| ActiveMac | Anonymous | Create a User | Reviews | News | Forums | Advertise |
|
|
|
User Controls |
|
New User |
|
Login |
|
Edit/View My Profile |
|
|
|
|
|
|
|
ActiveMac |
|
Articles |
|
Forums |
|
Links |
|
News |
|
News Search |
|
Reviews |
|
|
|
|
|
|
|
News Centers |
|
Windows/Microsoft |
|
DVD |
|
ActiveHardware |
|
Xbox |
|
MaINTosh |
|
News Search |
|
|
|
|
|
|
|
ANet Chats |
|
The Lobby |
|
Special Events Room |
|
Developer's Lounge |
|
XBox Chat |
|
|
|
|
|
|
|
FAQ's |
|
Windows 98/98 SE |
|
Windows 2000 |
|
Windows Me |
|
Windows "Whistler" XP |
|
Windows CE |
|
Internet Explorer 6 |
|
Internet Explorer 5 |
|
Xbox |
|
DirectX |
|
DVD's |
|
|
|
|
|
|
|
TopTechTips |
|
Registry Tips |
|
Windows 95/98 |
|
Windows 2000 |
|
Internet Explorer 4 |
|
Internet Explorer 5 |
|
Windows NT Tips |
|
Program Tips |
|
Easter Eggs |
|
Hardware |
|
DVD |
|
|
|
|
|
|
|
Latest Reviews |
|
Applications |
|
Microsoft Windows XP Professional |
|
Norton SystemWorks 2002 |
|
|
|
Hardware |
|
Intel Personal Audio Player 3000 |
|
Microsoft Wireless IntelliMouse Explorer |
|
|
|
|
|
|
|
Site News/Info |
|
About This Site |
|
Affiliates |
|
ANet Forums |
|
Contact Us |
|
Default Home Page |
|
Link To Us |
|
Links |
|
Member Pages |
|
Site Search |
|
Awards |
|
|
|
|
|
|
|
Credits |
 |
Apple plugs QuickTime zero-day flaw | |
|
||
| Time: 19:35 EST/00:35 GMT | News Source: News.com | Posted By: Jonathan Tigner | ||
|
Apple on Tuesday released a QuickTime update to fix a security flaw that was used to breach a MacBook Pro at a recent security conference. The media player vulnerability lies in QuickTime for Java, Apple said in a security alert. The hole could be exploited through a rigged Web site and let an attacker commandeer computers running both Mac OS X and Windows, the Mac maker said. "By enticing a user to visit a Web page containing a maliciously crafted Java applet, an attacker can trigger the issue, which may lead to arbitrary code execution," Apple said. Only computers running an unfixed version of QuickTime would be at risk. Security monitoring company Secunia deems the flaw "highly critical," one notch below its most serious rating. The update, QuickTime 7.1.6, repairs the problem by performing additional checking. Apple credits bug hunter Dino Dai Zovi and the TippingPoint Zero Day Initiative for reporting the issue. | ||
|
Write Comment
Return to News |
Displaying 1 through 25 of 154 Last | Next |
The time now is
10:24:08 AM
ET.
Any comment problems? E-mail us |
| #1 By 3653 (68.52.143.149) at 5/1/2007 9:03:50 PM |
|
<sarcasm>
<thick>how timely</thick></sarcasm> |
| #2 By 3653 (68.52.143.149) at 5/1/2007 9:03:54 PM |
|
dup This post was edited by mooresa56 on Tuesday, May 01, 2007 at 21:04. |
| #3 By 37047 (216.191.227.68) at 5/2/2007 7:48:43 AM |
| #1: You criticize Apple for putting out a fix for this fairly quickly, but praised Microsoft for eventually fixing the ANI security flaw, which took longer to do. Considering this defect is only a week or so old, that is a pretty quick turn around time. Microsoft would have made you wait for the June security update cycle to get this, if it was a flaw in Media Player. But I guess things are still the same with you. With you, if it is not done by Microsoft, it must be bad by definition. And then you wonder why no one, other than Parkkker, takes you seriously. |
| #4 By 23275 (24.179.4.158) at 5/2/2007 9:00:52 AM |
| Mystic - this is only one of three vulns. patched. Two zero day vulns. remain. |
| #5 By 32132 (64.180.219.241) at 5/2/2007 9:31:26 AM |
| #3 How do you know for sure Apple hasn't known about this for months, and only succumbed to publicity. Apple almost never gives you enough information to figure out which patch in the usual batches of 10, 45 or 157 is how old. |
| #6 By 12071 (203.206.255.125) at 5/2/2007 9:58:09 AM |
|
#1 Makes a difference from those "will they or won't they this month" moments huh :)
#4 What are the 2 outstanding ones? #5 We don't know for sure... but if we have a quick look we'll find: Secunia - 24 April - http://secunia.com/advisories/25011/ CVE - 24 April - http://xforce.iss.net/xforce/xfdb/33827 ZDI - 23 April - http://www.zerodayinitiative.com/advisories/ZDI-07-023.html XForce - 23 April - http://xforce.iss.net/xforce/xfdb/33827 SecurityTracker - 24 April - http://securitytracker.com/alerts/2007/Apr/1017950.html So let's use the worst one... 23 April ... such a long time to wait! |
| #7 By 23275 (24.179.4.158) at 5/2/2007 10:43:45 AM |
|
#6, Ref: CVE version: 20061101
The Zero Day Vuln. patched was the highest profile listing as at, CVE-2007-2175 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2175 Two remain as at, CVE-2007-2295 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2295 and, CVE-2007-2296 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2296 The remaining vulns. present the potential for remote code execution via crafted .MOV, or MP4 files - depending upon the method of exploitation used. Eighty (80) vulns are presently registered at the CVE for "QuickTime" - 16 of which are for calendar year 2007. Just because you ask "what the other two are" does not mean that they do not exist - wishing them away will not mitigate them or the danger they represent to users of Apple's products. Source: This alert was researched and written by Corey Nachreiner, CISSP. |
| #8 By 32132 (142.32.208.234) at 5/2/2007 1:46:15 PM |
|
#6 The point I am making is that on the Apple page for the patch, there is no info on when the exploit was discovered.
http://docs.info.apple.com/article.html?artnum=305446 If you just go to Apple you are kept in the dark. Apple+Megapatch gets you 14,800 hits today on Google. http://www.google.com/search?q=%22apple+megapatch |
| #9 By 12071 (203.185.215.144) at 5/2/2007 11:04:49 PM |
|
#7 Easy there my favourite little MS shill, I was simply asking what they were as the story didn't have a link to them.
One of those vulnerabilities (http://security-protocols.com/sp-x45-advisory.php) was first reported over a year ago, which is unacceptable for no patch to have been released by now! Perhaps the solution provided there, use MPlayer, should be taken seriously :) As for the number in 2007 or any year for that matter, that is completely irrelevant if you don't also provide the additional information of how many of those have fixes available and the severity of those vulnerabilities. We've been through this at least 200 times by now but you still prefer to play the blind numbers game. #8 True, the best that they have provided is a "Date Created" at the bottom of the page but this is just the date on which they created the web page, not when the vulnerability was first reported. |
|
Write Comment
Return to News |
Displaying 1 through 25 of 154 Last | Next |
The time now is
10:24:08 AM
ET.
Any comment problems? E-mail us |
