Friday, August 13, 2010

QuickTime 7.6.7 security update for Windows

For the 39% of all Chrome users on Windows who have the QuickTime plug-in installed, it's time to update. Version 7.6.7 fixes a critical security problem that allows any website to take over your machine: http://support.apple.com/kb/HT4290

Download the latest version here: http://www.apple.com/quicktime/download/ (no, don't give them your email, it's not required).

Or just disable the plugin and only enable it on pages you trust to show you QuickTime movies. Why have arbitrary pages including arbitrary third-party widgets attempt to show you (potentially malicious) movies?

The SecBrowsing page and our Chrome extension are already warning users with vulnerable versions. Chrome's "about:plugins" page should also show a warning soon (Chrome beta, v6 and later).

Update: I expect this to be exploited pretty soon, as Metasploit has released sample exploit code already.