their precious Mac.

And Apple! It is about $%!$%@ time you patched this!

Posted by: D | December 14, 2007 11:41 AM | Report abuse

The Apple Software Update program for Windows never seems to function properly--even mine said all software was up-to-date. Apple software for Windows is starting to become more frustrating than MS: many irregular updates with often malfunctioning updating software!

BK, love the blog.

Posted by: Anonymous | December 14, 2007 4:31 PM | Report abuse

If anyone else is unable to download QuickTime Player version 7.3.1 for Windows directly from the Apple site, here are alternative download sites:

Posted by: Mark Odell | December 14, 2007 11:29 PM | Report abuse

QT is the most dangerous software ever made!

Posted by: Steveballmer | December 15, 2007 1:24 AM | Report abuse


Posted by: jill | December 15, 2007 1:28 AM | Report abuse

Mark O., in his earlier post on alternative download sites for the update (thanks!), didn't say what problems he encountered downloading direct from Apple.

There is one problem that folks may have if they try to download the update on a machine different from the one on which it is to be installed. Apple has one of those too-clever-by-half sites that looks at the "user agent" string that the browser returns to decide what OS you are running. If you are running Firefox on a Linux box (as I am), it will decide that you are running a Mac, or at least that you want the Mac version. I haven't been able to find a straightforward way to ask for the Windows version, but you can work around this by using the "User Agent Switcher" extension for Firefox:

This allows you to tell the Web site that you are using a different browser / OS combination. Using "Opera 8 (Windows XP)" from the pre-configured choices and reloading the download page gets you to the Windows version. (Incidentally, this extension is also useful for some other brain-dead Web sites that insist they only work with Internet Explorer.)

Posted by: Rich Gibbs | December 15, 2007 12:41 PM | Report abuse
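The comment above describes a download page that guesses the visitor's operating system from the User-Agent header and lumps anything it does not recognise (a Linux Firefox, for instance) in with the Mac build. The snippet below is an added illustration of that failure mode and of a more careful approach; it is not Apple's code and not from the original post. The User-Agent strings are constructed samples in the style of 2007-era browsers, and the "Windows, else Mac" rule is an assumption about how the page behaved, taken from the comment rather than from any real implementation.

```python
import re

# Constructed sample User-Agent strings (not captured from any real site).
SAMPLE_AGENTS = {
    "firefox_linux": "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11) "
                     "Gecko/20071127 Firefox/2.0.0.11",
    "firefox_mac": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.11) "
                   "Gecko/20071127 Firefox/2.0.0.11",
    "opera_winxp": "Opera/8.54 (Windows NT 5.1; U; en)",
    "ie_winxp": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
}


def naive_os_detect(user_agent):
    """The two-bucket rule the comment describes (assumed, not any vendor's real logic):
    anything that is not Windows is treated as a Mac."""
    if "Windows" in user_agent:
        return "windows"
    return "mac"  # Linux, BSD, unknown bots: all silently become "mac"


def careful_os_detect(user_agent):
    """Name each platform explicitly and admit ignorance for the rest,
    instead of letting unknown agents fall through to a default."""
    if re.search(r"Windows", user_agent):
        return "windows"
    if re.search(r"Mac OS X|Macintosh", user_agent):
        return "mac"
    if re.search(r"Linux|X11", user_agent):
        return "linux"
    return "unknown"


def choose_download(user_agent, requested=None):
    """Decide which installer to offer.

    An explicit platform choice from the visitor (e.g. a ?platform=windows
    query parameter, assumed here) always wins; User-Agent sniffing is only a
    convenience fallback, and an unrecognised platform gets the choice page
    rather than a guessed installer.
    """
    if requested in ("windows", "mac"):
        return requested
    detected = careful_os_detect(user_agent)
    if detected in ("windows", "mac"):
        return detected
    return "ask"  # no native build for this platform: show both links


if __name__ == "__main__":
    for name, ua in SAMPLE_AGENTS.items():
        print(f"{name:14} naive={naive_os_detect(ua):8} "
              f"careful={careful_os_detect(ua):8} offer={choose_download(ua)}")
```

Run as a script, the Linux Firefox line shows the problem the commenter hit: the naive rule reports "mac", while the careful detector reports "linux" and the download chooser falls back to asking. Passing `requested="windows"` reproduces what the User Agent Switcher trick achieves, but without the visitor having to lie about their browser.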

Brian: Thank you for helping to keep my computer up to date. Happy holidays!

Posted by: JBV | December 15, 2007 2:15 PM | Report abuse

Rich, thanks for the extra details.

The problem I've encountered on the last two QTPlayer releases is that I can go here:
and click on its download link, and it redirects to the link given in hysdavid's comment, without downloading.

By contrast, I can go here:
and click on its download link, and the download works correctly; don't know why, but it appears not to fit the "different user-agent string" hypothesis.

Posted by: Mark Odell | December 15, 2007 6:51 PM | Report abuse

Rich Gibbs> Apple has one of those too-clever-by-half sites that looks at the "user agent" string that the browser returns to decide what OS you are running

Indeed. Apple like to make you sing for your supper and balance the little ball on the end of your nose if you desire to petition them for the undeserved honour of running their most graciously blessed bloatware. Please, sir, may we have some more gruel...

The main download page has an embedded iframe. Here's the iframe target for the Windows XP/Vista US-English download:

Try that. It's nicely uncluttered, unlike the main page (ugh!).

Posted by: antibozo | December 16, 2007 3:50 AM | Report abuse

Is there a reason that itunes/quicktime do updates by making you reinstall the program instead of just downloading patches? It's a little annoying b/c every time you have to redo the preferences:

"No, I would not like to receive stupid info or newsletters via email."
"No, I don't want quicktime to be the default player for that type of media file. Or that one, or that one, or that one...."

Posted by: meh | December 16, 2007 5:01 AM | Report abuse

Mark, thanks for the info. I know I have downloaded Windows versions before, and I don't *think* I had to do the User Agent trick, once I found the "magic" page. But this time I couldn't find it. I checked the page you mentioned for version 7.2, and it works fine for me, too, without any tricks. But I get the same redirect from the 7.31 download page that you did, even when I edit the URL to resemble the 7.2 link.

It seems that Apple has improved the OS detection "feature". BTW, I did try the link from antibozo's comment, and it works fine.

For meh: the (possibly) good reason for replacing the whole package is to avoid complications stemming from which version the user has, intermediate patches, etc. The bad reason (and probably the operative one) is to make you look at some more advertising.

Posted by: Rich Gibbs | December 16, 2007 11:59 AM | Report abuse

Ditto on Apple Software Update's uselessness. I have QuickTime 7.1.6 on a Win2K box here (my only Windows box at home or work, used strictly for audio applications, including iTunes) and Apple Software Update is just delighted to leave everything intact. iTunes doesn't think anything's wrong either. Gee, maybe this is because 7.1.6 is the last version of QuickTime Apple provides for Win2K. Apple, you suck.

Related issue: iTunes insists on installing itself as a Firefox browser plugin. If I remove it, it tries to reinstall automatically every time I start iTunes. If I make the Firefox plugins folder read-only, iTunes refuses to run.

[If this weren't a public forum, you would see a vivid stream of profanity directed at the idiots at Apple in place of this paragraph.] Guess what, Apple? I don't want your crapware plugin mucking with my browser behavior. Let me sum up: Apple, you suck.

Most of the time, I merely hold Apple gear in mild disdain--baubles for people who like to play with computers without understanding them, and fine for that purpose--but every time I have to actually deal with Apple software, the bile rises. They're worse than Sun, and even Adobe, and that's bad.

For those in a situation similar to mine, you can work around the iTunes plugin stupidity by making a copy of the npnul32.dll in the Firefox plugins directory called npitunes.dll.

Of course, Firefox users may also want to disable the auto-plugin search for QuickTime in the Firefox configuration. One way to accomplish this is to go into about:config and set plugin.scan.Quicktime to a very high value (this is used for version comparison; I use 512.0). Note there are also sibling values for SunJRE (the Java plugin), WindowsMediaPlugin, and Acrobat.

Apple, allow me to remind you once more: you suck. If someone hadn't given me an iPod for free, I wouldn't have any of your pathologically invasive bloatware on my systems.

For your amusement:

Posted by: antibozo | December 16, 2007 9:06 PM | Report abuse

After reading the comments here and elsewhere, I'm even smugger on my long-standing ban on using ANY Apple products!!!

Now add this (below) to boot and I'm really enjoying my super lean mean running Windows machine!!

Mac OS X Java Multiple Vulnerabilities

Who was the genius at Apple who decided to include Java in the OS???? From Apple's website:

"Mac OS X is the only major consumer operating system that comes complete with a fully configured and ready-to-use Java runtime and development environment."

Why thanks for making that decision for me Apple! (Java is also on my software blacklist along with QuickTime)

Posted by: TJ | December 17, 2007 8:58 AM | Report abuse

Thanks for the heads up, Brian! I was on a site that uses QT for videos and was prompted to upgrade to 7.3.1 but since I only use the software's built-in updater and it hadn't prompted me to update, I didn't. It was only when I came here to read the latest on your blog when I saw that there was indeed an update.

However, like most readers have posted, the built-in QT/Apple updater showed QT/iTunes being up to date.
I had to uninstall QuickTime to get the latest version.

Thanks for the great blog! And thanks to the other Security Fix readers for the extra info.

Posted by: Security Fix reader | December 17, 2007 11:22 AM | Report abuse

Let me add my thanks for putting this QT problem; between my forum posts and Bush-like responses to phone calls: "Who is Brian Krebs? How do we know that this guy is legit?", Apple finally relented and hopefully fixed the problem.

Posted by: SPENCER | December 18, 2007 1:13 PM | Report abuse

Brian, why bother with QuickTime? (Or any other bloated media player linked to a storeful of advertising -- Windows Media Player and RealPlayer are at least as bad in this respect.)

There are open source alternatives, such as
VideoLAN VLC media player
or Media Player Classic

I have been installing VLC on Windows XP machines with DVD players. It plays most DVDs without complaint. Media Player Classic emulates WMP6, and comes with optional codec packages that emulate RealPlayer and QuickTime without the ads and the hype.

I am concerned by the recent spate of security holes. Are these in the actual codecs or in the players themselves? If in the codecs, are open source codecs similarly affected?

Generally, what do you think of MPC and VLC?

--Solo Owl, in DC

Posted by: Solo Owl | December 19, 2007 8:53 PM | Report abuse

© 2010 The Washington Post Company