Apple releases Quicktime 7.1 security update for both OSX and WindowsXP

Apple, Inc. ^ | 1/2 3/2007

[Swordmaker]

About Security Update 2007-001

This document describes Security Update 2007-001, which can be downloaded and installed via Software Update preferences, or from Apple Downloads.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see "Apple Security Updates."

Security Update 2007-001

• QuickTime

  CVE-ID: CVE-2007-0015

  Available for: QuickTime 7.1.3 on Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.8, Mac OS X Server v10.4.8, Windows XP/2000

  Impact: Visiting malicious websites may lead to arbitrary code execution

  Description: A buffer overflow exists in QuickTime's handling of RTSP URLs. By enticing a user to access a maliciously-crafted RTSP URL, an attacker can trigger the buffer overflow, which may lead to arbitrary code execution. A QTL file that triggers this issue has been published on the Month of Apple Bugs web site (MOAB-01-01-2007). This update addresses the issue by performing additional validation of RTSP URLs.

[Swordmaker]

Security Update for Quicktime - Mac OS X.3.9, OS X.4.x and WindowsXP/2000. PING

If you want on or off the Mac Ping List, Freepmail me.

[HAL9000]

Tomorrow's Wall Street Journal has an interview with the MOAB guys, but notes that the one "showstopper" they found was the QuickTime vulnerability, which is fixed in this update.

Still no viruses, worms or spyware reported in the wild on Mac OS X for over five years.

[Echo Talon]

Apple does not disclose, discuss, or confirm security issues

Don't put your head in the sand.. its a dangerous world, deal with it.

[Swordmaker]

Well, Gee, Echo, up until the release of Vista, Microsoft's approach to the vast majority of security problems was to let third party companies handle it for them... Now they want to CHARGE their customers additional fees to let Microsoft do it.

[Shimmer128]

Sorry Swordmaker, his head is in the sand, he can't hear you.

[Echo Talon]

What about Windows Defender that is free?