This article has been archived and is no longer updated by Apple.

About Security Update 2007-001

This document describes Security Update 2007-001, which can be downloaded and installed via Software Update preferences, or from Apple Downloads.

For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To find out more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key".

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To find out more about other Security Updates, see "Apple Security Updates".

Security Update 2007-001

QuickTime

CVE-ID: CVE-2007-0015

Available for: QuickTime 7.1.3 on Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.8, Mac OS X Server v10.4.8, Windows XP/2000

Impact: Visiting malicious websites may lead to arbitrary code execution.

Description: A buffer overflow exists in QuickTime's handling of RTSP URLs. By enticing a user to access a maliciously crafted RTSP URL, an attacker can trigger the buffer overflow, which may lead to arbitrary code execution. A QTL file that triggers this issue has been published on the Month of Apple Bugs website (MOAB-01-01-2007). This update addresses the issue by performing additional validation of RTSP URLs.

Windows information

1. To verify that your version of QuickTime has been updated:

  • In Windows Explorer, navigate to the location of QuickTimePlayer.exe. Usually this is (C:\Program Files\QuickTime\).

  • Right-click on QuickTimePlayer.exe, select Properties, then click the Versions tab.

If the QuickTime version is 7.1.3.191 or later, then the security update has been applied and no further steps are needed. If the QuickTime version is earlier than 7.1.3.191, then go to step 2.

2. If Apple Software Update is not installed on your computer but QuickTime is, uninstall QuickTime:

  • To check if Apple Software Update is installed: From the Start menu, navigate to "All Programs". If "Apple Software Update" appears, then skip to step 3.

  • If Apple Software Update is not installed: From the Start menu, navigate to "All Programs", locate "QuickTime", then choose "Uninstall QuickTime".

3. Ensure QuickTime 7.1.3 and Apple Software Update have been installed on your system.

  • You can determine the QuickTime version as described above in step 1.

  • These may be installed by selecting the option labelled "QuickTime 7.1.3 with iTunes for Windows 2000/XP" or "QuickTime 7.1.3 for Windows 2000/XP".

  • Select the "Install Apple Software Update for Windows" option in either the QuickTime or iTunes installer.

4. Ensure you are running version 1.0.2 or later of Apple Software Update.

To check the version:

  • In Windows Explorer, navigate to the location of SoftwareUpdate.exe. Usually this would be (C:\Program Files\Apple Software Update\SoftwareUpdate.exe).

  • Right-click on SoftwareUpdate.exe, select Properties, then click the Versions tab.

To update Apple Software Update to version 1.0.2 or later:

  • From the "Start" menu, navigate to "All Programs" and select "Apple Software Update".

  • When Software Update runs, you will see Apple Software Update 1.0.2 or later.

  • Click the "Install 1 Item" button to install the latest version of Apple Software Update.

5. Install Security Update 2007-001 via the Apple Software Update application.

  • If Apple Software Update is not already running, you can open it from the Start menu under "All Programs". By default, it is installed at (C:\Program Files\Apple Software Update\SoftwareUpdate.exe).

  • Verify that the security patch has been applied by checking the QuickTime version using the process outlined in step 1.
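The version checks in steps 1 and 4 can also be scripted, for example when auditing several machines. The following PowerShell is an added example, not part of Apple's original article. It assumes the default install paths quoted above and that the file version resource of each executable carries the same number shown on the Versions tab.

```powershell
# Added example: script the version checks from steps 1 and 4.
# Assumption: the paths below are the "usual" locations named in the article.
$checks = @(
    @{ Name    = 'QuickTime Player'
       Path    = 'C:\Program Files\QuickTime\QuickTimePlayer.exe'
       Minimum = [version]'7.1.3.191' },
    @{ Name    = 'Apple Software Update'
       Path    = 'C:\Program Files\Apple Software Update\SoftwareUpdate.exe'
       Minimum = [version]'1.0.2.0' }
)

function Get-BinaryVersion {
    param([Parameter(Mandatory)][string]$Path)
    # Build the version from the numeric fields of the version resource
    # instead of parsing the FileVersion string, which is free-form text.
    $info = (Get-Item -LiteralPath $Path -ErrorAction Stop).VersionInfo
    [version]::new($info.FileMajorPart, $info.FileMinorPart,
                   $info.FileBuildPart, $info.FilePrivatePart)
}

$results = foreach ($c in $checks) {
    if (-not (Test-Path -LiteralPath $c.Path -PathType Leaf)) {
        # Not at the default location: not installed, or installed elsewhere.
        [pscustomobject]@{ Component = $c.Name; Found = $null
                           Minimum = $c.Minimum; Status = 'Missing' }
        continue
    }
    $found  = Get-BinaryVersion -Path $c.Path
    # All four fields are compared, so 7.1.3.190 is older than 7.1.3.191.
    $status = if ($found -ge $c.Minimum) { 'OK' } else { 'Outdated' }
    [pscustomobject]@{ Component = $c.Name; Found = $found
                       Minimum = $c.Minimum; Status = $status }
}

$results | Format-Table -AutoSize
```

A status of Outdated or Missing for QuickTime Player corresponds to continuing with step 2. The same status for Apple Software Update corresponds to steps 3 and 4.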
