Executive Summary

Title: Apple Quicktime Updates for Multiple Vulnerabilities
Name: TA08-162C
First vendor Publication: 2008-06-10
Vendor: US-CERT
Last vendor Modification: 2008-06-10
Severity (Vendor): N/A
Revision: N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact SubScore: NA
Temporal Score: NA
Exploitability Sub Score: NA

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Cvss Base Score: 6.8
Cvss Impact Score: 6.4
Cvss Exploit Score: 8.6
Attack Range: Network
Attack Complexity: Medium
Authentication: None Required


Apple QuickTime contains multiple vulnerabilities as described in the Apple Knowledgebase article HT1991. Exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code or cause a denial-of-service condition.

I. Description

Apple QuickTime prior to version 7.5 has multiple image and media file handling vulnerabilities. An attacker could exploit these vulnerabilities by convincing a user to access a specially crafted image or media file that could be hosted on a web page. Apple QuickTime 7.5 addresses these vulnerabilities.

Note that Apple iTunes for Windows installs QuickTime, so any system with iTunes may be vulnerable.

II. Impact

These vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial-of-service condition. For further information, please see Apple Knowledgebase article HT1991 about the security content of QuickTime 7.5.

III. Solution

Upgrade QuickTime

Upgrade to QuickTime 7.5. This and other updates for Mac OS X are available via Apple Update.

Secure your web browser

To help mitigate these and other vulnerabilities that can be exploited via a web browser, refer to Securing Your Web Browser.

Original Source

Url : http://www.us-cert.gov/cas/techalerts/TA08-162C.html

CWE : Common Weakness Enumeration

% Id Name
60 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
20 % CWE-399 Resource Management Errors
20 % CWE-20 Improper Input Validation

CPE : Common Platform Enumeration

Application 208

OpenVAS Exploits

Date Description
2008-09-26 Name : Apple QuickTime Multiple Arbitrary Code Execution Vulnerabilities (Win)
File : nvt/gb_apple_quicktime_mult_vuln_win.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
46073 Apple QuickTime Embedded SMIL Text qt:next Attribute Arbitrary File Execution

46072 Apple QuickTime Indeo.qtx Indeo Video Codec File Handling Overflow

46071 Apple QuickTime PICT File Handling Overflow

46070 Apple QuickTime AAC-encoded Media Content Handling Memory Corruption

46069 Apple QuickTime PICT PixData Structure Packed Scanlines Handling Overflow

Snort® IPS/IDS

Date Description
2014-01-10 Apple QuickTime SMIL qtnext redirect file execution attempt
RuleID : 15487 - Revision : 11 - Type : FILE-MULTIMEDIA

Nessus® Vulnerability Scanner

Date Description
2008-06-10 Name : The remote Mac OS X host contains an application that is affected by multiple...
File : macosx_Quicktime75.nasl - Type : ACT_GATHER_INFO
2008-06-10 Name : The remote Windows host contains an application that is affected by multiple ...
File : quicktime_75.nasl - Type : ACT_GATHER_INFO