Showing posts with label QuickTime. Show all posts

Saturday, April 16, 2011

No Finished 64-Bit QuickTime X For You!
Mac OS X Lion Still Requires QuickTime 7

--
In the true spirit of Apple users, I get seriously pissed off when Apple screw up badly. And OMG has Apple screwed up this time:

In a rather wacked-out article by FairerPlatform, we learned that Apple is only barely upgrading QuickTime 10 in Mac OS X 10.7 Lion. This forces We-The-Technos to continue to (I can't believe this) STILL INSTALL QUICKTIME 7.x.

I can't vent my frustration and rage any better than what I posted over at MacDailyNews:

A very well deserved RANT at Apple:

OMFG APPLE! WTF is wrong with you guys that you STILL CAN’T FINISH QUICKTIME 10!?!?!?!?!

This is when Apple users justifiably get PISSED-THE-HELL-OFF at Apple.

Let’s get real here:

1) There never has been any ‘QuickTime 10.0.x’. There has only been QuickTime 10.0.0.0.0.0. Apple dumped QT 10.0 on us in 2009 and left the buggy thing laying there with no improvements to follow! THAT SUCKS!

2) Now we apparently are going to get a mere token of an upgrade with 10.1.0 that still cannot come close to the functionality of QuickTime 7.x Pro, therefore, we STILL HAVE TO INSTALL QUICKTIME 7.x!!!!!! THAT SUCKS TOO!

Besides the CRAP functionality of QuickTime 10, and the fact that QuickTime 7.x is only 32-bit, there is one other CRITICAL reason to RANT for Apple to actually FINISH QuickTime 10:

SECURITY!!!

Q: What Apple software has the single WORST SECURITY? It’s not Mac OS X folks.

A: It’s QUICKTIME as in QuickTime 7.x!

MOVE YOUR LAZY ASSES APPLE and FINISH 64-bit QUICKTIME 10 RIGHT NOW!!!! It should have been finished A YEAR AGO!!!!!

I hope other Apple users are equally pissed off at this stoooopidity from Apple. (And folks, I NEVER troll).

Did I adequately get my annoyance across? Will Apple be adequately shamed? Do you think Apple will get the clue that I noticed their laziness?

Clearly, this is NOT going to be the year of full, 64-bit secure QuickTime. The waiting drags on and on...

:-P
---

Wednesday, December 8, 2010

QuickTime v7.6.9 Update
For 10.5.8 & Windows

~~
On December 7, 2010 Apple released QuickTime version 7.6.9 for Mac OS X 10.5.8 and Windows XP, Vista and 7. No update is required for Mac OS X 10.6.8 users. It contains 15 security patches; some apply to both Windows and Mac OS X, and a couple are Windows only. As usual, most of these vulnerabilities are due to memory overflow programming errors. You can read about the security patches at:

About the security content of QuickTime 7.6.9

I'm a bit concerned at the moment that Apple have this update listed as being for only Windows. This is INCORRECT. Hopefully Apple will correct their error today. Most likely they will add a separate listing for the Mac OS X 10.5.8 version.

According to Apple:

"QuickTime is incorporated into Mac OS X v10.6 and later. QuickTime 7.6.9 is not presented to systems running Mac OS X v10.6 or later."

I double-checked and verified that all of these CVE issues have already been patched in 10.6.8. Therefore, be certain that your installation of Snow Leopard is up-to-date.

If you've read my previous posts you know that Apple's QuickTime is the very least secure of Apple's software. A great deal of the problem has to do with JavaScript/ECMAScript Hell, as I call it. As usual, I consider JavaScript to be the bane of the Internet and wish it would be entirely scrapped and replaced with a secure scripting language. Read back in my posts if you're interested in my rants about why JavaScript is a catastrophe.

Below is a quick summary of the security holes patched in QuickTime v7. Click on the CVE numbers for further details.

Common Vulnerabilities and Exposures IDs Patched:

CVE-2010-3787 - Heap-based buffer overflow in QuickTime in Apple Mac OS X 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted JP2 image.

CVE-2010-3788 - QuickTime in Apple Mac OS X 10.6.x before 10.6.5 accesses uninitialized memory locations during processing of JP2 image data, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted JP2 file.

CVE-2010-3789 - QuickTime in Apple Mac OS X 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted AVI file.

CVE-2010-3790 - QuickTime in Apple Mac OS X 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted movie file.

CVE-2010-3791 - Buffer overflow in QuickTime in Apple Mac OS X 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted MPEG movie file.

CVE-2010-3792 - Integer signedness error in QuickTime in Apple Mac OS X 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted MPEG movie file.

CVE-2010-3793 - QuickTime in Apple Mac OS X 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted Sorenson movie file.

CVE-2010-3794 - QuickTime in Apple Mac OS X 10.6.x before 10.6.5 accesses uninitialized memory locations during processing of FlashPix image data, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted FlashPix file.

CVE-2010-3795 - QuickTime in Apple Mac OS X 10.6.x before 10.6.5 accesses uninitialized memory locations during processing of GIF image data, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted GIF file.

CVE-2010-3800 - Viewing a maliciously crafted PICT file may lead to an unexpected application termination or arbitrary code execution.

CVE-2010-3801 - Viewing a maliciously crafted FlashPix image may lead to an unexpected application termination or arbitrary code execution.

CVE-2010-3802 - Viewing a maliciously crafted QTVR movie file may lead to an unexpected application termination or arbitrary code execution.

CVE-2010-1508 - Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. Windows only.

CVE-2010-0530 - A local user may have access to sensitive information. Windows only.

CVE-2010-4009 - Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution.

Note: Not all of the CVE numbers have been listed at the National Vulnerability Database. Therefore, I instead provided links to their references at the Common Vulnerabilities and Exposures site. Check back at the CVE site as these CVEs progress beyond 'candidate' status.

Share and Enjoy!

:-D
~~

Thursday, August 12, 2010

Update:
Secunia Half Year Report 2010
& QuickTime Hell

--
In a previous article, entitled "Desperate Propaganda..." I had a rant-fest regarding a PC World FUD-fest regarding Apple security. The author, Preston Gralla, managed to spew out this line of deceit:

:-Q****** "The security company Secunia reports that Apple products have more vulnerabilities than those of any other company."

This was clearly taken as a hit at all Apple products. What was missing was any reference to the context of the source Secunia report, which you can read HERE. I knew better, having been an avid Secunia reader since 2005. In fact, the only Apple products noted in the report were QuickTime and iTunes on Microsoft Windows. Secunia didn't cover any other Apple products.

When I read through the entire Secunia Report I found nothing of relevance to Mac OS X except the fact that the Apple apps discussed are prone to the same problems on Mac OS X as well as Windows.

QuickTime Hell

In previous articles I've covered the major problems with QuickTime, the biggest culprit of Apple security holes. It is used in iTunes, thus making iTunes just as vulnerable. In summary, QuickTime stumbles over malicious ECMAScript (aka 'JavaScript') and coding errors that allow malicious buffer overflows.

Supposedly Apple has been overhauling QuickTime. The first peek at it has been QuickTime Player X. But as far as any user can tell, the QuickTime X project is stalled at version 1.0.0. What we have on Snow Leopard is entirely inadequate, incomplete and buggy. Serious QuickTime users are required to also install QuickTime version 7, the current version of which is 7.6.6.

Hopefully Apple will get back to work on revising QuickTime now that iOS 4 has been completed and released.
--

Wednesday, April 29, 2009

Dump Adobe Reader? Yeah, why not.

--
Intro:
I never like articles with a title ending in a question mark. You know what you're going to get: no answer to the question. Therefore, they are typically filler. Yawn on that. So here is my question and answer title. Let's get to the point right off the bat: Adobe Reader is a security risk.

The chatter on the net this past week has come to the conclusion that the long line of security holes in Adobe Reader over the past two years is enough already. Dump the thing. It's like my conclusion from decades past that Windows, among its many disappointments, is too much of a security risk to use professionally. That any business or any government uses it greatly concerns me. But it's not Microsoft bashing day. It's Adobe bashing day. If you don't need Adobe Reader, don't use it. Thankfully, Mac OS X users have Apple's Preview application, which has not got the JavaScript vulnerabilities of Adobe Reader. So use Preview instead. It's not totally immune to infected PDF files, but it's much safer than Adobe Reader.

OK, it's not like anyone's Mac got pwned by using Adobe Reader. There is no malware targeting Macs that I know of that weasels its way in via holes in Adobe Reader. So really there is no major alarm going off telling us to kick Adobe Reader off the bus for having cooties. But considering that Mac OS X is the safest professional operating system on the planet (not that I'm dissing Linux mind you), avoiding Adobe Reader at this time is a very good idea.

Personally, I've been a fan of PDF since Adobe Acrobat version 3. It's brilliant and has only become better over time. Thank you Adobe, and especially thank you for making it an open standard. Its integration into the core of Mac OS X is incredible. However, Adobe allowed in some poor code, including support for the catastrophe oddly known as JavaScript. I'll skip my usual lecture on how it got its misnomer and how it was ruined as a standard by Microsoft. Simply know that it is a security holey mess. Apple has gotten burned by JavaScript in QuickTime since 2006. The same JavaScript insecurities are equally plaguing Adobe Reader. Apple got control of their JavaScript problems. Adobe are still playing catch up.

Me, I'll still continue to use Acrobat. I'll still keep Reader around for when I absolutely need it. And there are indeed times when I require Reader. But I'm also going to keep an eye on the latest Reader problems and continue to update it (manually!) when updates are offered.
--