Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Title Apple QuickTime remote command execution vulnerability
Name VU#751808 First vendor Publication 2007-09-13
Vendor VU-CERT Last vendor Modification 2007-10-04
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score 9.3 Attack Range Network
Cvss Impact Score 10 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores


Vulnerability Note VU#751808

Apple QuickTime remote command execution vulnerability


Apple QuickTime contains a vulnerability that may allow an attacker to pass arbitrary commands to other applications.

I. Description

Apple QuickTime is a media player that is available for Microsoft Windows and Apple OS X. Apple QuickTime includes browser plugins for Internet Explorer, Safari, and Netscape-compatible browsers.

QuickTime includes the ability for developers to control how QuickTime movies are launched, what controls are displayed to the user, and other actions. To specify these parameters, developers can create QuickTime link (.qtl) files. QuickTime link files can be embedded in web pages and launched automatically when a user visits a website.

The qtnext parameter can be used in QuickTime link files to specify the url of a multimedia file to load and play. The multimedia file may be hosted on a web page or stored locally.

Apple QuickTime incorrectly determines the command line used to launch the default web browser on Microsoft Windows systems. Rather than using the ShellExecute method, QuickTime determines the default handler for .HTM files and then crafts its own command line for the registered application. Any protective flags in the registered file handler are stripped out by QuickTime.

Current proof-of-concept code targets systems where Mozilla Firefox is the default handler for .HTM files. Other applications are also affected by this vulnerability, although the impact may vary based on what command line parameters the application accepts.

II. Impact

By convincing a user to open a specially crafted QuickTime file, a remote, unauthenticated attacker may be able execute arbitrary commands on a vulnerable system.

III. Solution

Apple has released an update to address this issue. Mozilla has released Firefox which reduces the impact of this vulnerability.

Restrict access to QuickTime Movies

Until updates can be applied, the following workarounds may mitigate this vulnerability. Some web sites may allow anonymous users to upload QuickTime movies that exploit this vulnerability.

    Workarounds for users
  • Mozilla has released Firefox which may prevent exploitation of this vulnerability by removing Firefox's ability to run arbitrary scripts which are provided by command line arguments. Users are encouraged to upgrade as soon as possible.
  • Using the NoScript Firefox extension to whitelist web sites that can run scripts and access installed plugins will mitigate this vulnerability. See the NoScript FAQ for more information.
  • Running Firefox with a limited user account may prevent an attacker from accessing or overwriting files that the limited user account does not have write access to.

    Workarounds for administrators
  • Proxy servers or intrusion prevention systems may be able to filter QuickTime files and partially mitigate this vulnerability. Note that this workaround is not likely to mitigate or stop all attack vectors.

Systems Affected

VendorStatusDate Updated
Apple Computer, Inc.Vulnerable4-Oct-2007




This vulnerability was disclosed by pdp on the GNUCITIZEN website.

This document was written by Ryan Giobbi and Will Dormann.

Other Information

Date Public09/12/2007
Date First Published09/13/2007 05:00:24 PM
Date Last Updated10/04/2007
CERT Advisory 
CVE NameCVE-2007-4673
Document Revision51

Original Source

Url : http://www.kb.cert.org/vuls/id/751808

CWE : Common Weakness Enumeration

% Id Name
50 % CWE-94 Failure to Control Generation of Code ('Code Injection')
50 % CWE-78 Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') (CWE/SANS Top 25)

CPE : Common Platform Enumeration

Application 3

OpenVAS Exploits

Date Description
2009-10-10 Name : SLES9: Security update for Mozilla
File : nvt/sles9p5018527.nasl
2009-01-28 Name : SuSE Update for MozillaFirefox,mozilla,seamonkey SUSE-SA:2007:057
File : nvt/gb_suse_2007_057.nasl
2008-09-04 Name : FreeBSD Ports: firefox
File : nvt/freebsd_firefox28.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
40434 Apple Quicktime for Windows Crafted QTL File qtnext Field Remote Command Exec...

29064 Apple QuickTime Plug-In .qtl File qtnext Field XCS

Snort® IPS/IDS

Date Description
2014-01-10 Apple QuickTime Movie link file URI security bypass attempt
RuleID : 9430 - Revision : 14 - Type : FILE-MULTIMEDIA
2014-01-10 Apple QuickTime Movie link scripting security bypass attempt
RuleID : 9429 - Revision : 9 - Type : FILE-MULTIMEDIA
2014-01-10 Apple Quicktime Plug-In Security Bypass
RuleID : 17290 - Revision : 7 - Type : WEB-CLIENT

Nessus® Vulnerability Scanner

Date Description
2007-12-13 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_MozillaFirefox-4570.nasl - Type : ACT_GATHER_INFO
2007-10-26 Name : The remote openSUSE host is missing a security update.
File : suse_seamonkey-4596.nasl - Type : ACT_GATHER_INFO
2007-10-25 Name : The remote openSUSE host is missing a security update.
File : suse_seamonkey-4594.nasl - Type : ACT_GATHER_INFO
2007-10-24 Name : The remote openSUSE host is missing a security update.
File : suse_MozillaFirefox-4572.nasl - Type : ACT_GATHER_INFO
2007-10-24 Name : The remote openSUSE host is missing a security update.
File : suse_MozillaFirefox-4574.nasl - Type : ACT_GATHER_INFO
2007-10-04 Name : The remote Windows host contains an application that allows remote code execu...
File : quicktime_72_secupd.nasl - Type : ACT_GATHER_INFO
2007-09-24 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_3ce8c7e266cf11dcb25f02e0185f8d72.nasl - Type : ACT_GATHER_INFO
2007-09-20 Name : The remote Windows host contains a web browser that may allow arbitrary code ...
File : mozilla_firefox_2007.nasl - Type : ACT_GATHER_INFO
2007-03-06 Name : The remote Windows host contains an application that is prone to multiple att...
File : quicktime_715.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
Date Informations
2013-05-11 12:26:43
  • Multiple Updates