Posts tagged ‘Quicktime’

Quicktime 7.6.9 released

Apple has released Quicktime 7.6.9 to address multiple security vulnerabilities.  Viewing a maliciously crafted file could lead to arbitrary code execution.

Apple’s writeup of the security vulnerabilities is posted at this link.

Quicktime can be updated through Apple Software Update or via download at www.apple.com/quicktime/download.

Quicktime was last updated 2.5 months ago.

Quicktime and SCUP

When Quicktime 7.6.7 came out, I wanted to deploy it with Microsoft System Center Update Publisher (SCUP). I’d recently used SCUP to deploy Flash (for IE) and the Dell Inventory Agent. It made sense to look at using SCUP and SCCM Software Updates to deploy patches rather than continuing to use the old Software Distribution method. The funny thing was, when I Googled/Binged Quicktime and SCUP, I didn’t find a lot of answers. I found a link or two to my blog. Well, I’d better actually write something since the search engine expects me to have it.

SCUP can deploy MSP, MSI or EXE. In the past I had used a BAT file to set registry keys, copy configuration files and run the install. So that isn’t going to happen unless I compile that into an EXE. Quicktime also requires the update of Apple Application Support.

I decided to use my old friend SMS Installer to package the install files into one EXE and perform the installation actions. I decided to make it as simple as possible. The SMS Installer script is something like this:

Get Environment Variable %WinDir% into variable windir
Install File \\server\sourceDIR\quicktime to %temp%\quicktime\
Execute %temp%\quicktime\appleapplicationsupport.msi /qn reboot=reallysuppress (wait)
Execute %temp%\quicktime\quicktime.msi ALLUSERS=1 DESKTOP_SHORTCUTS=0 QTTASKRUNFLAGS=0 REGSRCH_INSTALL_ASU=0 /qn reboot=reallysuppress (wait)

The command-line options seem to have kept the “Q” systray icon and desktop shortcuts from appearing. But I didn’t manage to disable checking for updates when Quicktime is opened. It also has the really annoying new interface. In the past I solved those problems by dropping configuration files. That could still be done with a bit more testing.
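The same install sequence as a PowerShell wrapper, added here as an example; it is not the post’s SMS Installer script. It assumes the share path and MSI file names used above (\\server\sourceDIR\quicktime, AppleApplicationSupport.msi, QuickTime.msi) and that you still wrap it into an EXE (or run it as a program) for SCUP, since SCUP itself only takes MSP, MSI or EXE. What it adds over the script is the part SMS Installer was hiding: explicit msiexec syntax, a verbose log per MSI, and handing the 3010 “reboot required” exit code back to SCCM instead of swallowing it as 0.

```powershell
# Added example (not the post's SMS Installer script). $Source and the MSI names are
# assumed to match what was extracted from Apple's QuickTime installer.
param(
    [string]$Source  = '\\server\sourceDIR\quicktime',
    [string]$Staging = (Join-Path $env:TEMP 'quicktime')
)

$ErrorActionPreference = 'Stop'

function Install-Msi {
    param([string]$MsiPath, [string[]]$Properties = @())
    # One verbose log per MSI under %WINDIR%\Temp for troubleshooting
    $logName = [System.IO.Path]::GetFileNameWithoutExtension($MsiPath) + '.log'
    $logPath = Join-Path $env:WINDIR ('Temp\' + $logName)
    # Silent install, never reboot on its own, plus the caller's public properties
    $msiArgs = @('/i', "`"$MsiPath`"", '/qn', 'REBOOT=ReallySuppress',
                 '/l*v', "`"$logPath`"") + $Properties
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    # 0 = success, 3010 = success but a reboot is pending; anything else is a failure
    if (@(0, 3010) -notcontains $proc.ExitCode) {
        throw "$MsiPath failed with exit code $($proc.ExitCode) (see $logPath)"
    }
    return $proc.ExitCode
}

# Stage the install files locally, as the SMS Installer script did
New-Item -ItemType Directory -Path $Staging -Force | Out-Null
Copy-Item -Path (Join-Path $Source '*') -Destination $Staging -Recurse -Force

# Apple Application Support has to go on before QuickTime itself
$exitCodes = @()
$exitCodes += Install-Msi (Join-Path $Staging 'AppleApplicationSupport.msi')
$exitCodes += Install-Msi (Join-Path $Staging 'QuickTime.msi') @(
    'ALLUSERS=1', 'DESKTOP_SHORTCUTS=0', 'QTTASKRUNFLAGS=0', 'REGSRCH_INSTALL_ASU=0')

Remove-Item -Path $Staging -Recurse -Force -ErrorAction SilentlyContinue

# Pass 3010 back so "can request reboot" in SCUP actually means something; else 0
if ($exitCodes -contains 3010) { exit 3010 } else { exit 0 }
```

Any non-zero/non-3010 exit code from either MSI throws and the script stops before the second package runs, so a failed Apple Application Support install is never followed by a QuickTime install against the wrong support libraries.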

Compile your EXE in SMS Installer (or your favorite tool to create an install file).  

Once your install file is ready to go, you’re ready to add it to SCUP. Select Create Update and run through the wizard.

Update Information

Update Title: Quicktime 7.6.7   (this could be anything)
Description:  Quicktime 7.6.7 improves security and is recommended for all Quicktime 7 users on Windows.   (generally I take the description from the security advisory)
Classification: Security Advisory
Bulletin ID: HT4290
Vendor: Apple
Product: Quicktime

Extended Properties

Article ID: HT4290
CVE ID: CVE-2010-1799
Severity: Critical
Support URL:  could be an internal url or http://www.apple.com/quicktime/download
More Info URL: http://support.apple.com/kb/HT4290
Impact: Normal
Reboot Behavior: I left this on ‘can request reboot’ although SMS Installer is returning a 0 by default

Define prerequisite Rules

 Processor Architecture = x86
and
Windows Version Greater than or Equal to
major Version 5, SP Major Version 2, Minor Version 1
Product Type = workstation

Apple supports Quicktime on XP SP2 or greater. Apple uses a separate install file for x64. I chose to keep things simple for now and not try to package that in here.

Select Package
Installer Type = EXE
Update Package Source = Browse to your install file (I used a UNC path); this doesn’t need to be accessible to anything but your installer.
Download URL or UNC = Paste the same path as above.
Command Line = /S   (this tells the SMS Installer file to run silently. If you used a different packager you’re on your own)

Define Applicability Rules
File Version:
Common Paths – select program_files
Path – quicktime\quicktimeplayer.exe
Comparison – Less than
Version – 7.67.75.0

AND
Registry key exists
HKLM\Software\Apple Computer, Inc.\Quicktime

Define Installed Rules
File Version
Common Paths – Program_Files
Path – quicktime\quicktimeplayer.exe
Comparison – Greater Than or Equal To
Version 7.67.75.0
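Before publishing, it is worth running the applicability and installed rules above against a real machine, because a wrong path or version threshold is only discovered after WSUS has synced and clients report “not applicable”. The script below is an added example, not part of the original post; it re-implements the two rules in PowerShell using the post’s own values (QuickTimePlayer.exe under Program Files, the Apple Computer, Inc. registry key, version 7.67.75.0). Nothing here is SCUP’s own code.

```powershell
# Added example (not from the original post): evaluate the SCUP applicability and
# installed rules locally. Values are the ones the post uses for Quicktime 7.6.7.
$TargetVersion = [Version]'7.67.75.0'
$PlayerPath    = Join-Path $env:ProgramFiles 'QuickTime\QuickTimePlayer.exe'
$RegKey        = 'HKLM:\SOFTWARE\Apple Computer, Inc.\QuickTime'
# Caveat the post's x86-only rules do not cover: on x64 Windows the 32-bit player
# lives under ${env:ProgramFiles(x86)} and its key under HKLM:\SOFTWARE\Wow6432Node\.

function Get-QuickTimeVersion {
    param([string]$Path = $PlayerPath)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    # Build the version from the numeric parts rather than parsing the FileVersion
    # string, which vendors sometimes pad with extra text
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    return New-Object System.Version -ArgumentList @(
        $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Test-QuickTimeApplicable {
    # Applicability rule: file version < target AND the Apple registry key exists
    $v = Get-QuickTimeVersion
    return ($v -ne $null) -and ($v -lt $TargetVersion) -and (Test-Path -LiteralPath $RegKey)
}

function Test-QuickTimeInstalled {
    # Installed rule: file version >= target
    $v = Get-QuickTimeVersion
    return ($v -ne $null) -and ($v -ge $TargetVersion)
}

New-Object PSObject -Property @{
    Computer   = $env:COMPUTERNAME
    Version    = Get-QuickTimeVersion
    Applicable = Test-QuickTimeApplicable
    Installed  = Test-QuickTimeInstalled
}
```

A machine with no QuickTime at all comes back Applicable = False and Installed = False, which is the behaviour you want from “upgrade existing installs only” rules; if you wanted SCUP to push QuickTime onto clean machines you would drop the registry-key condition and the version check, and then collection-limit the deployment instead.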

Now you’ve got an update that is ready to go. Publish it to WSUS and then sync to SCCM as you would with any other SCUP update. I always see people complaining that very few vendors supply CAB files for SCUP. The fact is, before this year very few SCCM admins were using SCUP. Vendor-supplied CABs might not be configured the way you want anyway. For example, the Adobe CAB for Flash assumes you want all your computers to have Flash. If you only want to upgrade existing Flash installs you need to either collection-limit the update or write your own detection rules.

I hope that after reading through this you understand how to roll your own update, even for a complicated one like Quicktime. Make sure you thoroughly test your deployment.

Patching week in review

This week saw a large number of Microsoft patches.

Additionally Adobe released updates for Flash and Adobe Air. Acrobat and Reader updates expected for this week will occur next week.

Apple patched the iPhone and released an update for QuickTime.  iTunes users were not given the QuickTime update as of this post.

To stay up on all these updates, home users should install something like the Secunia Personal Software Inspector. Sysadmins should make plans to deploy these updates if the software is present in the work environment (rather than waving the dead chicken and hoping for the best).

Quicktime 7.6.2

Apple has released Quicktime 7.6.2 to deal with multiple security vulnerabilities. Their writeup is posted here.
Hopefully they also fixed the issue in their MSI file that was preventing installs on a few computers. We extract Quicktime.msi from Apple’s installer in order to avoid having to deploy the Apple Software Updater to our computers.

Firefox Updates

For the third time in the past 30 days, there is a Firefox update including security fixes. Firefox 3.0.10 is out.
“And you want to be my latex salesman”

I don’t mean to get all Jeff Jones here, but it seems to me there is a bit of tarnish on that “security king” crown that people give to Mozilla.
Software is going to have bugs. I’m glad Mozilla patches them, but more than once a month is getting a bit annoying. It’s highlighting a problem that Mozilla doesn’t seem to care about: enterprise patch deployment.
Mozilla loves to brag that their users apply patches. That’s the problem, you’ve got to use it to get prompted to update it. Even then the end user may turn off checking for updates.
Currently to get Firefox/Thunderbird updates to occur, I can either pray or send out emails, or use NAC to block their access to the network until Firefox is patched.
I can’t believe I’m saying this, but Quicktime and Java may have the better idea. Java has an always-running updater process. I believe Quicktime (via Apple Software Updater) is using Scheduled Tasks.
I’d love to just be able to use a logon script or NAC to be able to run C:\program files\Mozilla Firefox\updater.exe which would then prompt the user if a Firefox update was necessary. I’ve searched the Internet to see if this is possible. So far no dice.
Share your thoughts on keeping Firefox updated in the enterprise in the comments.

Quicktime 7.6

I finally deployed Quicktime 7.55 two weeks ago. So right on schedule Quicktime 7.6 is out.
Release details here.

Security Update available for Adobe Reader and Acrobat 8.1.2

I think it’s one of those immutable laws of security: the day you finish patching a product, a new patch will be released. Perhaps it just seems that way because of Quicktime.
We just sent out notices last week for our users running Adobe Acrobat (not reader) to update. While I deploy Adobe Reader updates since its part of the default install, users have installed Adobe Acrobat on their own, thus they need to patch. Left to their own devices many were found to still be running 7.0 or worse yet 6, or worse yet 5.
Since we’ve made good progress, it only makes sense that anyone running 8.1.2 will need to update again.
From the Adobe bulletin:

A critical vulnerability has been identified in Adobe Reader and Acrobat 8.1.2. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system.
Adobe recommends users of Acrobat 8 and Adobe Reader install the 8.1.2 Security Update 1 patch.

Fortunately 7.1.0 users are already cool.

Quicktime 7.5

Quicktime 7.5 has been released.
Apple’s description of the security fixes contained in this update is found here.
The Quicktime download and the iTunes with Quicktime download are available here.

Yet Another Quicktime Vuln

Quicktime Update Goodness

I never thought I’d be happy to see a Quicktime update. A few more of them and I was planning to create a uninstall package for Quicktime, roll it to the enterprise and remove it from the Ghost load.
It seems that in addition to the eleven fixes in Quicktime 7.4.5, Apple has added some hardening to make further attacks more difficult.
David Maynor in February called for Apple to update Quicktime to take advantage of address space randomization, or “ASLR”:

“ASLR prevents hacker code from running because the code is unable to find stuff in memory. Quicktime disabled this feature, so its layout is not randomized. Exploits for Quicktime vulnerabilities work because they know precisely where important bits are located. If Quicktime enabled ASLR, then most exploits for its vulnerabilities would not work.”

According to Ryan Naraine at eWeek, Quicktime for Vista now supports ASLR.
“In addition to ASLR, QuickTime for Windows will also do stack buffer safety checking (Visual Studio 2005′s /GS option) and support for hardware NX on Windows Vista.”
This is really good news if you are running Vista (even if you’re running a Mac you’re getting improved protection). If you’re still running XP, perhaps the NX will help (although the article only mentions Vista for some reason). I would suggest to you that there is more to Vista than having problems because your crappy peripherals are unsupported. There are security benefits to upgrading, particularly when the application supplier chooses to use them. Adobe you’re at bat! How will you step up to improve Flash security?
update 4/9/08: David Maynor has written an update where he points out a couple of flaws in Apple’s implementation. “Although most of the files are now marked as ASLR enabled there are still a few binaries that are not and could still provide an attacker a static location to utilize.” As he said, it’s still a big step forward. Informative post, I’d suggest checking it out.
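Whether a given binary is “marked as ASLR enabled” is a single flag in its PE header, so you can check Maynor’s point on your own install rather than take anyone’s word for it. The script below is an added example, not code from the post or from Maynor’s write-up: it reads the optional header of each file in the QuickTime folder and reports the DYNAMICBASE (ASLR) and NXCOMPAT (DEP) bits. It assumes the default install location under Program Files and treats .exe, .dll and .qtx files as PE images.

```powershell
# Added example (not from the original post): report the ASLR and NX linker flags
# in each QuickTime binary's PE optional header. Install path is assumed.
function Get-PeMitigations {
    param([Parameter(Mandatory=$true)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # DOS header: "MZ" magic, and e_lfanew (offset of the PE signature) at 0x3C
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "$Path is not an MZ executable"
    }
    $pe = [BitConverter]::ToInt32($bytes, 0x3C)
    # Need room for signature + COFF header + the first 72 bytes of the optional header
    if ($pe + 96 -gt $bytes.Length -or [BitConverter]::ToUInt32($bytes, $pe) -ne 0x00004550) {
        throw "$Path has no PE signature"
    }
    # Optional header follows the 4-byte "PE\0\0" signature and the 20-byte COFF header.
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ layouts.
    $opt   = $pe + 4 + 20
    $magic = [BitConverter]::ToUInt16($bytes, $opt)
    $dllc  = [BitConverter]::ToUInt16($bytes, $opt + 70)
    New-Object PSObject -Property @{
        File     = Split-Path -Leaf $Path
        PE32Plus = ($magic -eq 0x20B)          # 0x10B = PE32 (32-bit), 0x20B = PE32+
        ASLR     = [bool]($dllc -band 0x0040)  # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
        NX       = [bool]($dllc -band 0x0100)  # IMAGE_DLLCHARACTERISTICS_NX_COMPAT
    }
}

$qtDir = Join-Path $env:ProgramFiles 'QuickTime'
Get-ChildItem -Path $qtDir -Recurse -Include *.exe, *.dll, *.qtx |
    ForEach-Object {
        try { Get-PeMitigations -Path $_.FullName } catch { Write-Warning $_ }
    } |
    Sort-Object ASLR, File |
    Format-Table File, PE32Plus, ASLR, NX -AutoSize
```

Rows with ASLR = False at the top of the listing are exactly the “static location” binaries Maynor describes. Two caveats: the flag only says what the linker was told, and on XP the loader ignores DYNAMICBASE anyway (which is why the eWeek article talks about Vista), and NX at run time also depends on the machine’s DEP policy, not just on the NXCOMPAT bit.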