U.S. Flag Official website of the Department of Homeland Security

Note: This page is part of the us-cert.gov archive.This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact info@us-cert.gov if you have any questions about the US-CERT website archive.

TLP:WHITE

Alert (TA06-256A)

Apple QuickTime Vulnerabilties

Original release date: September 13, 2006

Systems Affected

Apple QuickTime on systems running
  • Apple Mac OS X
  • Microsoft Windows

Overview

Apple QuickTime contains multiple vulnerabilities. Exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code or cause a denial-of-service condition.

Description

Apple QuickTime 7.1.3 resolves multiple vulnerabilities in the way different types of image and media files are handled. An attacker could exploit these vulnerabilities by convincing a user to access a specially crafted image or media file with a vulnerable version of QuickTime. Since QuickTime configures most web browsers to handle QuickTime media files, an attacker could exploit these vulnerabilities using a web page.

Note that QuickTime ships with Apple iTunes.

For more information, please refer to the Vulnerability Notes.

Impact

These vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code or commands and cause a denial-of-service condition. For further information, please see the Vulnerability Notes.

Solution

Upgrade QuickTime

Upgrade to QuickTime 7.1.3. This and other updates for Mac OS X are available via Apple Update.

Disable QuickTime in your web browser

An attacker may be able to exploit this vulnerability by persuading a user to access a specially crafted file with a web browser. Disabling QuickTime in your web browser will defend against this attack vector. For more information, refer to the Securing Your Web Browser document.


References


Revision History

  • September 13, 2006: Initial release

This product is provided subject to this Notification and this Privacy & Use policy.

Was this document helpful?  Yes  |  Somewhat  |  No

Back to Top