SecurityTracker.com
Category:  Application (Multimedia)  >  QuickTime
Vendors:  Apple Computer
Apple QuickTime Bug Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1010010
CVE Reference:  CAN-2004-0431
Date:  May 1 2004
Impact:  Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 6.5.1
Description:  A vulnerability was reported in Apple QuickTime. A remote user can create a specially crafted movie file to execute arbitrary code on the target system.

The vendor reported that a remote user can create a specially crafted '.mov' movie file that, when loaded by the target user, will cause the target user's QuickTime player to terminate.

Apple credits eEye Digital Security with reporting this flaw.

eEye Digital Security reports that the movie file can cause arbitrary code execution, but interestingly, Apple did not report this.

Impact:  A remote user can create a movie file that, when loaded by the target user, will cause the target user's QuickTime player to crash.

[Editor's note: The Apple advisory does not indicate that arbitrary code execution is possible; however, eEye Digital Security says that arbitrary code execution is possible.]

Solution:  The vendor has issued a fixed version (6.5.1), available at:

http://www.apple.com/quicktime/download/

Vendor URL:  www.apple.com/quicktime/
Cause:  Not specified
Underlying OS:  Windows (Any)
Reported By:  Apple Product Security <product-security@apple.com>
Message History:   None.


 Source Message Contents

Date:  Fri, 30 Apr 2004 16:07:57 -0700
From:  Apple Product Security <product-security@apple.com>
Subject:  APPLE-SA-2004-04-30 QuickTime 6.5.1

 

APPLE-SA-2004-04-30 QuickTime 6.5.1

QuickTime 6.5.1 is available, and fixes CAN-2004-0431 where playing a
malformed .mov (movie) file could cause QuickTime to terminate.
Credit to eEye Digital Security http://www.eEye.com for reporting this
issue.

QuickTime 6.5.1 is available via:

   http://www.apple.com/quicktime/download/
   
   - or -
   
   "Update Existing Software" menu item in QuickTime Player
   
   - or -
   
   Software Update pane in System Preferences


Information will also be posted to the Apple Product Security web
site:
http://www.apple.com/support/security/security_updates.html

This message is signed with Apple's Product Security PGP key, and
details are available at:
http://www.apple.com/support/security/security_pgp.html

Copyright 2004, SecurityGlobal.net LLC