Free Republic

Mac QuickTime 7.0.1: Security enhancements update available
http://docs.info.apple.com/article.html?artnum=301714 ^ | 5/31/2005 | Apple.com

Posted on 06/01/2005 1:08:57 AM PDT by Swordmaker

This document describes the security enhancements included with QuickTime 7.0.1, which can be downloaded and installed using Software Update, or from Apple Downloads.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How To Use The Apple Product Security PGP Key."

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see "Apple Security Updates."

QuickTime 7.0.1

QuickTime Quartz Composer Plugin
CVE-ID: CAN-2005-1334
Available for: QuickTime 7.0
Impact: With QuickTime 7.0, a QuickTime movie containing a maliciously crafted Quartz Composer object can leak data to an arbitrary web location.
Description: Quartz Composer objects can be wrapped in a QuickTime track and delivered as a QuickTime movie. With QuickTime 7.0, a Quartz Composer object can gather local data and send it using an encoded URL to an arbitrary web location. The QuickTime 7.0.1 update modifies the QuickTime Quartz Composer Plugin to prevent access to remote web locations. Credit to David Remahl (www.remahl.se/david) for reporting this issue.



TOPICS: Computers/Internet
KEYWORDS: apple; mac; osx; quicktime; security
This is a serious vulnerability... run Software Update under your Apple Menu to download and fix this vulnerability.
1 posted on 06/01/2005 1:08:58 AM PDT by Swordmaker

To: Bush2000; antiRepublicrat; Action-America; eno_; Glenn; bentfeather; BigFinn; byset; N3WBI3; ...
QuickTime 7 security update... All Mac users with QuickTime 7 installed should run Software Update immediately and install the patch.

If you want on or off the Mac Ping List, Freepmail me.

2 posted on 06/01/2005 1:10:27 AM PDT by Swordmaker (tagline now open, please ring bell.)

To: Swordmaker
Further research shows this is not as serious as it looks... the data that can be leaked is almost innocuous. He rates this vulnerability as between "Not Critical" and "Less Critical".

From the discoverer's web site:


Impact

The information that can be leaked by this method includes (but may not be limited to):

This information can be used for profiling of potential victims, for further use in attacks against the user's system or phishing-related social engineering.
3 posted on 06/01/2005 1:23:40 AM PDT by Swordmaker (tagline now open, please ring bell.)

To: Swordmaker

thanks!


4 posted on 06/01/2005 1:26:08 AM PDT by lainde

To: Swordmaker

Thanks for the heads-up. I'll go run my Update right now.


5 posted on 06/01/2005 6:52:19 AM PDT by Reborn

Comment #6 Removed by Moderator

To: Swordmaker
What I found interesting about this update was the QuickTime/iTunes interaction. After reboot, a window appears that contains, among other things, a list of movie trailers. If you click on one, the movie trailer launches in iTunes. A sign of things to come?
7 posted on 06/01/2005 2:43:36 PM PDT by AZLiberty (WikiWork -- The meme starts here.)
