SecurityTracker.com Archives - QuickTime Movie File External URL Bug Lets Remote Users Obtain Information

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

Home | View Topics | Search | Contact Us | Help |

SecurityTracker
Archives

Click to Sign Up

Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Sign Up!

Category: Application (Multimedia) > QuickTime

Vendors: Apple Computer

QuickTime Movie File External URL Bug Lets Remote Users Obtain Information

SecurityTracker Alert ID: 1019758

SecurityTracker URL: http://securitytracker.com/id?1019758

CVE Reference: CVE-2008-1014 (Links to External Site)

Date: Apr 3 2008

Impact: Disclosure of system information, Disclosure of user information

Fix Available: Yes Vendor Confirmed: Yes

Advisory: Apple Security Advisory

Version(s): prior to 7.4.5

Description: A vulnerability was reported in QuickTime in the processing of movie files. A remote user can obtain information from the target user's system.

A remote user can create a specially crafted QuickTime movie file that, when loaded by the target user, will open external URLs. A remote user may be able to exploit this to obtain information from the target user's system.

Jorge Escala of Open Tech Solutions and Vinoo Thomas and Rahul Mohandas of McAfee Avert Labs reported this vulnerability.

Impact: A remote user can obtain information from the target user's system.

Solution: The vendor has issued a fixed version (7.4.5), available from the Software Update application, or from the Apple Downloads site at:

http://www.apple.com/support/downloa ds/

For Mac OS X v10.5 or later
The download file is named: "QuickTime745Leopard.dmg"
Its SHA-1 digest is: 764ec0031f18ef999a95c6b20f417f8d2c05a10f

For Mac OS X v10.4.9 through Mac OS X v10.4.11
The download file is named: "QuickTime745Tiger.dmg"
Its SHA-1 digest is: 60c9b3e205e4995324dc53b2a4500318fc994e6b

For Mac OS X v10.3.9
The download file is named: "QuickTime745Panther.dmg"
Its SHA-1 digest is: 2b3230fbb4dcd1436bf8856b87281915a654f821

For Windows Vista / XP SP2
The download file is named: "QuickTimeInstaller.exe"
Its SHA-1 digest is: 4e507f48610f9a65be18b2c37ceead18da2d4c03

QuickTime with iTunes for Windows XP or Vista
The download file is named: "iTunesSetup.exe"
Its SHA-1 digest is: ff2a3c234d164f30f8b1d05297a49a55f3f4e8c0

The vendor's advisory is available at:

http://support.apple.com/kb/HT1232

Vendor URL: support.apple.com/kb/HT1232 (Links to External Site)

Cause: Access control error

Underlying OS: UNIX (OS X), Windows (Vista), Windows (XP)

Reported By: Apple Product Security <product-security-noreply@lists.apple.com>

Message History: None.

Source Message Contents

 

[Original Message Not Available for Viewing]

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us | Help
Copyright 2007, SecurityGlobal.net LLC