QuickTime Riskier Than Internet Explorer?

Danish vulnerability tracker Secunia ApS has concluded that Apple Incorporated's QuickTime is three times more likely to pose a threat than Microsoft Corporation's Internet Explorer 6 and six times more likely to be a threat than Mozilla Corporation's Firefox. According to an analysis of more than 350,000 system checks done over the last six months by the free Secunia Software Inspector, 33.1% of all QuickTime 7 installations weren't up to date with security patches. AOL LLC's Winamp was almost as likely to be outdated: 27% of Winamp 5 installations were missing needed security fixes. In comparison, IE 6 installations lacked one or more patches, while just 5.2% of Firefox 2 deployments needed updating. Secunia's data shows that outside of operating systems and browsers, users neglect regular patching.

"This constitutes a significant problem. Most people wouldn't hesitate to open an .mpg, .jpg, .mov or .mp3 file from any source if it seems the least bit interesting and relevant. It's easy to embed a movie in your home page, for example, and all it takes is one unpatched QuickTime vulnerability and a provocative video title to compromise a lot of visitors," said Jakob Balle, Secunia's development manager.

Researchers regularly identify vulnerabilities in QuickTime and Winamp. Secunia's own database, for example, pins 10 bugs on QuickTime 7, while Winamp 5 sports 11 vulnerabilities. There are fairly recent bugs as well, but fixes for all have been released. Balle said that scans of business computers for unpatched applications reveal the same user behaviour that inspections of consumer computers expose. Although the free Software Inspector remains available, Secunia is also pushing a server-side edition, dubbed Network Software Inspector.

News source: PC World


69 Comments


this has probably been said, but the article doesn't weight the likelihood of the hole being exploited. An app could have only ONE security hole, but if it's a guarantee that someone is going to exploit that hole, then the app is still more of a threat than an app with 100 obscure and hard to exploit security holes.

ikyouCrow said,
is it just me or are things starting to look really sh*tty lately for Apple? especially where QuickTime is concerned...

Yeah. Record earnings really suck.

I wish quicktime would just die. I refuse to install it on my computer, and when I'm forced to use it on a Mac at my university, it is never updated and keeps prompting for an update to which I cannot perform because I am not an admin.

There needs to be a cross platform player that works equally as well on both platforms. Windows Media Player works great on Windows, and version 11 is so polished. Itunes and Quicktime on a Mac seems to work well, I don't use it as often but I like it...on a Mac.

You say you wish quicktime would "just die", going on to say that you are forced to use it on a Mac at univ. Yet in the same breath you say "on a Mac it seems to work well" and that you basically like it on a Mac. So which is it?

Quicktime is just fine. Nothing wrong with it. When you have full screen functionality it truly rocks. It's a very mature app on a Mac and works very well.

I don't use Windows anymore, really. All I care about is a media player/manager that is specifically made for OS X.

Then there's always VLC Player, which even looks good on OS X.

The article fails to mention that quicktime is not installed on every pc, although it's installed on every mac, while internet explorer is installed on every ibm compatible computer with windows 98 and up.

Common sense would indicate that internet explorer is more of a threat to the world than quicktime.

Now that that's out of the way, I hate quicktime. It's underwhelming and mostly useless. Frankly I would rather use windows media player than quicktime. And I don't really like windows media player. VLC for the win.

Why "riskier than IE"? I mean, more browsers than IE use QT as a plugin... :p

Since IE, Firefox, and Opera all use QT as a plugin, the risks should be even, unless somehow IE is more vulnerable to poorly written plugins.

Another "good" program by Apple? And yet they have a real big go at Microsoft..... I think that they are just as bad!!
Probably worse really as they are the ones that "live in the glass house"!
Why oh why doesn't microsoft do something so that we don't have to use these programs at all!
Where is the MS alternative to Quicktime???

Let's make this clear now. Quicktime 7 or lower is one of the worst video apps ever still in 2007. I think most will agree with this. Apple makes better products than Microsoft usually though (software and hardware), it's just QuickTime that really lowers their quality bar.

PsykX said,
Let's make this clear now. Quicktime 7 or lower is one of the worst video apps ever still in 2007. I think most will agree with this. Apple makes better products than Microsoft usually though (software and hardware), it's just QuickTime that really lowers their quality bar.

Quicktime on Windows maybe, but have you ever seen the other side of that coin (Windows Media Player for OS X)? At least Apple keeps feature parity between Quicktime on OS X and Quicktime on Windows, something that Microsoft is either unable or unwilling to do with WMP. That being said, Quicktime on OS X is fantastic.

PsykX said,
Let's make this clear now. Quicktime 7 or lower is one of the worst video apps ever still in 2007. I think most will agree with this. Apple makes better products than Microsoft usually though (software and hardware), it's just QuickTime that really lowers their quality bar.

I have no problems whatsoever with QuickTime 7 on Mac OS X. It's a very nice media player, with a small resources footprint, a very polished interface, it plays everything I want it to and best of all it's fast.

There isn't a single reason for me not to like QuickTime 7 just because it performs poorly on Windows. And let's face it, Microsoft applications on Mac OS X don't exactly deserve a prize either.

.Neo said,

I have no problems whatsoever with QuickTime 7 on Mac OS X. It's a very nice media player, with a small resources footprint, a very polished interface, it plays everything I want it to and best of all it's fast.

There isn't a single reason for me not to like QuickTime 7 just because it performs poorly on Windows. And let's face it, Microsoft applications on Mac OS X don't exactly deserve a prize either. ;)

Exactly.

Well personally, my problem with QuickTime is the interface. I hate having 10 opened windows while having 10 videos opened. Media Player's interface is better on that side.
iTunes has that kind of feature maybe, but it doesn't support every kind of file and still isn't right.
It's true that Apple apps on Windows keep the same features compared to MS (are we talking about MSN Messenger here specifically? :P)

Common sense would prevent most silly security problems. And how is quicktime alternative safer? I'd assume Quicktime 7 would be safer because it would be patched first.

My QT is up to date because QT 7 always tells me when a new patch is out. Just like firefox. So I'm not sure why QT is less safe because someone hasn't patched it yet. Are we all so tired of pop-ups, we ignore warning popups on the actual computer :P

Well for example with Winamp it doesn't do any auto-updating within the program itself like Firefox does so that's one reason why people do not update it. I know I don't as often because you have to download a whole new version.
Quicktime doesn't matter as much to me either since I use Quicktime Alternative, though agreed that if Apple itself isn't updating it then it is still vulnerable.
I almost never use that plugin though.

These results brought to you by a company that stands to gain from positive light on Microsoft as Microsoft is a dominant company with a majority share Operating system and a not so great media player.

I think WMP is a great all-purpose media player, and version 11 has an assortment of excellent library management options.

Sinz said,
These results brought to you by a company that stands to gain from positive light on Microsoft as Microsoft is a dominant company with a majority share Operating system and a not so great media player.

Yeah right, if you can't attack the argument attack the person that makes the argument.

This article's title is misleading - It's making it sound as if QuickTime is not secure (it might not be, but that's not the point of the article) and Internet Explorer is more secure (again it might be, but that's out of question). All it's saying is that people don't bother to update their media players, not QuickTime is "risky" - it's not as long as you update it regularly.

Note this sentence:

Secunia's own database, for example, pins 10 bugs on QuickTime 7, Winamp 5 sports 11 vulnerabilities. There are fairly recent bugs as well, but fixes for all have been released.

wctaiwan

No you're twisting it around.

They're saying these apps are more vulnerable because people don't update them as much as the browser they're using. So technically, they actually would be more risky. Depends on the user and how often they update their software.

There's people who might update their browsers but nothing else. There's people who update Quicktime and other apps but not their browsers. Then you have the people who don't update anything.

Again, it depends on the user. I wouldn't call these people stupid either. Not everyone who uses a computer knows that you should check for updates constantly. This doesn't make them stupid.

I'm glad this time the users, not Apple, are responsible for the risks.

I myself use QT Alternative and for the matter Real Alternative.

You do realize that they both use the libraries from the actual Quicktime and Real Player packages right?

If there's a vulnerability in part of that in the actual app it would be in this version as well.

NightmarE D said,
You do realize that they both use the libraries from the actual Quicktime and Real Player packages right?

If there's a vulnerability in part of that in the actual app it would be in this version as well.

You're right but at least I don't get the unwanted "features".

chilliadus said,

You're right but at least I don't get the unwanted "features".

but unwanted features don't apply to this article do they lol

chilliadus said,

You're right but at least I don't get the unwanted "features".

I didn't even say anything about features did I? I said the libraries used in BOTH apps could contain vulnerabilities and would be vulnerable no matter what it's installed with.

Nice try at twisting what I said

Comparing a media player to a web browser is an irrelevant comparison in the first place. If you are going to compare Quicktime to something, how about comparing it to Windows Media Player and VLC (for an open source app). Why did they compare Quicktime to IE and Firefox anyway? Shouldn't they compare Safari to those?

NightmarE D said,
They're not really comparing them. What they're saying is that most security issues may come from something you wouldn't expect.

That's not what the first sentence of the article implies. It says that Quicktime is more of a threat than IE or Firefox.

Danish vulnerability tracker Secunia ApS has concluded that Apple Incorporated's QuickTime is three times more likely to pose a threat than Microsoft Corporation's Internet Explorer 6 and six times more likely to be a threat than Mozilla Corporation's Firefox.

Perhaps you read that differently than I did, but it sure sounds like they are comparing a media player to two web browsers to me.

roadwarrior said,

That's not what the first sentence of the article implies. It says that Quicktime is more of a threat than IE or Firefox.

Perhaps you read that differently than I did, but it sure sounds like they are comparing a media player to two web browsers to me.

I would assume a media player is way easier to make secure than a browser, so who cares if they are comparing it, to be in the same league as a browser for insecurity says in itself it must be bad

By that rule, is internet explorer twice as insecure as FF? Or vice versa?! Whoever thought of "X times more likely to be insecure than Y" was a good way of measuring safety...!

Julius Caro said,
By that rule, is internet explorer twice as insecure as FF? Or vice versa?! Whoever thought of "X times more likely to be insecure than Y" was a good way of measuring safety...!

I think it meant all the existing installations, up-to-date and out-of-date. I believe that FF makes it easier to stay up-to-date by auto update installation, including FF itself and extensions.

One thing I really could say, I would never watch movie trailer or any other video on internet using WMP. QuickTime and RealMedia Player would be in the first place for me... And I think for other people too... But I could be wrong...

I wouldn't even think of installing quicktime or real player on my pc...
Media Player Classic or Windows Media Player all the way!

A modded xbox with Xbox Media Center beats all 3 hands down tho

I'd pick Windows Media for internet trailers before quicktime, any day, even with quicktime alternative.

as for RealMedia, yeah you're definitely alone there, I with most people I know would rather watch a 1fps GIF trailer than even load a webpage with embedded real media on it, you never know how little it takes for real player to infect your computer.

Real media player?!! You almost don't even belong here, if you even admit to using that POS!!

Media Player classic or the VLC player for me.

either chad is stupid or just a smart ass, quicktime has bugs in both windows and mac versions, although as far as i am aware the latest quicktime is sort of secure

I can hear the fanboy rage building already...

This isn't surprising at all. It seems that there's patch, after patch, after patch for security issues in QT.

The_Decryptor said,
Because you don't update it...?

I update any program I have when I'm prompted - iTunes/Quicktime/Java give me a prompt to do so, though they are not automatic. Really they should be automated like Firefox/Thunderbird... they announce when they've updated themselves and ask to restart to complete the procedure. If a program doesn't prompt me then I won't update it; I am not going to traipse around the web to see if there is an update to any one of the numerous programs I have installed.

It is the responsibility of a program's developers to make sure it is secure, particularly when it is something actively targeted by exploits (like Quicktime, Firefox, etc). Updates to any non-production tool should be automatic. Programs like Photoshop, Cubase, etc, are relied upon for business and so any update that could break them should not be automatic - however, programs like Quicktime, IE, Notepad, FlashGet, etc, can and should be updated automatically to prevent exploits as quickly as possible.

theyarecomingforyou said,

I update any program I have when I'm prompted - iTunes/Quicktime/Java give me a prompt to do so, though they are not automatic. Really they should be automated like Firefox/Thunderbird... they announce when they've updated themselves and ask to restart to complete the procedure. If a program doesn't prompt me then I won't update it; I am not going to traipse around the web to see if there is an update to any one of the numerous programs I have installed.

It is the responsibility of a program's developers to make sure it is secure, particularly when it is something actively targeted by exploits (like Quicktime, Firefox, etc). Updates to any non-production tool should be automatic. Programs like Photoshop, Cubase, etc, are relied upon for business and so any update that could break them should not be automatic - however, programs like Quicktime, IE, Notepad, FlashGet, etc, can and should be updated automatically to prevent exploits as quickly as possible.

QuickTime and IE are most certainly production applications for some of my users. It all depends on the nature of the business.

The_Decryptor said,
Because you don't update it...?

I believe that all these software updates are becoming an increasing annoyance amongst computer users, myself included. Every time I open any application it is asking me if I want to update it. No, I don't want to update it, I want to use it right now. I didn't open it because I thought I needed to update it, I opened it because I wanted to get my work done.

I think that there needs to be something in place in all of these applications that quietly updates them when the computer is idle and without nagging the user.

theyarecomingforyou said,

I update any program I have when I'm prompted - iTunes/Quicktime/Java give me a prompt to do so, though they are not automatic. Really they should be automated like Firefox/Thunderbird... they announce when they've updated themselves and ask to restart to complete the procedure. If a program doesn't prompt me then I won't update it; I am not going to traipse around the web to see if there is an update to any one of the numerous programs I have installed.

It is the responsibility of a program's developers to make sure it is secure, particularly when it is something actively targeted by exploits (like Quicktime, Firefox, etc). Updates to any non-production tool should be automatic. Programs like Photoshop, Cubase, etc, are relied upon for business and so any update that could break them should not be automatic - however, programs like Quicktime, IE, Notepad, FlashGet, etc, can and should be updated automatically to prevent exploits as quickly as possible.

Some problems with this, is that the fact this completely violates SOX compliance with businesses as well, not only out-of-date, but also allowing it to just automatically push itself onto the servers/workstations in the environment. So, you will find that also at the corporate level, you want an option that tells you that it's out of date and that it needs to be updated, or disable the software if it's that bad. I have this very problem with a software vendor who pushes out updates to their business software every night, regardless if you know about it or not, which no longer allows us to be SOX compliant, because we can't account for what we see being pushed to our environment. So, it's been disabled completely. :P

Shadrack said,

I believe that all these software updates are becoming an increasing annoyance amongst computer users, myself included. Every time I open any application it is asking me if I want to update it. No, I don't want to update it, I want to use it right now. I didn't open it because I thought I needed to update it, I opened it because I wanted to get my work done.

I think that there needs to be something in place in all of these applications that quietly updates them when the computer is idle and without nagging the user. :|

I think it needs to be a little more subtle, instead of in-your-face. Something like a notification pop-up like Outlooks or Messengers.

No, because in a corporate environment where updating an application can cause everyone in an office to stop work because an update killed their PC, I don't see them as an annoyance, I see them as a critical tool to help me do my job. If an update is quietly installed and breaks something how do you know why it broke. Any update tried to stick itself on my machine I will block it outright. I decide what gets installed and when.

theyarecomingforyou said,

I update any program I have when I'm prompted - iTunes/Quicktime/Java give me a prompt to do so, though they are not automatic. Really they should be automated like Firefox/Thunderbird... they announce when they've updated themselves and ask to restart to complete the procedure. If a program doesn't prompt me then I won't update it; I am not going to traipse around the web to see if there is an update to any one of the numerous programs I have installed.

It is the responsibility of a program's developers to make sure it is secure, particularly when it is something actively targeted by exploits (like Quicktime, Firefox, etc). Updates to any non-production tool should be automatic. Programs like Photoshop, Cubase, etc, are relied upon for business and so any update that could break them should not be automatic - however, programs like Quicktime, IE, Notepad, FlashGet, etc, can and should be updated automatically to prevent exploits as quickly as possible.


Update when it needs updating, if u see a vulnerability for an app you update

ROFLMAO responsibility of the programs developers, you met any developers??? non production??
Everything is production if it's on a production machine, if quicktime update blows out photoshop I am gonna get mad if quicktime updated itself.

All these theories may be fine in a consumer environment, but in a business environment it just won't work