From: US-CERT Technical Alerts [mailto:technical-alerts@us-cert.gov]
Sent: Wednesday, September 13, 2006 1:02 PM
To: technical-alerts@us-cert.gov
Subject: US-CERT Technical Cyber Security Alert TA06-256A -- Apple QuickTime Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA06-256A
Apple QuickTime Vulnerabilities
Original release date: September 13, 2006
Last revised: --
Source: US-CERT
Systems Affected
Apple QuickTime on systems running
* Apple Mac OS X
* Microsoft Windows
Overview
Apple QuickTime contains multiple vulnerabilities. Exploitation of
these vulnerabilities could allow a remote attacker to execute
arbitrary code or cause a denial-of-service condition.
I. Description
Apple QuickTime 7.1.3 resolves multiple vulnerabilities in the way
different types of image and media files are handled. An attacker
could exploit these vulnerabilities by convincing a user to access
a specially crafted image or media file with a vulnerable version
of QuickTime. Since QuickTime configures most web browsers to
handle QuickTime media files, an attacker could exploit these
vulnerabilities using a web page.
Note that QuickTime ships with Apple iTunes.
For more information, please refer to the Vulnerability Notes.
II. Impact
These vulnerabilities could allow a remote, unauthenticated
attacker to execute arbitrary code or commands and cause a
denial-of-service condition. For further information, please see
the Vulnerability Notes.
III. Solution
Upgrade QuickTime
Upgrade to QuickTime 7.1.3. This and other updates for Mac OS X are
available via Apple Update.
Disable QuickTime in your web browser
An attacker may be able to exploit this vulnerability by persuading
a user to access a specially crafted file with a web
browser. Disabling QuickTime in your web browser will defend
against this attack vector. For more information, refer to the
Securing Your Web Browser document.
References
* Vulnerability Notes for QuickTime 7.1.3 -
<http://www.kb.cert.org/vuls/byid?searchview&query=QuickTime_713>
* About the security content of the QuickTime 7.1.3 Update -
<http://docs.info.apple.com/article.html?artnum=304357>
* Apple QuickTime 7.1.3 -
<http://www.apple.com/support/downloads/quicktime713.html>
* Standalone Apple QuickTime Player -
<http://www.apple.com/quicktime/download/standalone.html>
* Mac OS X: Updating your software -
<http://docs.info.apple.com/article.html?artnum=106704>
* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-256A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-256A Feedback VU#540348" in the
subject.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
September 13, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRQg23exOF3G+ig+rAQK7LggAt0RUIz3jewgQYrRYp9bMDBkS61Bvh2OO
8Gp2H472UXA0ucElK/1hAXtPXU2Pmf/EjrCqSImO+srV4i0x5QIFJDo41HtbDo9s
FzQC/rmJ3YWl15L+uIjG0S1wxWwH5GyzQj4xaZCMdNLYEN7LVe31ETDsXJ3kEMMa
m19M4GLOXAFfmjyGgky4Nux0RJU1UE/0w9pZESOXg+7WXFY8skOZ8YfqBvunjqtE
pZa3LWoOcDtP/ORoEn7GY83v/uQqkX8uoAxwe9nuGXbyssvj7BQxDPvnwSWrXzUG
R59/r1NA4i/EtYNV1ONW2Pntqc5/vv0OGcs1JFM9tazV3aRbgHfCVg==
=nQVd
-----END PGP SIGNATURE-----
Sent: Wednesday, September 13, 2006 1:02 PM
To: technical-alerts@us-cert.gov
Subject: US-CERT Technical Cyber Security Alert TA06-256A -- Apple QuickTime Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA06-256A
Apple QuickTime Vulnerabilities
Original release date: September 13, 2006
Last revised: --
Source: US-CERT
Systems Affected
Apple QuickTime on systems running
* Apple Mac OS X
* Microsoft Windows
Overview
Apple QuickTime contains multiple vulnerabilities. Exploitation of
these vulnerabilities could allow a remote attacker to execute
arbitrary code or cause a denial-of-service condition.
I. Description
Apple QuickTime 7.1.3 resolves multiple vulnerabilities in the way
different types of image and media files are handled. An attacker
could exploit these vulnerabilities by convincing a user to access
a specially crafted image or media file with a vulnerable version
of QuickTime. Since QuickTime configures most web browsers to
handle QuickTime media files, an attacker could exploit these
vulnerabilities using a web page.
Note that QuickTime ships with Apple iTunes.
For more information, please refer to the Vulnerability Notes.
II. Impact
These vulnerabilities could allow a remote, unauthenticated
attacker to execute arbitrary code or commands and cause a
denial-of-service condition. For further information, please see
the Vulnerability Notes.
III. Solution
Upgrade QuickTime
Upgrade to QuickTime 7.1.3. This and other updates for Mac OS X are
available via Apple Update.
Disable QuickTime in your web browser
An attacker may be able to exploit this vulnerability by persuading
a user to access a specially crafted file with a web
browser. Disabling QuickTime in your web browser will defend
against this attack vector. For more information, refer to the
Securing Your Web Browser document.
References
* Vulnerability Notes for QuickTime 7.1.3 -
<http://www.kb.cert.org/vuls/byid?searchview&query=QuickTime_713>
* About the security content of the QuickTime 7.1.3 Update -
<http://docs.info.apple.com/article.html?artnum=304357>
* Apple QuickTime 7.1.3 -
<http://www.apple.com/support/downloads/quicktime713.html>
* Standalone Apple QuickTime Player -
<http://www.apple.com/quicktime/download/standalone.html>
* Mac OS X: Updating your software -
<http://docs.info.apple.com/article.html?artnum=106704>
* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-256A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-256A Feedback VU#540348" in the
subject.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
September 13, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRQg23exOF3G+ig+rAQK7LggAt0RUIz3jewgQYrRYp9bMDBkS61Bvh2OO
8Gp2H472UXA0ucElK/1hAXtPXU2Pmf/EjrCqSImO+srV4i0x5QIFJDo41HtbDo9s
FzQC/rmJ3YWl15L+uIjG0S1wxWwH5GyzQj4xaZCMdNLYEN7LVe31ETDsXJ3kEMMa
m19M4GLOXAFfmjyGgky4Nux0RJU1UE/0w9pZESOXg+7WXFY8skOZ8YfqBvunjqtE
pZa3LWoOcDtP/ORoEn7GY83v/uQqkX8uoAxwe9nuGXbyssvj7BQxDPvnwSWrXzUG
R59/r1NA4i/EtYNV1ONW2Pntqc5/vv0OGcs1JFM9tazV3aRbgHfCVg==
=nQVd
-----END PGP SIGNATURE-----