December 13, 2007 (Computerworld) -- Apple Inc. patched several bugs in QuickTime on Thursday, including a three-week-old streaming media vulnerability for which exploit code has been in circulation since the end of November.
At least one security researcher took Apple to task for its slow response and lack of information before today. "In classic Apple style, security researchers have been shouting the warning about this, and Apple has sat quietly, leaving many people wondering when an update might be available," said Andrew Storms, director of security operations at nCircle Inc. "[Then] without any advance notification, we have an update [this afternoon]. There will undoubtedly be some people working late this week to not only catch up from the big Microsoft 'Patch Tuesday' release, but now also to update Apple QuickTime."
Unveiled Thursday afternoon, QuickTime 7.3.1 patches problems in how the program handles three types of media content. The most anticipated fix, however, plugged the Real-Time Streaming Protocol hole first disclosed Nov. 23 by Polish researcher Krystian Kloskowski.
Although the proof-of-concept exploits released by Kloskowski and another researcher who used the alias InTeL fingered only QuickTime running on Windows XP SP2 and Windows Vista as vulnerable, within days other analysts confirmed that the Mac QuickTime was also buggy. By Nov. 29, Symantec Corp. was warning clients that Mac exploit code had been published, raising the stakes even higher.
-------------------
Thanks for the heads up Apple.....
I agree with Andrew.
Apple might be dealing with security researchers privately in a responsible manner, but they are leaving their public users out to dry - both Mac and Win32 users.
Apple needs to drop the crayons and join the big boys of security vulnerability PR & disclosure.
No comments:
Post a Comment