Insecure Online Update with quicktime?

From: Kai Kretschmann (K.Kretschmann@security-gui.de)
Date: Tue Jul 16 2002 - 06:18:44 PDT


    Hi there,
    
    Following the thread about insecure online updates of MacOS-X, how about 
    the online update of the QuickTime 6 player?
    It seems to connect the same way, only making a simple GET request without 
    HTTPS or anything similar.
    The reply is a simple XML structure with embedded download links and checksums.
    If I got as far as making my own reply, I could for sure make my own 
    download links and checksums. A sample reply is attached.
    
    Isn't the QuickTime-using community a much bigger target than MacOS-X users?
    
    bye,
    
    
    --
    Think-Safety
    www.security-gui.de
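
The point raised in the message above, as an added example that is not part of the original post: a checksum delivered in the same unauthenticated reply as the download link only detects accidental corruption, so the updater has to authenticate the reply before trusting anything in it. The manifest layout, URLs, key and the use of SHA-256 are constructed assumptions (the attached sample reply is not reproduced on this page), and HMAC stands in for the public-key signature a real updater would verify.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed stand-in for the vendor's signing key. A real updater would pin a
# public key and verify an asymmetric signature; HMAC keeps this stdlib-only.
VENDOR_KEY = b"constructed-demo-key"

def build_manifest(url: str, payload: bytes) -> bytes:
    """Constructed manifest layout, not the real QuickTime reply format."""
    digest = hashlib.sha256(payload).hexdigest()
    return f'<update><pkg url="{url}" sha256="{digest}"/></update>'.encode()

def sign(manifest: bytes) -> str:
    return hmac.new(VENDOR_KEY, manifest, hashlib.sha256).hexdigest()

def checksum_only_ok(manifest: bytes, payload: bytes) -> bool:
    """Trust whatever checksum the reply carries (the design in the post)."""
    pkg = ET.fromstring(manifest).find("pkg")
    if pkg is None or pkg.get("sha256") is None:
        return False
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(pkg.get("sha256"), actual)

def authenticated_ok(manifest: bytes, tag: str, payload: bytes) -> bool:
    """Authenticate the manifest first, only then use its checksum."""
    if not hmac.compare_digest(sign(manifest), tag):
        return False
    return checksum_only_ok(manifest, payload)

# Constructed sample data: the genuine reply and its authentication tag.
GOOD_PAYLOAD = b"vendor build"
GOOD_MANIFEST = build_manifest("http://updates.example/player.pkg", GOOD_PAYLOAD)
GOOD_TAG = sign(GOOD_MANIFEST)

# Constructed reply altered in transit: the link and payload differ, and the
# checksum is self-consistent because it travels in the same reply.
ALTERED_PAYLOAD = b"not the vendor build"
ALTERED_MANIFEST = build_manifest("http://other.example/player.pkg", ALTERED_PAYLOAD)

if __name__ == "__main__":
    print("checksum only, genuine:", checksum_only_ok(GOOD_MANIFEST, GOOD_PAYLOAD))
    print("checksum only, altered:", checksum_only_ok(ALTERED_MANIFEST, ALTERED_PAYLOAD))
    print("authenticated, genuine:", authenticated_ok(GOOD_MANIFEST, GOOD_TAG, GOOD_PAYLOAD))
    print("authenticated, altered:", authenticated_ok(ALTERED_MANIFEST, GOOD_TAG, ALTERED_PAYLOAD))
```

The checksum-only check accepts both replies, while the authenticated check accepts only the genuine one.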
    
    
    


