Vulnerability Development mailing list archives

Insecure Online Update with quicktime?


From: Kai Kretschmann <K.Kretschmann () security-gui de>
Date: Tue, 16 Jul 2002 15:18:44 +0200

Hi there,

Following the thread about insecure online updates of MacOS-X, how about the online update of the QuickTime 6 player? It seems to connect the same way, only making a simple GET request without HTTPS or anything similar.
The reply is a simple XML structure with embedded download links and checksums.
If I got far enough to make my own reply, I could for sure make my own download links and checksums. A sample reply is attached.

Isn't the QuickTime-using community a much bigger target than MacOS-X users?

bye,


--
Think-Safety
www.security-gui.de

Attachment: x.txt
Description:
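
The point raised in the message above, as an added example that is not part of the original post and is not Apple's code: a checksum delivered in the same unauthenticated reply as the download link matches whatever that reply points to, so it only protects the download once the reply itself is authenticated. The XML element and attribute names, URLs, package bytes and key are constructed, and HMAC-SHA256 stands in for a vendor public-key signature.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample data; the manifest layout is hypothetical.
GENUINE_PKG = b"genuine installer bytes"
OTHER_PKG = b"substituted installer bytes"
VENDOR_KEY = b"constructed-demo-key"  # stand-in for the vendor's signing key


def build_manifest(url: str, package: bytes) -> bytes:
    """Build an update reply: a download link plus the package's checksum."""
    root = ET.Element("update")
    ET.SubElement(root, "package", url=url,
                  sha256=hashlib.sha256(package).hexdigest())
    return ET.tostring(root)


def checksum_only_accepts(manifest: bytes, downloaded: bytes) -> bool:
    """Client logic that trusts the checksum delivered inside the reply."""
    pkg = ET.fromstring(manifest).find("package")
    return hashlib.sha256(downloaded).hexdigest() == pkg.get("sha256")


def sign(manifest: bytes) -> bytes:
    """Vendor side: tag the manifest (HMAC-SHA256 models a signature here)."""
    return hmac.new(VENDOR_KEY, manifest, hashlib.sha256).digest()


def authenticated_accepts(manifest: bytes, tag: bytes, downloaded: bytes) -> bool:
    """Client logic that authenticates the reply before using its contents."""
    if not hmac.compare_digest(sign(manifest), tag):
        return False  # reply was not produced by the vendor: stop here
    pkg = ET.fromstring(manifest).find("package")
    if not pkg.get("url", "").startswith("https://"):
        return False  # refuse plaintext download links
    return checksum_only_accepts(manifest, downloaded)


if __name__ == "__main__":
    genuine = build_manifest("https://updates.example.com/player.pkg", GENUINE_PKG)
    tag = sign(genuine)
    replaced = build_manifest("http://mirror.example.net/player.pkg", OTHER_PKG)
    print(checksum_only_accepts(replaced, OTHER_PKG))       # in-band checksum matches
    print(authenticated_accepts(replaced, tag, OTHER_PKG))  # replaced reply rejected
    print(authenticated_accepts(genuine, tag, GENUINE_PKG))
```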

