About Security Update 2007-001
This document describes Security Update 2007-001, which can be downloaded and installed via Software Update preferences, or from Apple Downloads.
For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.
For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."
Where possible, CVE IDs are used to reference the vulnerabilities for further information.
To learn about other Security Updates, see "Apple Security Updates."
Security Update 2007-001
QuickTime
CVE-ID: CVE-2007-0015
Available for: QuickTime 7.1.3 on Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.8, Mac OS X Server v10.4.8, Windows XP/2000
Impact: Visiting malicious websites may lead to arbitrary code execution.
Description: A buffer overflow exists in QuickTime's handling of RTSP URLs. By enticing a user to access a maliciously-crafted RTSP URL, an attacker can trigger the buffer overflow, which may lead to arbitrary code execution. A QTL file that triggers this issue has been published on the Month of Apple Bugs web site (MOAB-01-01-2007). This update addresses the issue by performing additional validation of RTSP URLs.
Windows information
1. To verify that your version of QuickTime has been updated:
In Windows Explorer, navigate to the location of QuickTimePlayer.exe. Usually this is (C:\Program Files\QuickTime\).
Right click on QuickTimePlayer.exe, select Properties, then click the Versions tab.
If the QuickTime version is 7.1.3.191 or later, then the security update has been applied and you are finished. If the QuickTime version is earlier than 7.1.3.191, then go to step 2.
2. If Apple Software Update is not installed on your computer but QuickTime is, uninstall QuickTime:
To check if Apple Software Update is installed: From the Start menu, navigate to "All Programs." If "Apple Software Update" appears, then skip to step 3.
If Apple Software Update is not installed: From the Start menu, navigate to "All Programs," locate "QuickTime," then choose "Uninstall QuickTime."
3. Ensure that QuickTime 7.1.3 and Apple Software Update are installed on your system.
You can determine the QuickTime version as described above in step 1.
These may be installed by selecting the option labeled "QuickTime 7.1.3 with iTunes for Windows 2000/XP" or "QuickTime 7.1.3 for Windows 2000/XP".
Select the "Install Apple Software Update for Windows" option in either the QuickTime or iTunes installer.
4. Ensure that you have version 1.0.2 or later of Apple Software Update.
To check the version:
In Windows Explorer, navigate to the location of SoftwareUpdate.exe. Usually this would be (C:\Program Files\Apple Software Update\SoftwareUpdate.exe).
Right click on SoftwareUpdate.exe, select Properties, then click the Versions tab.
To update Apple Software Update to version 1.0.2 or later:
From the "Start" menu, navigate to "All Programs," select "Apple Software Update."
When Software Update runs, you will see Apple Software Update 1.0.2 or later.
Click the "Install 1 Item" button to install the latest version of Apple Software Update.
5. Install Security Update 2007-001 via the Apple Software Update application.
If Apple Software Update is not already running, you can open it from the Start menu under "All Programs." By default, it is installed at (C:\Program Files\Apple Software Update\SoftwareUpdate.exe).
Verify that the security patch has been applied by checking the QuickTime version as described in step 1.
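The version checks in steps 1 and 4 can also be scripted. The following PowerShell sketch is an added example, not part of Apple's original instructions: it reads the file version of each executable at the default paths given above and compares it with the minimum versions stated in this document. It assumes the file version resource matches what the Versions tab displays, and the function name Get-FileVersion is hypothetical.

```powershell
# Added example, not from Apple's document.
# Paths and minimum versions are the ones stated in the steps above.
# Minimums are written with four parts so [version] comparison is unambiguous.
$checks = @(
    @{ Name    = 'QuickTime'
       Path    = 'C:\Program Files\QuickTime\QuickTimePlayer.exe'
       Minimum = [version]'7.1.3.191' },
    @{ Name    = 'Apple Software Update'
       Path    = 'C:\Program Files\Apple Software Update\SoftwareUpdate.exe'
       Minimum = [version]'1.0.2.0' }
)

# Hypothetical helper: build a comparable version from the numeric fields
# of the file's version resource (the FileVersion string may contain text).
function Get-FileVersion {
    param([Parameter(Mandatory = $true)][string]$Path)
    $info = (Get-Item -LiteralPath $Path).VersionInfo
    New-Object System.Version $info.FileMajorPart, $info.FileMinorPart,
                              $info.FileBuildPart, $info.FilePrivatePart
}

$results = foreach ($c in $checks) {
    if (-not (Test-Path -LiteralPath $c.Path)) {
        # Installed to a non-default location, or not installed at all.
        [pscustomobject]@{
            Component = $c.Name
            Found     = $null
            Minimum   = $c.Minimum
            Status    = 'Not found at default path'
        }
        continue
    }

    $found = Get-FileVersion -Path $c.Path
    $status = if ($found -ge $c.Minimum) { 'OK' } else { 'Needs update' }
    [pscustomobject]@{
        Component = $c.Name
        Found     = $found
        Minimum   = $c.Minimum
        Status    = $status
    }
}

$results | Format-Table -AutoSize
```

A "Not found at default path" result means the file should be located manually as described in steps 1 and 4.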