CVSS2 Base Metrics

| Metric | Value |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | MEDIUM |
| Authentication | NONE |
| Confidentiality Impact | NONE |
| Integrity Impact | PARTIAL |
| Availability Impact | PARTIAL |
| Vector | AV:N/AC:M/Au:N/C:N/I:P/A:P |

EPSS Percentile: 94.0%
The Apple QuickTime player contains a heap buffer overflow vulnerability. This vulnerability may allow an attacker to execute arbitrary code or create a denial-of-service condition.
Apple QuickTime contains a heap buffer overflow vulnerability. This vulnerability may allow an attacker to execute arbitrary code with the privileges of the user running QuickTime. By convincing a user to open a specially crafted QuickTime movie file, an attacker can trigger the overflow.
Apple iTunes includes the QuickTime player.
Note that this vulnerability may be present in QuickTime versions prior to 7.1.5 running on Mac OS X and Microsoft Windows 2000, XP and Vista.
A remote, unauthenticated attacker can execute arbitrary code or create a denial-of-service condition. The crafted QuickTime movie file may be supplied on a web page, in an email for the victim to select, or by some other means designed to encourage them to invoke QuickTime on the exploit file.
Apple has released QuickTime 7.1.5 to address this issue.
Do not allow browsers to open QuickTime automatically
Until updates can be applied, do not allow your web browser to open files associated with QuickTime automatically. Consult your web browser's documentation or the references section of this document for more information.
Do not open multimedia files from untrusted sources
Do not open multimedia files that are from untrusted or unknown sources. For more information, please see Using Caution with Email Attachments.
Limit privileges
Running QuickTime with reduced privileges may help mitigate the effects of this vulnerability. Users with administrator access can run QuickTime with reduced privileges by following the instructions in Microsoft knowledgebase article 294676.
VU#880561
Updated: March 06, 2007
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
See <http://docs.info.apple.com/article.html?artnum=305149> for more details.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23880561 Feedback>).
Thanks to Apple for information that was used in this report. Apple in turn thanks Mike Price of McAfee AVERT Labs, Piotr Bania, and Artur Ogloza.
This document was written by Ryan Giobbi.
| Field | Value |
|---|---|
| CVE IDs | CVE-2007-0713 |
| Severity Metric | 6.64 |
| Date Public | |
References

docs.info.apple.com/article.html?artnum=305149
en.wikipedia.org/wiki/.mov
secunia.com/advisories/24359/
securitytracker.com/id?1017725
support.microsoft.com/default.aspx?scid=KB;EN-US;Q294676
www.apple.com/itunes/
www.apple.com/quicktime/download/
www.auscert.org.au/7356
www.cert.org/tech_tips/before_you_plug_in.html
www.ciac.org/ciac/bulletins/r-171.shtml
www.mozilla.org/support/firefox/faq
www.piotrbania.com/all/adv/quicktime-heap-adv-7.1.txt
www.securityfocus.com/bid/22827
www.securityfocus.com/bid/22843
www.us-cert.gov/cas/tips/ST04-010.html