Notices - NSC-060512
Apple QuickTime Vulnerabilities
National Cyber Alert System
Technical Cyber Security Alert TA06-132B
Apple QuickTime Vulnerabilities
Original release date: May 12, 2006
Last revised: --
Source: US-CERT
Systems Affected
Apple QuickTime on systems running
* Apple Mac OS X
* Microsoft Windows
Overview
Apple QuickTime contains multiple vulnerabilities. Exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code or cause a denial-of-service condition.
I. Description
Apple QuickTime 7.1 resolves multiple vulnerabilities in the way different types of image and media files are handled. An attacker could exploit these vulnerabilities by convincing a user to access a specially crafted image or media file with a vulnerable version of QuickTime. Since QuickTime configures most web browsers to handle QuickTime media files, an attacker could exploit these vulnerabilities using a web page.
For more information, please refer to the Vulnerability Notes.
II. Impact
These vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code or commands, and cause a denial-of-service condition. For further information, please see the Vulnerability Notes.
III. Solution
Upgrade
Upgrade to QuickTime 7.1. This and other updates for Mac OS X are available via Apple Update.
Disable QuickTime in your web browser
An attacker may be able to exploit this vulnerability by persuading a user to access a specially crafted file with a web browser. Disabling QuickTime in your web browser will defend against this attack vector. For more information, refer to the Securing Your Web Browser document.
Appendix A. References
* Vulnerability Notes for QuickTime 7.1 -
<http://www.kb.cert.org/vuls/byid?searchview&query=QuickTime_7.1>
* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/>
* About the security content of the QuickTime 7.1 Update -
<http://docs.info.apple.com/article.html?artnum=303752>
* Apple QuickTime 7.1 -
<http://www.apple.com/support/downloads/quicktime71.html>
* Standalone Apple QuickTime Player -
<http://www.apple.com/quicktime/download/standalone.html>
* Mac OS X: Updating your software -
<http://docs.info.apple.com/article.html?artnum=106704>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-132B.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA06-132B Feedback VU#289705" in the subject.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization. Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
May 12, 2006: Initial release