
Apple offering Windows users unpatched QuickTime version

Researchers with Secunia reported on Thursday that Windows users who download the latest version of QuickTime are still vulnerable to attack, less than a week after Apple patched the flaw.

The vulnerability was revealed Jan. 1 by the Month of Apple Bugs project.

According to Secunia, there is no way for Windows users to download a secure version of the program.

"Rather than supplying the correct fixed version for download, Apple still provides the old vulnerable version," wrote Thomas Kristensen, CTO of Secunia, in the company blog. "To get the actual security upgrade, users have to go through a rigorous update process, which is entirely different from the download process. To make matters worse, the update process isn't documented anywhere, so users may not even know where to begin!"

Kristensen said Secunia was made aware of the problem by an "enormous" amount of feedback from users of the company’s free Secunia Software Inspector. Users complained that after downloading the latest version of QuickTime, the inspector was still reporting the program as vulnerable.

Users thought Secunia’s tool was broken, but after a quick download of the latest version of QuickTime, Secunia researchers were able to exploit it. They highly recommend that Windows QuickTime users run the Apple Software Update application that is bundled with QuickTime and install the available update called "Security Update 2007-1."

Click here to email West Coast Bureau Chief Ericka Chickowski.
