Severity: High
5 November, 2007
Summary:
Apple just released an update that fixes seven vulnerabilities in Quicktime for Windows and OS X. By enticing one of your users into running a maliciously crafted Quicktime file, an attacker could exploit any one of these vulnerabilities to execute code on your user’s computer, possibly gaining control of it. If you allow Quicktime or iTunes in your network (or suspect that users have installed them), you should have users either remove the applications or install Apple’s Quicktime 7.3 update as soon as possible..
Exposure:
Today, Apple released an alert fixing seven previously unpatched security vulnerabilities in their popular media player application, Quicktime. Current versions of iTunes also ship with Quicktime. If your users have iTunes, they most likely have Quicktime. These applications run on Windows and Macintosh computers, and both platforms are susceptible to exploitation of these security flaws. Apple’s alert specifies Vista and XP SP2 as the vulnerable versions of Windows.
Severity: High
5 November, 2007
Summary:
Apple just released an update that fixes seven vulnerabilities in Quicktime for Windows and OS X. By enticing one of your users into running a maliciously crafted Quicktime file, an attacker could exploit any one of these vulnerabilities to execute code on your user’s computer, possibly gaining control of it. If you allow Quicktime or iTunes in your network (or suspect that users have installed them), you should have users either remove the applications or install Apple’s Quicktime 7.3 update as soon as possible..
Exposure:
Today, Apple released an alert fixing seven previously unpatched security vulnerabilities in their popular media player application, Quicktime. Current versions of iTunes also ship with Quicktime. If your users have iTunes, they most likely have Quicktime. These applications run on Windows and Macintosh computers, and both platforms are susceptible to exploitation of these security flaws. Apple’s alert specifies Vista and XP SP2 as the vulnerable versions of Windows.
Six of the vulnerabilities relate to different processes in Quicktime (for example, how it opens a picture file, how it displays movie files, how it interprets file descriptors, and so on), but the flaws share a similar result if successfully exploited. If an attacker can get one of your users to open a maliciously crafted file, any of the flaws could be triggered, allowing the attacker to execute his code on your user’s computer, with the same privileges and permissions your user has. If your users have local administrative privileges, the attacker could gain complete control of their machines.
The seventh flaw allows an attacker to exploit a flaw in Quicktime for Java to elevate his privileges in ways that could inappropriately disclose sensitive information.
Solution Path:
Apple has released an update for Quicktime (version 7.3 or later) that corrects the flaws. If you allow (or suspect that users have installed) Quicktime or iTunes in your network, we recommend that users either remove the applications or install the upgrade.
The latest versions of Quicktime and iTunes for Windows ship with Apple Software Update. Apple Software Update automatically detects updates such as this one for Quicktime, then informs you, so that you can install the update as soon as possible. If you choose to allow Quicktime or iTunes in your network, we recommend you set Apple Software Update to check for new updates daily and allow it to assist you in keeping your Apple software current.
Note: By default, Apple ships Quicktime combined with iTunes. If you do not want iTunes, download the standalone version of Quicktime.
For All Users:
These attacks rely on one of your users downloading and opening any of several different file types, ranging from audio and video to graphic images. Most of these file formats have legitimate business uses and should not be blocked in their entirety at your firewall. Unless you want to block all the media types that Quicktime supports, you should insist that users either remove Quicktime and iTunes, or install Apple’s Quicktime update as soon as possible.
Status:
Apple released Quicktime 7.3, which fixes this issue.