###########################

# iTunes 12.2 and QuickTime 7.7.7 (WIN) 3rd libs Vulnerability

###########################

Hi @ll,

the just released QuickTime 7.7.7 and iTunes 12.2 for Windows still have quite some of the BLOODY beginner's errors I already documented in the past.


QuickTime 7.7.7, QuickTime.msi

unquoted pathname of executables in command line

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Media\QuickTime\shell\open\command]
@="C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"


iTunes 12.2, AppleMobileDeviceSupport.msi

outdated 3rd party libraries:

* libcurl 7.16.2

is NINE years old and has at least 25 unfixed CVEs!

The current version is 7.43.0; for the fixed vulnerabilities see <http://curl.haxx.se/docs/security.html>

* libeay32.dll and ssleay32.dll 0.9.8za from 2014-06-05

The current version is 0.9.8zg and has 24 security fixes which are missing in 0.9.8za; see <http://openssl.org/news/>


Apple STILL doesn't care about customer security, so better STAY AWAY from their insecure software!

Stefan Kanthak
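
Added example, not part of the original post and not Apple's or the author's code: a small Python audit that reads a registry export (.reg text) and reports command values whose executable path contains a space but is not quoted, as in the QuickTime entry above, together with the quoted form. The function names, the restriction to keys ending in `\command`, and the two `Example.*` control keys are assumptions made for illustration.

```python
import re

# Constructed .reg export: the first entry is the value quoted in the post,
# the other two keys are made-up controls.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Media\QuickTime\shell\open\command]
@="C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Example.Quoted\shell\open\command]
@="\"C:\\Program Files\\Example\\app.exe\" \"%1\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Example.NoSpace\shell\open\command]
@="C:\\Tools\\app.exe %1"
'''

# name="data" line of a .reg file; both parts may contain \" and \\ escapes.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"\s*$')
# Unquoted executable: shortest prefix ending in .exe before whitespace or end.
EXE_RE = re.compile(r'(.*?\.exe)(?=\s|$)(.*)', re.IGNORECASE)

def unescape(data):
    # .reg escaping: a backslash protects the next character (\\ and \").
    return re.sub(r'\\(.)', r'\1', data)

def audit(reg_text):
    """Return (key, command, quoted_fix) for unquoted exe paths containing a space."""
    findings, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]            # remember the key the next values belong to
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or not key.lower().endswith('\\command'):
            continue
        command = unescape(m.group(2)).strip()
        if command.startswith('"'):
            continue                    # executable path is already quoted
        exe = EXE_RE.match(command)
        if exe:
            path, rest = exe.groups()
        else:                           # no .exe suffix: only the first token is judged
            path, sep, tail = command.partition(' ')
            rest = sep + tail
        if ' ' in path:
            findings.append((key, command, '"%s"%s' % (path, rest)))
    return findings

if __name__ == '__main__':
    for key, command, fix in audit(SAMPLE_REG):
        print('UNQUOTED', key, '\n  value:', command, '\n  fix:  ', fix)
```
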

###########################

# Iranian Exploit DataBase = http://IeDb.Ir [2009-07-21]

###########################