Apple QuickTime Quartz Composer File Information Disclosure Vulnerability
BID:13603
Info
Apple QuickTime Quartz Composer File Information Disclosure Vulnerability
| Bugtraq ID: | 13603 |
| Class: | Design Error |
| CVE: |
CVE-2005-1334 |
| Remote: | Yes |
| Local: | No |
| Published: | May 12 2005 12:00AM |
| Updated: | Jul 12 2009 02:56PM |
| Credit: | Discovery is credited to David Remahl <[email protected]>. |
| Vulnerable: |
Apple QuickTime Player 7.0 |
| Not Vulnerable: |
Apple QuickTime Player 7.0.1 |
Discussion
Apple QuickTime Quartz Composer File Information Disclosure Vulnerability
It has been reported that QuickTime is affected by a vulnerability that may allow remote attackers to disclose sensitive information. Specifically, this vulnerability can be exploited through the QuickTime Web plugin.
The issue arises when a malformed Quartz Composer file embedded in a QuickTime Video Clip file (.mov) is handled by the application.
This may aid in other attacks against the affected computer.
QuickTime 7 is reportedly affected by this issue.
It has been reported that QuickTime is affected by a vulnerability that may allow remote attackers to disclose sensitive information. Specifically, this vulnerability can be exploited through the QuickTime Web plugin.
The issue arises when a malformed Quartz Composer file embedded in a QuickTime Video Clip file (.mov) is handled by the application.
This may aid in other attacks against the affected computer.
QuickTime 7 is reportedly affected by this issue.
Exploit / POC
Apple QuickTime Quartz Composer File Information Disclosure Vulnerability
A proof of concept is available from the following location:
http://remahl.se/david/vuln/018/demo.html
A proof of concept is available from the following location:
http://remahl.se/david/vuln/018/demo.html
Solution / Fix
Apple QuickTime Quartz Composer File Information Disclosure Vulnerability
Solution:
Apple has released an advisory (APPLE-SA-2005-05-31) and an upgrade to address this issue.
Apple QuickTime Player 7.0
Solution:
Apple has released an advisory (APPLE-SA-2005-05-31) and an upgrade to address this issue.
Apple QuickTime Player 7.0
-
Apple QuickTime 7.0.1
http://www.apple.com/quicktime/download/mac.html
References
Apple QuickTime Quartz Composer File Information Disclosure Vulnerability
References:
References:
- Apple QuickTime Homepage (Apple)
- Quartz Composer / QuickTime 7 information leakage (David Remahl)
- Quartz Composer / QuickTime 7 information leakage (David Remahl
) - QuickTime 7.0.1: Security enhancements (Apple)
- Quartz Composer / QuickTime 7 information leakage (David Remahl
)