Mystery of the Quicktime Update.

Apple has provided a fix for the RTSP exploit announced during the Month of Apple Bugs. Unfortunately, the update is quite hidden for Windows users. The Apple security document only has a link for Apple users; there is no link for Windows 2000 and XP users. Interesting.
The ISC diary has posted some instructions to download the patch, but you need to have Apple Software Update installed. If you have it, it's probably on the Start menu. You need to have recently gotten iTunes or Quicktime to have this installed. I only have it on one of my computers. I can't figure out where to download the patch for the other computers. I ran the “check for updates” from within Quicktime and it says I am up to date! This is not going to be good for enterprise software updates. We were already asking why Quicktime is on our ghost load.
I used Microsoft Process Monitor while downloading the patch on the one computer with Apple Software Update installed. That allowed me to capture an MSI file from my Temporary Internet Files: %userprofile%\Local Settings\Temporary Internet Files\Content.IE5\M7CLQPIX\SecurityUpdate2007-001[1].msi (your location will probably vary).
After installing the patch, my Quicktime was still version 7.1.3 when I checked Help > About QuickTime from within the program.
The update creates a registry key, HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Security Updates\2007-001, with the value Version=7.1.3.191 (you need to double-click Version to see the value). The quicktimeplayer.exe is now version 7.1.3.191 as well. Previously the version was 7.1.3.100. These two items will help differentiate patched systems from unpatched systems.
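The two markers above can be checked per host with a script. The following PowerShell is an added example, not part of the original post; the install directories and the Wow6432Node lookup for 64-bit Windows are assumptions, since the post gives only the registry key, the value and the file versions.

```powershell
function Get-QuickTimePatchState {
    # Markers from the post: registry value and patched file version.
    $subKey  = 'Apple Computer, Inc.\QuickTime\Security Updates\2007-001'
    $patched = [version]'7.1.3.191'

    # Registry marker. Assumption: on 64-bit Windows a 32-bit install
    # writes under Wow6432Node, so both registry views are checked.
    $regVersion = $null
    foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
        $prop = Get-ItemProperty -Path (Join-Path $root $subKey) -Name Version -ErrorAction SilentlyContinue
        if ($prop) { $regVersion = $prop.Version -as [version]; break }
    }

    # File marker. Assumption: default install directory (not given in the post).
    $fileVersion = $null
    $dirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($dir in $dirs) {
        $exe = Join-Path $dir 'QuickTime\QuickTimePlayer.exe'
        if (Test-Path -LiteralPath $exe) {
            $vi = (Get-Item -LiteralPath $exe).VersionInfo
            # Build from the numeric parts; the display string may be formatted differently.
            $fileVersion = New-Object System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
            break
        }
    }

    $fileOk = $fileVersion -and ($fileVersion -ge $patched)
    $regOk  = $regVersion  -and ($regVersion  -ge $patched)

    # 'Inconsistent' = only one of the two markers is present; review by hand.
    $state = if (-not $fileVersion -and -not $regVersion) {
        'NotFound'
    } elseif ($fileOk -and $regOk) {
        'Patched'
    } elseif ($fileOk -or $regOk) {
        'Inconsistent'
    } else {
        'Unpatched'
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        FileVersion     = $fileVersion
        RegistryVersion = $regVersion
        State           = $state
    }
}

Get-QuickTimePatchState
```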
Now, I need to figure out how to deploy this. Next, I will check if the 7.1.3 version from www.apple.com/quicktime is the new version. If so, I’ll probably update my install package and do a bit of testing. Hopefully it won’t be necessary to slipstream or daisy chain this SecurityUpdate2007-001.msi and the existing 7.1.3

2 Comments

  1. You can also get the file via Apple Software Update without trickiness:

    1. Select the 2007-001 security update in ASU.
    2. “Tools->Download Only”
    3. “Tools->Open Downloaded Updates Folder…”

    I still dunno if the MSI is safe to use, or does the whole job. Why wouldn’t they release it on the webotron? I give them enough credit that they wouldn’t do this just to pimp ASU while it’s not yet fully baked on the Windows platform.
