
Apple's First 2009 Patch Batch Fixes 7 QuickTime Flaws

Apple today released a security update for its QuickTime media player. The new version, QuickTime 7.6, is available for both Mac and Windows systems.

This release fixes at least seven security vulnerabilities. All seven are serious enough that Apple says they could be used to run software of the attacker's choice on a vulnerable system simply by convincing the user to view a specially-crafted movie or streaming media file.

It's important for QuickTime users (particularly Windows users) not to let too much grass grow under their feet before applying this update. Because it is so widely installed (and probably so infrequently updated), QuickTime has drawn the attention of hackers who write and sell automated exploit toolkits. These are software kits that attackers typically stitch into the fabric of hacked Web sites. When a user visits such a site, the toolkit checks to see which of the browser plug-ins may still be vulnerable to known security flaws, serves up an exploit for the first one it finds, and then silently uses that exploit to install malicious software on the visitor's PC.

[Image: msftgraf.jpg]

According to Microsoft's most recent "Security Intelligence Report," a QuickTime flaw was the third- and fourth-most-attacked Web browser vulnerability for Windows XP and Windows Vista systems, respectively, during the first half of 2008 (See chart pulled from the report).

Mac users can grab the update from Software Update or from Apple Downloads. Windows users can use the download site or the bundled Apple Software Update program.

By Brian Krebs  |  January 21, 2009; 3:38 PM ET
Categories:  From the Bunker , Latest Warnings , New Patches , Safety Tips  

Comments

I installed this and it hosed my Mac. After installation on an iMac running OS 10.4.11 it began repeatedly restarting the Finder program, which brings it to the front and interrupts whatever else you are doing. Several others have reported this on Apple's support forum. No fix offered so far.

Posted by: aweintraub | January 21, 2009 5:05 PM

Hrm. That stinks. Well, maybe Mac users *should* let some grass grow under their feet before installing this. Ugh.

Any problems from Windows users?

Posted by: BTKrebs | January 21, 2009 6:10 PM

The iPhone success and the increased Mac marketshare are making it more financially attractive for malware-makers to target Mac OS X and the applications it supports.

Mac users can probably wait but Windows users ought to have something more than an ordinary AntiVirus agent for protection from vulnerabilities such as these. Those looking for something ought to focus heavily on usability.

Posted by: eiverson1 | January 21, 2009 6:35 PM

Secunia didn't find the update so I went to the Apple download site for the Windows version of just Quicktime. It got partway installed and then said I HAD to install iTunes if I wanted to continue (so I could purchase from the iTunes store). I clicked I did not want iTunes and it stopped the installation. I have always just had Quicktime on this laptop as I only use iTunes on the desktop and then only to download podcasts. Now what?

Posted by: Eremita1 | January 21, 2009 6:39 PM

Eremita1,

Did you check and/or uncheck the proper areas prior to starting download?

Posted by: g0th52 | January 21, 2009 7:31 PM

@g0th52
Yes. I specifically chose the Quicktime only. This is the first time I have ever had a problem with the update. Wonder why they even offer a Quicktime only if during install they insist you install iTunes as well. Think I will wait until Secunia finds the need to update and go through that link. Maybe that will be a different one?? Meanwhile I will avoid Quicktime...if I can.

Posted by: Eremita1 | January 21, 2009 9:33 PM

Apple are great fans of slamming Windows users with software they don't want - install any ONE of iTunes, QuickTime or Safari and they will try to force all THREE on you when you update.

QuickTime sucks. It's one of the most dangerous applications that you can have on a Windows machine. Consequently, I no longer have ANY Apple software on my PC because it all tries to install QuickTime whether I want it or not.

And you thought Microsoft was bad when it came to software flaws..

Posted by: Dynamoo | January 22, 2009 4:22 AM

I just installed this on my MacBook Pro without a hitch. I am using OS X 10.5.6

Posted by: jgwv | January 22, 2009 6:39 AM

I tried to install the update along with the new version of iTunes. It bombed midway through and QuickTime no longer worked. I tried to do a manual update, and bombed again. Finally was able to install a fresh version of just QuickTime and then update iTunes. Spent more than almost 2 hours on what should have been a 10 minute chore.

Posted by: mdembski1 | January 22, 2009 9:22 AM

At the moment, my PC with Windows XP isn't able to access the updated version. Apple Software Update doesn't give me a Quicktime option (only Bonjour and Safari). iTunes says that Version 8.0.2 is the latest version - no mention of Quicktime. And Quicktime itself says that Version 7.5.5 is the latest version.

Fortunately, I'm patient, and I'll try again tomorrow. :-)

Posted by: SSMD1 | January 22, 2009 9:50 AM

No problem using Software Update on my MacMini running OS 10.4.11

Posted by: GWGOLDB | January 22, 2009 9:53 AM

I've had the same results as SSMD1. Apple's update site isn't even currently showing a download button for the free version.

Posted by: ThomU | January 22, 2009 10:49 AM

I have an iMac OS version 10.5.6 and had no problem installing this update which took, I should think, less than 2 minutes.

Posted by: dajewell | January 22, 2009 11:19 AM

I went to the Windows link above, but didn't see an option to download the patch. Are we supposed to simply download the full Quicktime?

I don't mind doing that, but I want to make sure that's what I'm supposed to be doing.

Posted by: Georgetwoner | January 22, 2009 11:47 AM

George -- If you have Quicktime already installed, you should also have the Apple Software Update application installed (go to Start, All Programs). Run that and it should find the update you need.

Posted by: BTKrebs | January 22, 2009 11:52 AM

Ah thanks. But I just tried it and the only update was for something called Bonjour:

"Bonjour, also known as zero-configuration networking, enables automatic discovery of computers, devices, and services on IP networks. This update is recommended for all users to improve the usability and compatibility of your existing Bonjour installation."

Sounds to me like, under the circumstances, this is something that I affirmatively do not want.

Anyhow, I've never heard of it, much less used it, so I declined.

Posted by: Georgetwoner | January 22, 2009 12:26 PM

I just installed this update on a MacBook Pro running 10.5.6, acquiring it using Software Update (under Apple), and it went off without a hitch. I did deselect the Safari update option, since I use Firefox exclusively.

Posted by: watchbird1 | January 22, 2009 3:12 PM

As usual, the update installed flawlessly on my iMac.

Posted by: fatman985 | January 22, 2009 3:54 PM

Just installed the update on my MacBook Pro running 10.5.6 and iMac G5 running 10.4.11. As usual no problems.

Posted by: Crang | January 22, 2009 4:34 PM

Several people who had the Finder restart problem cured it by following these instructions to disable a piece of third-party software:


http://discussions.apple.com/thread.jspa?threadID=1873700&tstart=0

Posted by: aweintraub | January 22, 2009 5:22 PM

No problems installing via Software Update on my mini running 10.4.11. QuickTime was the only patch available to me.

Posted by: hitpoints | January 22, 2009 8:41 PM

I have an iMac w/10.5.6, downloaded the Quicktime update yesterday without hitch, & in just a couple mins.

Posted by: orvisman2 | January 23, 2009 1:58 PM

Just this morning (Friday) the QuickTime update was still not selected by Apple Software Update (on a WinXP machine). I have QuickTime 7.5.5. Although I have downloaded the standalone 7.6 update from the Apple website. How long does Apple take to get these things going on its update software facility?

It sounds like Apple Software Update is making Windows play second fiddle to OS X customers.

Posted by: 54Stratocaster | January 23, 2009 3:52 PM

Brian,
Just wanted to give you a compliment. Between you and Secunia, I feel my laptop is right up to date and pretty safe.
The update went on smoothly using Apple update on my Vista Ultimate.
Thanks so much.

Posted by: mlemac | January 23, 2009 4:55 PM

Quicktime has a long history of being a very buggy program. Secunia used to provide stats on this, perhaps they still do.

Posted by: MichaelsPostingID | January 26, 2009 3:43 PM

STOP: HALT: DANGER: WARNING: NO: DON'T:

'Apple's First 2009 Patch Batch Fixes 7 QuickTime Flaws' and breaks other things with NEW flaws!!!

FROM: http://support.aspyr.com/

'We are aware of the issues arising with the latest QuickTime update in 10.4.11 and are working with Apple to get it resolved. Please bear with us as we work with Apple to find the source of and fix for this problem.'

The only reason I am 'peeved' is that, as a 25-year PC veteran, I always wait a week or so before installing an update. I knew better, I've been down this path before. Ah, but nothing could ever go wrong with a Mac or a Mac update :)
Update away......

I don't solve problems for free anymore. I wait for the update. So, No CivIV for me. ;(

Posted by: georgethornton1 | January 26, 2009 10:10 PM

Hello and thank you for contacting Aspyr Media.

We are aware of the current issues in 10.4.11 that appear to be the result
of the new QuickTime 7.6 update. We are currently working with Apple to find
the cause and solution to this problem. Usually, when a QuickTime update
causes problems, Apple will provide an update to 7.6 or a rollback to 7.5.
Unfortunately, since QuickTime is an integral part of the Mac OS, it is
almost impossible to just uninstall the problematic version of QuickTime and
install the old one. Apple has been informed of the problem, and we are
working with them to get this problem resolved as soon as possible.

Thank you for your patience.
========
'integral part' - trying to 'own' you, just like MS and IE. I don't want any OS to 'own' me.

Posted by: georgethornton1 | January 27, 2009 7:34 PM

The comments to this entry are closed.


© 2010 The Washington Post Company