SecurityTracker.com
Category:   Application (Multimedia)  >   Apple QuickTime
Vendors:   Apple
QuickTime Quartz Composer Composition Bug Lets Remote Users Obtain Information from the Target User's System
SecurityTracker Alert ID:  1017402
SecurityTracker URL:  http://securitytracker.com/id/1017402
CVE Reference:   CVE-2006-5681
Date:  Dec 19 2006
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   A vulnerability was reported in QuickTime. A remote user can obtain information from the target user's system.

A remote user can create a specially crafted Java applet that, when loaded by the target user's QuickTime application, can access information from the target user's system that is contained in images. The vulnerability occurs when QuickTime is used in conjunction with Quartz Composer.

Systems prior to Mac OS X v10.4 are not affected.

Windows-based systems are not affected.

Geoff Beier reported this vulnerability.

Impact:   A remote user can obtain information from the target user's system.
Solution:   The vendor has issued a fix as part of Security Update 2006-008, available from the Software Update pane in System Preferences, or Apple's Software Downloads web site at:

http://www.apple.com/support/downloads/

For Mac OS X v10.4.8 (PowerPC)
The download file is named: "SecUpd2006-008Ti.dmg"
Its SHA-1 digest is: 32af5ee777a3672117db7b6e9d5c96884c7b6bde

For Mac OS X v10.4.8 (Intel)
The download file is named: "SecUpd2006-008Univ.dmg"
Its SHA-1 digest is: 08f2353b65540d94abf6a0b905442af825318409

Vendor URL:  docs.info.apple.com/article.html?artnum=61798
Cause:   Access control error
Underlying OS:  UNIX (macOS/OS X)

Message History:   None.


 Source Message Contents

Subject:  APPLE-SA-2006-12-19 Security Update 2006-008

APPLE-SA-2006-12-19 Security Update 2006-008

Security Update 2006-008 is now available and provides a fix for the
following security issue:

QuickTime for Java
Quartz Composer
CVE-ID: CVE-2006-5681
Available for: Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: Visiting a malicious web site may lead to information
disclosure
Description: Java applets may use QuickTime for Java to obtain
the images rendered on screen by embedded QuickTime objects and
upload them to the originating web site. When this facility is
used in conjunction with Quartz Composer, it becomes possible to
capture images that may contain local information. This update
addresses the issue by disallowing Quartz Composer compositions
in unsigned Java applets. Quartz Composer compositions continue
to function locally. Applications and signed Java applets that
utilize QuickTime and QuickTime for Java are unaffected. This
issue does not affect systems prior to Mac OS X v10.4. It also
does not affect the Windows platform. Credit to Geoff Beier for
reporting this issue.

Security Update 2006-008 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For Mac OS X v10.4.8 (PowerPC)
The download file is named: "SecUpd2006-008Ti.dmg"
Its SHA-1 digest is: 32af5ee777a3672117db7b6e9d5c96884c7b6bde

For Mac OS X v10.4.8 (Intel)
The download file is named: "SecUpd2006-008Univ.dmg"
Its SHA-1 digest is: 08f2353b65540d94abf6a0b905442af825318409

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/




Copyright 2019, SecurityGlobal.net LLC