Apple QuickTime Vulnerabilties
Systems Affected
Apple QuickTime on systems running
- Apple Mac OS X
- Microsoft Windows
Overview
Apple QuickTime contains multiple vulnerabilities. Exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code or cause a denial-of-service condition.
Description
Apple QuickTime 7.1.3 resolves multiple vulnerabilities in the way different types of image and media files are handled. An attacker could exploit these vulnerabilities by convincing a user to access a specially crafted image or media file with a vulnerable version of QuickTime. Since QuickTime configures most web browsers to handle QuickTime media files, an attacker could exploit these vulnerabilities using a web page.
Note that QuickTime ships with Apple iTunes.
For more information, please refer to the Vulnerability Notes.
Impact
These vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code or commands and cause a denial-of-service condition. For further information, please see the Vulnerability Notes.
Solution
Upgrade QuickTime
Upgrade to QuickTime 7.1.3. This and other updates for Mac OS X are available via Apple Update.
Disable QuickTime in your web browser
An attacker may be able to exploit this vulnerability by persuading a user to access a specially crafted file with a web browser. Disabling QuickTime in your web browser will defend against this attack vector. For more information, refer to the Securing Your Web Browser document.
References
- Vulnerability Notes for QuickTime 7.1.3 - http://www.kb.cert.org/vuls/byid?searchview&query=QuickTime_713
- About the security content of the QuickTime 7.1.3 Update - http://docs.info.apple.com/article.html?artnum=304357
- Apple QuickTime 7.1.3 - http://www.apple.com/support/downloads/quicktime713.html
- Standalone Apple QuickTime Player - http://www.apple.com/quicktime/download/standalone.html
- Mac OS X: Updating your software - http://docs.info.apple.com/article.html?artnum=106704
- Securing Your Web Browser - http://www.us-cert.gov/reading_room/securing_browser/
Revision History
-
September 13, 2006: Initial release
This product is provided subject to this Notification and this Privacy & Use policy.