M
MEB
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA08-162C
Apple Quicktime Updates for Multiple Vulnerabilities
Original release date: June 10, 2008
Last revised: --
Source: US-CERT
Systems Affected
* Apple Mac OS X running versions of QuickTime prior to 7.5
* Microsoft Windows running versions of QuickTime prior to 7.5
Overview
Apple QuickTime contains multiple vulnerabilities as described in the
Apple
Knowledgebase article HT1991. Exploitation of these vulnerabilities could
allow a remote attacker to execute arbitrary code or cause a
denial-of-service condition.
I. Description
Apple QuickTime prior to version 7.5 has multiple image and media file
handling vulnerabilities. An attacker could exploit these vulnerabilities
by
convincing a user to access a specially crafted image or media file that
could be hosted on a web page. Apple QuickTime 7.5 addresses these
vulnerabilities.
Note that Apple iTunes for Windows installs QuickTime, so any system with
iTunes may be vulnerable.
II. Impact
These vulnerabilities could allow a remote, unauthenticated attacker to
execute arbitrary code or cause a denial-of-service condition. For
further
information, please see Apple knowledgebase article HT1991 about the
security content of QuickTime 7.5
III. Solution
Upgrade QuickTime
Upgrade to QuickTime 7.5. This and other updates for Mac OS X are
available
via Apple Update.
Secure your web browser
To help mitigate these and other vulnerabilities that can be exploited
via a
web browser, refer to Securing Your Web Browser.
IV. References
* About the security content of the QuickTime 7.5 Update -
<http://support.apple.com/kb/HT1991>
* How to tell if Software Update for Windows is working correctly when
no
updates are available -
<http://docs.info.apple.com/article.html?artnum=304263>
* Apple - QuickTime - Download -
<http://www.apple.com/quicktime/download/>
* Mac OS X: Updating your software -
<http://docs.info.apple.com/article.html?artnum=106704>
* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/>
* US-CERT Vulnerability Notes for QuickTime 7.5 -
<http://www.kb.cert.org/vuls/byid?searchview&query=apple_quicktime_7.5>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA08-162C.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA08-162C Feedback VU#132419" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2008 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
June 10, 2008: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBSE7bhHIHljM+H4irAQKGtQf/bW1M/gN6V35MDqIGFK3PbaIXBqnhtFws
xPl6zNdWmYVCHid6u0aZ+UYE+AESK3Qw3DdiwLRr3X9R4hoGmRUGiedv4h0owQTb
Rij3K5simf2vbNBsVopFNeVnokOowkcRYUk/n0QnGn5FUnwDeKutrMwXQ94As/Y3
8z/VsKpwqjScHgedT6Hv67f8E6kSma4BBcK2NlRC9VMTWN2oUD7MDI/BSp5kcqaM
TJfBJzqsWUywWRP3Bi8PYOLYbmC5Qj7nirl0lzCjJdNiS/GKUnT4LezHTlVhVOv5
FTnkO25morpDQph2+oBi6o+lCOBu6G6RtfQ7u15CGDCeZyme2B79eg==
=e01A
-----END PGP SIGNATURE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA08-162C
Apple Quicktime Updates for Multiple Vulnerabilities
Original release date: June 10, 2008
Last revised: --
Source: US-CERT
Systems Affected
* Apple Mac OS X running versions of QuickTime prior to 7.5
* Microsoft Windows running versions of QuickTime prior to 7.5
Overview
Apple QuickTime contains multiple vulnerabilities as described in the
Apple
Knowledgebase article HT1991. Exploitation of these vulnerabilities could
allow a remote attacker to execute arbitrary code or cause a
denial-of-service condition.
I. Description
Apple QuickTime prior to version 7.5 has multiple image and media file
handling vulnerabilities. An attacker could exploit these vulnerabilities
by
convincing a user to access a specially crafted image or media file that
could be hosted on a web page. Apple QuickTime 7.5 addresses these
vulnerabilities.
Note that Apple iTunes for Windows installs QuickTime, so any system with
iTunes may be vulnerable.
II. Impact
These vulnerabilities could allow a remote, unauthenticated attacker to
execute arbitrary code or cause a denial-of-service condition. For
further
information, please see Apple knowledgebase article HT1991 about the
security content of QuickTime 7.5
III. Solution
Upgrade QuickTime
Upgrade to QuickTime 7.5. This and other updates for Mac OS X are
available
via Apple Update.
Secure your web browser
To help mitigate these and other vulnerabilities that can be exploited
via a
web browser, refer to Securing Your Web Browser.
IV. References
* About the security content of the QuickTime 7.5 Update -
<http://support.apple.com/kb/HT1991>
* How to tell if Software Update for Windows is working correctly when
no
updates are available -
<http://docs.info.apple.com/article.html?artnum=304263>
* Apple - QuickTime - Download -
<http://www.apple.com/quicktime/download/>
* Mac OS X: Updating your software -
<http://docs.info.apple.com/article.html?artnum=106704>
* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/>
* US-CERT Vulnerability Notes for QuickTime 7.5 -
<http://www.kb.cert.org/vuls/byid?searchview&query=apple_quicktime_7.5>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA08-162C.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA08-162C Feedback VU#132419" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2008 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
June 10, 2008: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBSE7bhHIHljM+H4irAQKGtQf/bW1M/gN6V35MDqIGFK3PbaIXBqnhtFws
xPl6zNdWmYVCHid6u0aZ+UYE+AESK3Qw3DdiwLRr3X9R4hoGmRUGiedv4h0owQTb
Rij3K5simf2vbNBsVopFNeVnokOowkcRYUk/n0QnGn5FUnwDeKutrMwXQ94As/Y3
8z/VsKpwqjScHgedT6Hv67f8E6kSma4BBcK2NlRC9VMTWN2oUD7MDI/BSp5kcqaM
TJfBJzqsWUywWRP3Bi8PYOLYbmC5Qj7nirl0lzCjJdNiS/GKUnT4LezHTlVhVOv5
FTnkO25morpDQph2+oBi6o+lCOBu6G6RtfQ7u15CGDCeZyme2B79eg==
=e01A
-----END PGP SIGNATURE-----