Tag Archives: Apple QuickTime

Apple Releases Security Updates May / June 2016

Earlier this week Apple released a firmware (defined) update for its AirPort wireless base stations to resolve a critical vulnerability. Since I haven’t published information on Apple updates in many weeks I will also discuss the large collection of updates released on the 16th of May applying to the following products:

    =======================
    Apple iOS 9.3.2: For iPhone 4s and later, iPod touch (5th generation) and later, iPad 3 and later
    Apple watchOS 2.2.1: For Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
    Apple tvOS 9.2.1: For Apple TV (4th generation)
    Apple OS X El Capitan v10.11.5 and Security Update 2016-003: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 to v10.11.5
    Apple Safari 9.1.1: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 to v10.11.5
    Apple iTunes 12.4: For Windows 7 and later
    =======================

    As always, comprehensive details of all of these updates are provided on Apple’s Security Updates page.

    Why Should These Issues Be Considered Important?

    The most important updates to install are the AirPort firmware updates and the OS X security updates.

    The AirPort firmware update is particularly severe since it relates to how the devices within how these devices parse (defined) DNS (defined) data. The possible implications of such a vulnerability are clearly explained in this ComputerWorld article. As that article notes, DNS cannot be easily disabled without affecting functionality providing even more reason to install the necessary firmware updates as soon as possible.

    =======================
    Apart from the AirPort firmware updates the collection of updates made available on the 16th of May includes fixes for issues such as those detailed below:

    Apple iOS 9.3.2: Resolves 39 CVEs and includes fixes for CommonCrypto, IOAcceleratorFamily, Disk Images, iOS kernel (defined), libc, libxml2, OpenGL, WebKit (and associated components (among others).

    Apple watchOS 2.2.1: Resolves 26 CVEs and includes fixes for CommonCrypto, CorCapture, Disk Images, IOHIDFamily, IOAcceleratorFamily, watchOS kernel, libc, libxml2, libxslt and OpenGL

    Apple tvOS 9.2.1: Addresses 33 CVEs, the most severe present in the following components: CommonCrypto, IOAcceleratorFamily, Disk Images, IOHIDFamily, tvOS kernel (defined), libc, libxml2, libxslt, OpenGL, WebKit (and associated components (among others).

    Apple OS X El Capitan v10.11.5 and Security Update 2016-003: Resolves 70 CVEs the most severe being present in the following: AMD, AppleGraphicsControl, AppleGraphicsPowerManagement, ATS, Audio, CommonCrypto, CoreCapture, CoreStorage, Crash Reporter, Disk Images, Graphic Drivers, Intel Graphics Drivers, OAcceleratorFamily, IOAudioFamily. IOFireWireFamily, IOHIDFamily, OS X kernel, libc, libxml2, libxslt, Nvidia Graphics Drivers, OpenGL, QuickTime, SceneKit (among others).
    Apple Safari 9.1.1: Resolves 7 CVEs the most critical being present in WebKit (the renderer of Safari) and WebKit Canvas.

    Apple iTunes 12.4 for Windows: Resolves 1 critical CVE in the iTunes installer.

    How Can I Protect Myself from These Issues?
    If you own any devices that use Apple AirPort wireless base stations, use Apple iOS, watchOS, tvOS or OS X or you know someone that does, advise them to use the links below to install the most recent security updates.

    =======================
    As a routine precaution I would recommend backing up the data on any device for which you are installing updates (preferably to an external storage device that can easily be accessed by you) in order to prevent data loss in the rare event that any update causes unexpected issues.

    Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here.

    For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

    Thank you.

Apple Ends of Support for Quicktime for Windows

Last week Apple indirectly announced that it would be no longer providing support or security updates for their QuickTime player when installed on Microsoft Windows. Please note that QuickTime for Mac OS X is not affected by this change.

Why Should This Change Be Considered Important?
The recent public disclosure of 2 critical security vulnerabilities (detailed here and here) means that QuickTime is currently vulnerable to these issues and will remain that way. These issues were originally responsibly disclosed (defined) to Apple in late 2015. Apple after carrying out a decision making process has concluded that security updates and support for QuickTime on Windows should now be withdrawn. This appears to be due their decision to withdraw this product from their future roadmap (as shown in the ZDI security advisories linked to above).

How Can I Protect Myself From These Newly Disclosed Issues and in the Future?

As recommend by US-CERT as well as Trend Micro and within this InfoWorld article the only certain way to protect yourself from these newly disclosed vulnerabilities is to uninstall QuickTime for Windows.

The above recommendation will also serve to protect you going forward since software that you don’t have installed cannot be exploited (provided there are no remnants/leftovers after uninstalling).

I use QuickTime for Windows for Essential Workflows or Business Purposes, What Can I Use Going Forward?
As detailed in the previously linked to Trend Micro blog post, alternatives such as K-Lite Media Codec pack, QT Lite and Media Player Classic are available as alternatives. If you use QuickTime as a media player only, you could consider the open-source (defined: the source code (human readable code) is free to view and edit by the wider IT community) VideoLAN VLC Player.

Alternatively if none of the above QuickTime substitutes meet your specific needs you could consider installing the most recent version of QuickTime (version 7.7.9) onto a supported version of Windows and then air-gapping that PC. The concept of air-gapping is discussed in-depth in a previous blog post. But as discussed in that post, this approach is not without disadvantages and isn’t 100% safe.

If These Issues Are So Serious Why Is Apple QuickTime For Windows Still Available To Download?
As discussed above QuickTime has many varied uses and simply withdrawing it from the download page would have been even more inconvenient.

In addition, Apple did not publish a timeline in advance for phasing out QuickTime and possibly for this reason it remains available so as not to inconvenience existing users. This also allows anybody using any version prior to 7.7.9 to update to the most recent version to protect against previously resolved vulnerabilities.

==========
I hope that this information is useful to you as you gradually transition from QuickTime for Windows in order to avoid possible exposure to the above mentioned vulnerabilities as well as future vulnerabilities that may be discovered.

Thank you.

Apple Releases Security Updates To Address iMessage Vulnerability

Yesterday Apple released a very large collection of security updates that affect most of their product range to address issues among them the widely published vulnerability in the iMessage app:

=======================

  • Apple iOS 9.3: For iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
  • Apple watchOS 2.2: For Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
  • Apple tvOS 9.2: For Apple TV (4th generation)
  • Apple Xcode 7.3: For OS X El Capitan v10.11 and later
  • Apple OS X El Capitan v10.11.4 and Security Update 2016-002: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 to v10.11.3
  • Apple Safari 9.1: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 to v10.11.3
  • Apple OS X Sever 5.1: For OS X Yosemite v10.10.5 and later

=======================
As always, comprehensive details of all of these updates are provided on Apple’s Security Updates page.

Without question the most important update is for iOS bringing it to version 9.3. This issue is also present in watchOS and OS X. These updates resolve the cryptographic flaw in Apple’s iMessage app as reported by Matthew Green and his team of research students known as CVE-2016-1788 (defined). I will provide more detail on this vulnerability below.
=======================

Noteworthy fixes included are as follows:

Apple iOS 9.3: Resolves 38 CVEs and includes fixes for AppleUSBNetworking, FontParser, HTTPProtocol, iOS kernel (defined), libxml2, Security, TrueTypeScaler, WebKit (and associated components and Wi-Fi (among others).

Apple watchOS 2.2: Resolves 34 CVEs and includes fixes for DiskImages, FontParser, HTTPProtocol, IOHIDFamily, watchOS kernel, libxml2, Messages, Security, syslog, TrueTypeScaler, WebKit and Wi-Fi.

Apple tvOS 9.2: Addresses 23 CVEs, the most severe present in the following components: DiskImages, FontParser, HTTPProtocol, IOHIDFamily, watchOS kernel, libxml2, Messages, Security, syslog, TrueTypeScaler, WebKit and Wi-Fi.

Apple Xcode 7.3: Resolves 2 critical CVEs.

Apple OS X El Capitan v10.11.4 and Security Update 2016-002: Resolves 59 CVEs the most severe being present in the following: apache_mod_php, AppleRAID (defined), AppleUSBNetworking, Bluetooth, Carbon, dyld, FontParser, HTTPProtocol, Intel Graphics Driver (defined), IOGraphics, IOUSBFamily, OS X kernel, libxml2, Messages, Nvidia Graphics Drivers, OpenSSH, OpenSSL, Python, QuickTime, Ruby, Security, Tcl, TrueTypeScaler, Wi-Fi.

Update: 30th March 2016:
The update for OS X 10.11 (El Capitan) also addresses a vulnerability in the System Integrity Protection (SIP) present in the most recent version of the OS. This vulnerability was assigned the following CVE: CVE-2016-1757 Further discussion of this vulnerability is available here.

Apple Safari 9.1: Resolves 12 CVEs the most critical being present in the libxml2 and WebKit (the renderer of Safari).

Apple OS X Server 5.1: Addresses 4 CVEs the most severe of which could allow information disclosure.

An alternative summary of these updates is available within Intego’s blog post.

=======================
Why Should The Critical Cryptographic Flaw Resolved in the Updated Messages App be Considered Important?
From the information that has been made available on this attack it appears to be a side-channel attack; namely one where real world data is gathered in how the cryptosystem works. This is then used to attack it. If an attacker were to access Apple’s servers without being detected and obtained cipher texts(encrypted messages sent using iMessage) they could given sufficient time decrypt the attachments of the messages which can be photos or other files providing that either the sender or receiver of that encrypted message is online.

The tests to decrypt the attachments are done by sending 2^18 (invisible) encrypted messages to the target device. For each response, an attacker can tell if they “guessed” the encryption of that segment of the attachment correctly. This process must be repeated over and over until the entire attachment has been decrypted. It took the researchers over 70 hours to complete a proof of concept attack using un-optimized code but they estimate with optimized code only a fraction of 1 day would be needed.

A more complete technical description is available in Matthew Green’s blog post.

How Can I Protect Myself From This Issue?
As mentioned below if you own any devices that have Apple iOS, watchOS, tvOS or OS X or you know someone that does, advise them to use the links below to install the most recent security updates.
=======================

If you use any of the above software, please install the appropriate updates as soon as possible.

As a routine precaution I would recommend backing up the data on any device for which you are installing updates (preferably to an external storage device that can easily be accessed by you) in order to prevent data loss in the rare event that any update causes unexpected issues.

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

Thank you.

Apple Releases QuickTime for Windows Security Update (January 2016)

On Thursday of last week Apple released a security update for QuickTime for Windows. The update brings QuickTime to version 7.7.9.

Full details of this update are available on Apple’s Security Updates page. The update resolves 9 critical security issues (formally known as CVEs (defined).

To update Apple QuickTime for Windows, open QuickTime (by searching for it using the Start menu). From the menu bar at the top of the QuickTime window choose Help->Update Existing Software

Alternatively use Apple Software Update (usually installed with Apple iTunes). Upon opening Apple Software Update it will check for updates for you and display any applicable updates for QuickTime.

As always, I recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Apple Releases QuickTime for Windows Security Update

Late last week Apple released a security update for QuickTime for Windows. The update brings QuickTime to version 7.7.8.

Full details of this update are available on Apple’s Security Updates page. The update resolves 9 critical CVEs (defined).

To update Apple QuickTime for Windows, open QuickTime (by searching for it using the Start menu). From the menu bar at the top of the QuickTime window choose Help->Update Existing Software

Alternatively use Apple Software Update (usually installed with Apple iTunes). Upon opening Apple Software Update it will check for updates for you and display any applicable updates for QuickTime.

As always, I recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Apple Releases Security Updates for OS X, OS X Server, Safari and iOS

Yesterday Apple made available a collection of security update for the following list of products:

—————-
Apple Safari: for OS X Yosemite (10.10), OS X Mavericks (10.9) and OS X Mountain Lion (10.8)
Apple OS X: for OS X Yosemite (10.10), OS X Mavericks (10.9) and OS X Mountain Lion (10.8)
Apple OS X Server: OS X Yosemite (10.10.5 or later)
Apple iOS 8.4.1: for iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
—————-

As always full details on all updates are available on Apple’s Security Updates page. For this large collection of security updates, I would suggest prioritizing the installation of the update for OS X since it resolves the largest number of CVEs (defined) and addresses a serious publically disclosed issue in a component known as the DYLD_PRINT_TO_FILE environment variable. This flaw is discussed further in this post and this post.

Noteworthy fixes included are as follows:

Apple Safari: Includes fixes for 26 CVEs in WebKit (the renderer of Safari) and WebKit related components (27 CVEs addressed in total).

OS X (10.10, 10.9 and 10.8): Includes fixes for Apache (the popular open source web server), Bluetooth security fixes, FontParser OS X kernel, libc, libpthread, OpenSSH, OpenSSL, PostreSQL, Python, QuickTime, sudo and tcpdump (135 CVEs addressed in total).

Apple iOS 8.4.1: Includes fixes for CoreText, FontParser, iOS kernel, libc, libpthread, Safari and 25 CVEs in WebKit (and WebKit related components)(71 CVEs addressed in total).

OS X Server: Addresses 1 CVE in ISC BIND (as discussed in a previous blog post).

If you use any of the above software, please install the appropriate updates as soon as possible. As a routine precaution I would recommend backing up the data on any device for which you are installing updates (preferably to an external storage device that can easily be accessed) in order to prevent data loss in the rare event that any update causes unexpected issues.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

Thank you.

Apple Releases Security Updates

On Tuesday of this week, Apple made available a large collection of security updates for the following products:

  • Apple Safari: for OS X Yosemite (10.10), OS X Mavericks (10.9) and OS X Mountain Lion (10.8)
  • Apple OS X: for OS X Yosemite (10.10), OS X Mavericks (10.9) and OS X Mountain Lion (10.8)
  • Apple iOS 8.4: for iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
  • EFI Updates: for OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5 based systems
  • Apple QuickTme: for Windows
  • Apple iTunes: for Windows (while this was also available for Apple systems it does not appear to contain security related changes i.e. Apple devices may not be vulnerable to those vulnerabilities).

Full details on all updates are available on Apple’s Security Updates page. For this large collection of security updates, I believe that the OS X update has the highest priority since it resolves the largest number of CVEs.

Noteworthy fixes included are as follows:

  • Apple Safari: Addresses 1 critical SQL input validation flaw (as well as 3 other CVEs).
  • OS X (10.10, 10.9 and 10.8): includes fixes for 52 critical remote code execution CVEs as well as fixes for Apache, Certificate Trust Policy, CoreTLS (to address the Logjam flaw), EFI flash memory, display drivers (for non-Intel and Intel drivers), the OS X kernel, NTP, OpenSSL, QuickTime and SQLite (77 CVEs in total, not all flaws fixed were assigned CVE numbers).
  • Apple iOS 8.4: includes fixes for CoreTLS (to address the Logjam flaw), the iOS kernel and several fixes for Safari and the WebKit library (33 CVEs in total, not all flaws fixed were assigned CVE numbers).
  • Mac EFI Security Update 2015-001: Addresses 2 privilege escalations CVEs.
  • Apple iTunes 12.2 for Windows: Addresses 39 CVEs.
  • Apple QuickTime 7.7.7 for Windows: Addresses 9 CVEs.

Excellent explanations of the issues resolved by these updates are available for both OS X and iOS.

For an explanation of the term CVE, please see the first short aside within this blog post.

If you use any of the above software, please install the appropriate updates as soon as possible (if you have not already done so). As a routine precaution I would recommend backing up the data on any device for which you are installing updates (preferably to an external storage device that can easily be accessed) in order to prevent data loss in the rare event that any update causes unexpected issues. This is especially important for the Mac EFI update mentioned above since if an issue occurs during the update, your computer may no longer start up correctly when turned on.

Thank you.