Thursday, May 11, 2006

Quicktime upgrade time, (Fri, May 12th)

Additionally, there are a *lot* of updates (one large patch: 2006-003) for Mac OS X:
http://docs.info.apple.com/article.html?artnum=303737

IMHO, Apple was lying through their teeth in this ad:
http://www.apple.com/getamac/ads/ -> "Restarting."
(Not linked, as it starts Quicktime immediately -- oh, the irony.) Granted, the ad is addressing the need to reboot because of system instability, but the need to reboot because of updates/patches is quite annoying.

In the Linux world, the only time you have to reboot is to update your kernel (the core of the OS) or when you change hardware (duh! [unless it's very expensive hotswap hardware]). Now, if you'll excuse me, it's time to apply this update...and reboot.
Quicktime upgrade time, (Fri, May 12th): "Apple released a Quicktime upgrade to version 7.1 that fixes a number of vulnerabilities in the Quicktime viewer.

Normally I'd like to suggest reading the release notes for details, but they are typically thin in explaining what's been fixed and/or otherwise changed.

Basically viewing crafted images:

JPEGs [CVE-2006-1458],
Flashpix [CVE-2006-1249],
PICT [CVE-2006-1453, CVE-2006-1454],
BMP [CVE-2006-2238]

and movies:

Quicktime [CVE-2006-1459, CVE-2006-1460],
Flash [CVE-2006-1461],
H.264 [CVE-2006-1462, CVE-2006-1463],
MPEG-4 [CVE-2006-1464],
AVI [CVE-2006-1465]

can lead to arbitrary code execution.

The fixed version is available for both OS X and Windows. The best thing about it all is that at least we don't get the implicit insults that we should only visit trusted websites.

Without more information the only option is not to use Quicktime or upgrade.

--
Swa Frantzen - Section 66"


From: SANS ISC
