On July 11, 2007, iDefense Labs <labs-no-reply@xxxxxxxxxxxx> wrote: > > Apple QuickTime SMIL File Processing Integer Overflow Vulnerability > [...] > > Apple has released QuickTime 7.2 which resolves this issue. (And seven other security issues, six of which allow for remote code execution.) > More information is available via Apple's QuickTime Security Update page > at the URL shown below. > > http://docs.info.apple.com/article.html?artnum=305947 I think it's worth noting that Apple has *not* resolved the issues on Windows 2000 -- they have apparently dropped support for that OS as of QuickTime 7.2. They now only mention support for Windows XP and Vista (except on <http://www.apple.com/quicktime/player/faq.html>, which they seem to have forgotten to update). If you run Apple Software Update on a Win2K box, it'll lie and say "Your software is up-to-date." even though you're missing QuickTime 7.2 and its fixes for the eight severe security holes. Also Apple is continuing to support iTunes on Windows 2000 -- iTunes 7.3.1 came out after QuickTime 7.2, and there's an explicit radio button to download for Windows 2000 at <http://www.apple.com/itunes/download/>. Not too surprising, since ending support for iTunes on Windows 2000 would mean cutting off a revenue stream, but since iTunes requires QuickTime to function, this means that they're bundling QuickTime 7.1.6 for Windows 2000, of course with no warning as to the known security holes you're placing on your machine if you do that. Windows 2000 users who need the ability to play QuickTime movies will have to either upgrade to XP / Vista (QuickTime is the first major mainstream application I'm aware of that's dropped security update support for Win2K), disable the QuickTime browser plugins (and any automatic "helper app." actions) so that merely visiting a malicious web page won't be enough to expose onself to arbitrary code execution, or uninstall QuickTime and use some third-party player that has partial QuickTime support, like VLC (<http://www.videolan.org/vlc/>) or MPlayer (<http://www.mplayerhq.hu/>). -- Dan Harkless http://harkless.org/dan/
