iTunes 12.2 and QuickTime 7.7.7 (WIN) 3rd libs Vulnerable

2015.07.02
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

Hi @ll,

the just released QuickTime 7.7.7 and iTunes 12.2 for Windows still have quite some of the BLOODY beginner's errors I already documented in the past.

QuickTime 7.7.7, QuickTime.msi

unquoted pathname of executables in command line

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Media\QuickTime\shell\open\command]
@="C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"

iTunes 12.2, AppleMobileDeviceSupport.msi

outdated 3rd party libraries:

* libcurl 7.16.2 is NINE years old and has at least 25 unfixed CVEs!
  The current version is 7.43.0; for the fixed vulnerabilities see <http://curl.haxx.se/docs/security.html>

* libeay32.dll and ssleay32.dll 0.9.8za from 2014-06-05
  The current version is 0.9.8zg and has 24 security fixes which are missing in 0.9.8za; see <http://openssl.org/news/>

Apple STILL doesn't care about customer security, so better STAY AWAY from their insecure software!

Stefan Kanthak

References:

http://seclists.org/fulldisclosure/2015/Jul/6
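
Added example, not part of the original advisory or of Stefan Kanthak's post: the registry value above is printed in .reg export syntax, where the outer quotes are string delimiters and `\\` is an escaped backslash, so the stored command line itself carries no quotes. The Python code below decodes such lines and flags command lines whose executable path contains a space but is not quoted; the function names are hypothetical and every sample line except the advisory's own value is constructed.

```python
import re

# One REG_SZ line of a .reg export: @="data" (default value) or "name"="data".
REG_SZ = re.compile(r'^\s*(@|"(?:[^"\\]|\\.)*")\s*=\s*"((?:[^"\\]|\\.)*)"\s*$')
EXE_END = re.compile(r'\.(?:exe|com|bat|cmd)\b', re.IGNORECASE)

def decode_reg_sz(line):
    """Return the string the registry actually stores for one .reg line."""
    m = REG_SZ.match(line)
    if m is None:
        raise ValueError("not a REG_SZ line: %r" % line)
    # .reg syntax escapes backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', m.group(2))

def encode_reg_sz(value):
    """Write a stored string back in .reg syntax (as the default value)."""
    return '@="%s"' % value.replace('\\', '\\\\').replace('"', '\\"')

def audit_command(command):
    """Return (verdict, fixed_command); fixed_command is None if no fix is needed."""
    command = command.strip()
    if not command:
        return "empty", None
    if command.startswith('"'):
        return "quoted", None  # only the leading quote is checked here
    m = EXE_END.search(command)
    # Executable path: up to the first executable extension, else the first token.
    end = m.end() if m else len(command.split()[0])
    exe, rest = command[:end], command[end:]
    if not re.search(r'\s', exe):
        return "no-space", None
    return "UNQUOTED", '"%s"%s' % (exe, rest)

SAMPLES = [
    # Value exactly as printed in the advisory (QuickTime 7.7.7).
    r'@="C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"',
    # Constructed: the same path, correctly quoted in .reg syntax.
    r'@="\"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe\" \"%1\""',
    # Constructed: an unquoted path that contains no space.
    r'@="C:\\Windows\\notepad.exe %1"',
]

if __name__ == "__main__":
    for line in SAMPLES:
        verdict, fixed = audit_command(decode_reg_sz(line))
        print(verdict, line, "-> " + encode_reg_sz(fixed) if fixed else "")
```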

