Wednesday, May 22, 2013

QuickTime 7.7.4 Update,
For Windows Only


Today Apple released a Windows only update for QuickTime, version 7.7.4. It patches 12 QuickTime security holes. All of the security patches prevent exploitation of memory management flaws by way of maliciously crafted media files.

If you work with Windows XP SP2, Vista or 7 "or later" (presumably including Windows 8), this update is HIGHLY recommended. Links to Apple's security summary, Apple's support page, and the direct download of the software are provided below:

About QuickTime 7.7.4 for Windows

[NOTE: As per Apple's recent penchant for botching their documentation, *grumble*, at the moment this page is labeled as being for QuickTime 7.7.3, which is entirely UNhelpful. Hopefully Apple will have corrected this problem by the time you follow their link. (0_o)]

About the security content of QuickTime 7.7.4

QuickTime 7.7.4 Installer

Side Topic: Making QuickTime fully 64-bit

FYI: I've been BITCHING at Apple lately to finally update ALL of QuickTime 10 for Mac to 64-bit code. Actually, I've been ranting at them about it for yonks. But now I am privileged to rant at them via AppleSeed. Hopefully we will see a fully 64-bit QuickTime 10 update very soon. Hint hint Apple!

What's still 32-bit in QuickTime, besides QuickTime Player 7:
- QuickTime Plugin.plugin v7.7.1
- AppleIntermediateCodec.component v2.0.1
- AppleMPEG2Codec.component v1.0.2

Tsk, tsk.


Monday, May 20, 2013

Review of GPGTools 2013.5.20
and GPGMail 2.0b6


[Updated 2013-05-21]

Today, the great people at the GNU Privacy Guard open source project posted GPGTools 2013.5.20 and GPGMail 2.0b6. I have posted a review of these essential Mac security tools at both and and decided to share my review here as well. I'll start out with links where you can download GPG.

Note that GPGMail v2.0b6 is included as part of GPGTools 2013.5.20.



GNU Privacy Guard remains geek ware, meaning that it is difficult for an average Mac user to set up and use. The learning curve for new users can be extremely steep, with a lot of questions asked along the way. However, patience provides rich rewards because GPG lets you:

1) Digitally sign your email with your GPG key. This lets recipients use your published public key to verify that you, and only you, sent them the message. This can be extremely important.

2) Use strong encryption on any file and any email. You can even use overkill encryption if you wish to be especially careful. With an already incredible amount of cybercrime and cyber-espionage on the Internet, this can be profoundly important.

If you use the email features, keep in mind that encrypting email on your end requires a sending email address associated with your GPG key AS WELL AS a receiving address that ALSO has its own publicly available key. Otherwise, encryption is not available. Digital signing, however, is always available.

I have so far tested the current versions of GPGTools and GPGMail with OS X 10.7.5 and had total success. The new version of GPGMail provides support for OS X 10.8. I will be testing these current versions with 10.8.3 and 10.8.4 beta. If there are issues with either, I will post here in another message.

Installing GPGTools/GPGMail is extremely easy. The hard part begins when you have to create your first key, upload your public key to the public key server, and begin to use its features. Never be stymied by the learning curve. All of the features work. It simply takes patience and time to figure them out and gain enough experience to be comfortable with them. Excellent documentation is now available. You'll find links to the docs at the end of the installation process. Read them through carefully, then use them step-by-step to get yourself going.

The effort put into creating GPGTools and keeping them compatible with ever-changing OS X is slow and painstaking. Please appreciate these efforts by putting GPG to work for you and by donating to the open source project. GPG is entirely free for all Mac users, and it works beautifully once you understand the geeky details involved. Thank you to everyone who contributes to this terrific and critical project!

If you are a USA citizen and need a reminder of what GPG is for, here is the 4th Amendment of the US Constitution:
"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
Here is what Benjamin Franklin had to say about liberty and safety:
"They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety."

Thursday, May 16, 2013

Apple iTunes 11.0.3 Released
With One Security Patch For Mac

Moments like this make me glad I have a Mac.

Apple released iTunes version 11.0.3 today. It contains one security patch. The link to the Security Announcement is below, as well as Apple's description of the security patch.

iTunes 11.0.3 was released for BOTH Windows and Mac. The Windows version includes a huge slew of CVE patches. I'm not going to list them! I don't have to! This is a Mac-only blog. Hee hee! Ha ha. But I will tell you that, according to my count, there are 39 CVE patches in the Windows version, including the cross-platform patch below. The majority of those CVE vulnerabilities were discovered by the Google Chrome Security Team. Most impressive. Unfortunately, all of the Windows-specific CVE issues are in the Windows version of WebKit, the Apple-sponsored open source project for web browsers. Also unfortunate, Google will no longer be contributing to the WebKit project, which means the Google Chrome Security Team will no longer be vetting WebKit for vulnerabilities.

I wish it were not so.
I'm sorry to see them go.

About the security content of iTunes 11.0.3

CVE-2013-1014 :
Impact: An attacker in a privileged network position may manipulate HTTPS server certificates, leading to the disclosure of sensitive information

Description: A certificate validation issue existed in iTunes. In certain contexts, an active network attacker could present untrusted certificates to iTunes and they would be accepted without warning. This issue was resolved by improved certificate validation.


Tuesday, May 14, 2013

New CRITICAL Adobe Security Updates:
Flash Player 11.7.700.202,
AIR and
Cold Fusion 'Hotfix' updates for v9.x and v10

[Note added 2013-05-21 at 9:07 AM ET: Adobe released another update of Flash Player, v11.7.700.203, on May 21, 2013. At the moment there are NO release notes about this version at Groan. If I find any security patches included in this version, I'll be writing it up in a separate article further up the blog. -->Give us a break Adobe.]

As scheduled, Adobe has provided security updates for Flash Player, AIR and ColdFusion. They have also provided updated Security Bulletins. All links are provided below.

Adobe Flash Player and AIR Security Bulletin:

Adobe Flash Player 11.7.700.202:

Adobe AIR 3.7:

13 security vulnerabilities have been patched:
These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2013-2728, CVE-2013-3324, CVE-2013-3325, CVE-2013-3326, CVE-2013-3327, CVE-2013-3328, CVE-2013-3329, CVE-2013-3330, CVE-2013-3331, CVE-2013-3332, CVE-2013-3333, CVE-2013-3334, CVE-2013-3335).

Adobe ColdFusion Hotfix Security Bulletin:

Instructions for installing ColdFusion updates:

5 security vulnerabilities, including 1 that is currently being exploited in the wild, have been patched:
Adobe has released a security hotfix for ColdFusion 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh and UNIX. This hotfix addresses a vulnerability (CVE-2013-1389) that could permit remote arbitrary code execution on a system running ColdFusion, and a vulnerability (CVE-2013-3336) that could permit an unauthorized user to remotely retrieve files stored on the server.

Adobe is aware of reports that CVE-2013-3336 (referenced in Security Advisory APSA13-03) is being exploited in the wild against ColdFusion customers. Adobe recommends users update their product installation using the instructions provided in the "Solution" section above.

This hotfix resolves a vulnerability that could be exploited by a remote, unauthorized user to run arbitrary code on a system running ColdFusion (CVE-2013-1389).

This hotfix resolves a vulnerability that could permit an unauthorized user to remotely retrieve files stored on the server (CVE-2013-3336).


New Adobe CRITICAL Security Updates:
Acrobat Pro and Reader 11.0.03

[Updated 2013-05-21 @8:38 AM: I removed the paragraphs and image regarding a low resolution icon for Adobe Reader. What I had witnessed was, I have discovered, yet another bug in Apple's Finder application. I've witnessed the exact same phenomenon with other newly installed apps. Refreshing or relaunching the Finder removes the problem. Not good Apple! Apologies to Adobe.]

On schedule, Adobe has posted critical security updates of both Acrobat Pro and Reader. The download links are below.

Thankfully, Adobe has (belatedly) provided an updated Security Bulletin as well, which is also linked below. The updates patch 27 security vulnerabilities.

Security Bulletin:

Adobe Reader XI (11.0.03):

Adobe Acrobat Pro XI (11.0.03):

Here are the security CVE vulnerabilities patched by these updates:
These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2013-2718, CVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2725, CVE-2013-2726, CVE-2013-2731, CVE-2013-2732, CVE-2013-2734, CVE-2013-2735, CVE-2013-2736, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, CVE-2013-3341).

These updates resolve an integer underflow vulnerability that could lead to code execution (CVE-2013-2549).

These updates resolve a use-after-free vulnerability that could lead to a bypass of Adobe Reader's sandbox protection (CVE-2013-2550).

These updates resolve an information leakage issue involving a JavaScript API (CVE-2013-2737).

These updates resolve a stack overflow vulnerability that could lead to code execution (CVE-2013-2724).

These updates resolve buffer overflow vulnerabilities that could lead to code execution (CVE-2013-2730, CVE-2013-2733).

These updates resolve integer overflow vulnerabilities that could lead to code execution (CVE-2013-2727, CVE-2013-2729).

These updates resolve a flaw in the way Reader handles domains that have been blacklisted in the operating system (CVE-2013-3342).