Apple patches 7 more QuickTime vulns . . .

  • Article

Unbelievable . . . or sadly - all too believable . . . Apple patches 7 more QT vulns: https://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9045599

What I find amazing is that:

  1. They don't use severity ratings (still!) but do admit (at least) that these are RCE vulns.
  2. They seem to be getting worse - not better with QuickTime to the point where they seem to have given up trying to secure QuickTime for Java and have finally disabled it by default.
  3. No one makes a bigger deal out of this - if this were Media Player people would be going nuts.  The article mentions that they think only one of these vulns can be exploited via a web page . . . I'd be surrpised if that were true based on a quick scan of the CVE descriptions in the Apple security bulletin (the first 3 CVE's have to do with viewing specially crafted movie files which can be made to play automatically I believe if you allow the QT AX control to run in IE which makes those 'browse and your owned' type RCE vulns).  The PICT ones may not be exploitable by simply browsing to a site - not sure if you can point the QT AX control at a PICT file and get it to render it.
    Here's the Apple security bulletin: https://docs.info.apple.com/article.html?artnum=306896

Finally - just to get an idea of how bad it really is - there are at least 13 Secunia advisories to date for QuickTime 7.x: https://secunia.com/product/5090/ and these advisories cover multiple CVEs (I counted 64 CVEs since 2005).

Contrast this with Windows Media Player 11 which has had only one bulletin with 2 CVEs since it shipped and Windows Media Player 10 which has had 2 bulletins.  You have to go all the way back to Media Player 9 to find a version of WMP that had 5 bulletins issued over its lifetime . . .