Comments on: Serious Flaw in Popular Media Players from Microsoft and AOL

By: eM3rC

eM3rC — Sun, 06 Jan 2008 22:16:59 +0000

Although this is more the users fault for not updating rather than microsoft, it seems like there should be some security update or alert specifically for people who are vulnerable to this exploit.

Plus, its microsoft… Enough said…

By: Sir Henry

Sir Henry — Fri, 14 Dec 2007 16:49:07 +0000

@Pantagruel:

I, too, am within the population of busy bees you described. Should I encounter a free moment today, I shall see what ground I can cover. I will report back with any updates as I have them.

By: Nobody_Holme

Nobody_Holme — Fri, 14 Dec 2007 15:11:36 +0000

I do update my QT… makes life easier. hadnt spotted that latest though. Off i go to download it.

By: Pantagruel

Pantagruel — Fri, 14 Dec 2007 14:59:19 +0000

@ Sir Henry

I guess most of us are busy doing other stuff (I certainly am), securing machines, applying patches, etc.
But give it a whirl, get vmware (or any other virtual environment) and install a ‘virgin’ version of XP and try the exploits available. We’ll be eager to read your first hand experience. After a look at my ‘to-do’list this exploit most likely will have to wait untill somewhere next week.

By: Sir Henry

Sir Henry — Fri, 14 Dec 2007 14:07:27 +0000

So, has anyone here actually tried the exploit? Given, I do not normally use those apps, but I would be intrigued to see a hands-on with these vulnerabilities.

By: Pantagruel

Pantagruel — Fri, 14 Dec 2007 12:55:39 +0000

Apple released a patch for QT 7.3.1 yesterday removing the problems you run into when opening QTL and RTSP.
Get the patch at http://www.apple.com/support/downloads

By: sKreeM

sKreeM — Thu, 13 Dec 2007 19:42:17 +0000

Ohhhh… I was expecting an MP4 video broadcast of this news

By: Pantagruel

Pantagruel — Thu, 13 Dec 2007 15:27:50 +0000

@ Nobody_Holme

Even QT sufferes from bug and vuln (have a look at http://secunia.com/advisories/27755/ )

A similar vulnerability is mentioned (http://secunia.com/advisories/26034/) also sporting a ‘crafted’ file
as point of entry. Results range from memory corruption upto arbitrary code execution.

So even here the adagio: ‘Patch, patch and moreover patch’ applies.

By: Nobody_Holme

Nobody_Holme — Thu, 13 Dec 2007 14:49:46 +0000

@Pantagruel
Good point. Thats why all such sites should use quicktime…
I had never thought of youtube… thank god for running a recent version of XP and having a fairly up-to-date WMP. now i’m off to update a program i dont intentionally use for the first time ever…

By: Pantagruel

Pantagruel — Thu, 13 Dec 2007 11:21:38 +0000

@ cpj

Indeed you might expect no problems if users do not use media player (as such). The bigger problem is websites like YouTube which use the webbrowser to display video and sound through the installed codecs.
This will eventually get people into trouble and will force them to update (without ever actually using WMP) or suffer a breach/hanging Windows XP/Vista.
Eventhough my parents are basic computer and internet users, they are aware of YouTube and browse about for the sheer fun of it (wondering why someone would put such content of him/herself on the www). This is already enough to keep your codecs up to scratch.