Forum Thread: Apple QuickTime QTPlugin.ocx Input Validation Vulnerability

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
Apple
And, this specific program:
Apple QuickTime 7.x

This thread has been marked as locked.
Kurosh Apple QuickTime QTPlugin.ocx Input Validation Vulnerability
Member 3rd Sep, 2010 06:04
Hi,

This is showing up in my "Secure Browsing" tab of PSI 1.5.0.2 for Google Chrome 5.x as "Insecure, no solution". However, isn't this only an ActiveX problem? If so, shouldn't it only affect Internet Explorer (and related) browsers?

Here's the related advisory:

http://secunia.com/advisories/41213/

Thanks!

This user no longer exists RE: Apple QuickTime QTPlugin.ocx Input Validation Vulnerability
Member 3rd Sep, 2010 10:28
Hi,

Yes, this advisory only applies to the ActiveX components of QuickTime, and our tests have only demonstrated the flaw in ActiveX.

However, QuickTime is tied to all browsers where it is installed by default. The PSI does not discriminate between the different browsers in the Auto-Update tab in this manner. The setting is not advisory-specific, but set for each product.

Hope this helps.
Kurosh RE: Apple QuickTime QTPlugin.ocx Input Validation Vulnerability
Member 3rd Sep, 2010 13:00
on 3rd Sep, 2010 10:28, wrote:
Hi,
However, QuickTime is tied to all browsers where it is installed by default. The PSI does not discriminate between the different browsers in the Auto-Update tab in this manner. The setting is not advisory-specific, but set for each product.

Hope this helps.


Thanks for confirming this is only an ActiveX issue.

Please note I was talking about the "Secure Browsing" tab, not the "Auto-Update" tab (which I believe is part of PSI 2.0, not 1.5.0.2). If the PSI does not distinguish between browsers in assessing their "secure" status, I suggest this should be implemented so that the PSI does not give inaccurate / misleading information to PSI users and cause concern.