US-CERT Technical Cyber Security Alert TA07-193A -- Apple Releases Security Updates for QuickTime


 





                        National Cyber Alert System

		Technical Cyber Security Alert TA07-193A


Apple Releases Security Updates for QuickTime

   Original release date: July 12, 2007
   Last revised: --
   Source: US-CERT


Systems Affected

   Apple QuickTime on systems running

   * Apple Mac OS X
   * Microsoft Windows


Overview

   Apple QuickTime contains multiple vulnerabilities. Exploitation of
   these vulnerabilities could allow a remote attacker to execute
   arbitrary code or cause a denial-of-service condition.


I. Description

   Apple QuickTime 7.2 resolves multiple vulnerabilities in the way
   Java applets and various types of media files are handled. An
   attacker could exploit these vulnerabilities by convincing a user
   to access a specially crafted Java applet or media file with a
   vulnerable version of QuickTime. Since QuickTime configures most
   web browsers to handle QuickTime media files, an attacker could
   exploit these vulnerabilities using a web page.

   Note that QuickTime ships with Apple iTunes.

   For more information, please refer to the Vulnerability Notes
   Database.


II. Impact

   These vulnerabilities could allow a remote, unauthenticated
   attacker to execute arbitrary code or commands and cause a
   denial-of-service condition. For further information, please see
   the Vulnerability Notes Database.


III. Solution

Upgrade QuickTime

   Upgrade to QuickTime 7.2. This and other updates for Mac OS X are
   available via Apple Update.

   On Microsoft Windows, QuickTime users can install the update by
   using the built-in auto-update mechanism, Apple Software Update, or
   by installing the update manually.
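
   The following is an added example, not part of the original alert:
   one way to triage a software inventory for hosts that still need
   the QuickTime 7.2 upgrade. The CSV layout, host names and versions
   are constructed, and treating versions above 7.2 as fixed is an
   assumption.

```python
# Added example: inventory triage for QuickTime < 7.2 (CSV layout and rows are constructed).
import csv
import io

FIXED = (7, 2)  # version the alert says resolves the issues; later ones assumed fixed

SAMPLE_INVENTORY = """\
host,os,product,version
ws-014,Windows XP,QuickTime,7.1.6
ws-022,Windows XP,QuickTime,7.2
mac-03,Mac OS X,QuickTime,7.1.5
mac-07,Mac OS X,QuickTime,7.2.0
ws-031,Windows Vista,QuickTime,7.10
ws-040,Windows XP,QuickTime,unknown
ws-041,Windows XP,iTunes,7.3
"""

def parse_version(text):
    """Return a tuple of ints, or None if the string is not dotted-numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def is_fixed(version):
    """Compare numerically, padding so 7.2 == 7.2.0 and 7.10 > 7.2."""
    width = max(len(version), len(FIXED))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) >= pad(FIXED)

def triage(inventory_csv):
    """Return (needs_update, needs_review) lists of host names."""
    needs_update, needs_review = [], []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        product = row["product"].strip().lower()
        if product == "itunes":
            # The alert notes QuickTime ships with iTunes: check the host by hand.
            needs_review.append(row["host"])
            continue
        if product != "quicktime":
            continue
        version = parse_version(row["version"])
        if version is None:
            needs_review.append(row["host"])
        elif not is_fixed(version):
            needs_update.append(row["host"])
    return needs_update, needs_review

print(triage(SAMPLE_INVENTORY))
```

   Comparing versions as integer tuples avoids the string-comparison
   mistake of ranking "7.10" below "7.2".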

Disable QuickTime in your web browser

   An attacker may be able to exploit some of these vulnerabilities by
   persuading a user to access a specially crafted media file with a
   web browser. Disabling QuickTime in your web browser may defend
   against this attack vector. For more information, refer to the
   Securing Your Web Browser document.

Disable Java in your web browser

   An attacker may be able to exploit some of these vulnerabilities by
   persuading a user to access a specially crafted Java applet with a
   web browser. Disabling Java in your web browser may defend against
   this attack vector. Instructions for disabling Java can be found in
   the Securing Your Web Browser document.


References

   * Vulnerability Notes for QuickTime 7.2 -
     <http://www.kb.cert.org/vuls/byid?searchview&query=QuickTime_72>

   * About the security content of the QuickTime 7.2 Update -
     <http://docs.info.apple.com/article.html?artnum=305947>

   * How to tell if Software Update for Windows is working correctly when no updates are available -
     <http://docs.info.apple.com/article.html?artnum=304263>

   * Apple QuickTime 7.2 for Windows -
     <http://www.apple.com/support/downloads/quicktime72forwindows.html>

   * Apple QuickTime 7.2 for Mac -
     <http://www.apple.com/support/downloads/quicktime72formac.html>

   * Standalone Apple QuickTime Player -
     <http://www.apple.com/quicktime/download/standalone.html>

   * Mac OS X: Updating your software -
     <http://docs.info.apple.com/article.html?artnum=106704>

   * Securing Your Web Browser -
     <http://www.us-cert.gov/reading_room/securing_browser/>
    

 ____________________________________________________________________

   The most recent version of this document can be found at:

     <http://www.us-cert.gov/cas/techalerts/TA07-193A.html>
 ____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to <cert@xxxxxxxx> with "TA07-193A Feedback VU#582681" in the
   subject.
 ____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
 ____________________________________________________________________

   Produced 2007 by US-CERT, a government organization.

   Terms of use:

     <http://www.us-cert.gov/legal.html>
 ____________________________________________________________________


Revision History

   Thursday July 12, 2007: Initial release




