Vulnerability-Lookup

CVE-2007-2397 (GCVE-0-2007-2397)

Vulnerability from cvelistv5 – Published: 2007-07-15 21:00 – Updated: 2024-08-07 13:33

Summary

QuickTime for Java in Apple Quicktime before 7.2 does not properly check permissions, which allows remote attackers to disable security controls and execute arbitrary code via crafted Java applets.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

CERTA-2007-AVI-308

Vulnerability from certfr_avis - Published: 2007-07-12 - Updated: 2007-07-12

Plusieurs vulnérabilités ont été identifiées dans le lecteur multimédia Apple QuickTime. L'exploitation de ces dernières peut entraîner un dysfonctionnement de l'application, voire l'exécution de code arbitraire à distance sur le système vulnérable.

Description

Plusieurs vulnérabilités ont été identifiées dans le lecteur multimédia Apple QuickTime. Parmi celles-ci :

l'application ne manipulerait pas correctement les vidéos au format H.264. Ce problème peut ainsi provoquer une corruption de la mémoire.
l'application ne manipulerait pas correctement les fichiers au format .m4v. Ce problème peut ainsi provoquer un débordement d'entier.
l'application ne manipulerait pas correctement les fichiers au format SMIL. Ce problème peut ainsi provoquer un débordement d'entier.
les vérifications de sécurité (permissions) peuvent être contournées, dans QuickTime pour Java. L'exploitation de cette vulnérabilité, comme les précédentes, peut entraîner, sous certaines conditions, l'exécution de code arbitraire à distance sur le système vulnérable.

Solution

Se référer au bulletin de sécurité d'Apple pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	Apple	N/A	QuickTime 7.2 ainsi que les versions antérieures.

References

Title

Publication Time

GHSA-M3F9-6M4R-6X2C

Vulnerability from github – Published: 2022-05-01 18:03 – Updated: 2022-05-01 18:03

Details

QuickTime for Java in Apple Quicktime before 7.2 does not properly check permissions, which allows remote attackers to disable security controls and execute arbitrary code via crafted Java applets.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2007-2397"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2007-07-15T21:30:00Z",
    "severity": "HIGH"
  },
  "details": "QuickTime for Java in Apple Quicktime before 7.2 does not properly check permissions, which allows remote attackers to disable security controls and execute arbitrary code via crafted Java applets.",
  "id": "GHSA-m3f9-6m4r-6x2c",
  "modified": "2022-05-01T18:03:10Z",
  "published": "2022-05-01T18:03:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-2397"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35358"
    },
    {
      "type": "WEB",
      "url": "http://docs.info.apple.com/article.html?artnum=305947"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/Security-announce/2007/Jul/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/36132"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/26034"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/24873"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1018373"
    },
    {
      "type": "WEB",
      "url": "http://www.us-cert.gov/cas/techalerts/TA07-193A.html"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2007/2510"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GSD-2007-2397

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

QuickTime for Java in Apple Quicktime before 7.2 does not properly check permissions, which allows remote attackers to disable security controls and execute arbitrary code via crafted Java applets.

Aliases

CVE-2007-2397

Aliases

CVE-2007-2397

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2007-2397",
    "description": "QuickTime for Java in Apple Quicktime before 7.2 does not properly check permissions, which allows remote attackers to disable security controls and execute arbitrary code via crafted Java applets.",
    "id": "GSD-2007-2397"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2007-2397"
      ],
      "details": "QuickTime for Java in Apple Quicktime before 7.2 does not properly check permissions, which allows remote attackers to disable security controls and execute arbitrary code via crafted Java applets.",
      "id": "GSD-2007-2397",
      "modified": "2023-12-13T01:21:38.244578Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2007-2397",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "QuickTime for Java in Apple Quicktime before 7.2 does not properly check permissions, which allows remote attackers to disable security controls and execute arbitrary code via crafted Java applets."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "26034",
            "refsource": "SECUNIA",
            "url": "http://secunia.com/advisories/26034"
          },
          {
            "name": "1018373",
            "refsource": "SECTRACK",
            "url": "http://www.securitytracker.com/id?1018373"
          },
          {
            "name": "TA07-193A",
            "refsource": "CERT",
            "url": "http://www.us-cert.gov/cas/techalerts/TA07-193A.html"
          },
          {
            "name": "ADV-2007-2510",
            "refsource": "VUPEN",
            "url": "http://www.vupen.com/english/advisories/2007/2510"
          },
          {
            "name": "36132",
            "refsource": "OSVDB",
            "url": "http://osvdb.org/36132"
          },
          {
            "name": "24873",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/24873"
          },
          {
            "name": "http://docs.info.apple.com/article.html?artnum=305947",
            "refsource": "CONFIRM",
            "url": "http://docs.info.apple.com/article.html?artnum=305947"
          },
          {
            "name": "APPLE-SA-2007-07-11",
            "refsource": "APPLE",
            "url": "http://lists.apple.com/archives/Security-announce/2007/Jul/msg00001.html"
          },
          {
            "name": "quicktime-applet-code-execution(35358)",
            "refsource": "XF",
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35358"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apple:quicktime:7.0.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:quicktime:7.0.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:quicktime:7.1.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:quicktime:7.1.5:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:quicktime:7.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:quicktime:7.1.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:quicktime:7.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:quicktime:7.0.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:quicktime:7.1.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:quicktime:7.1.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:quicktime:7.0.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:quicktime:-:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2007-2397"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "QuickTime for Java in Apple Quicktime before 7.2 does not properly check permissions, which allows remote attackers to disable security controls and execute arbitrary code via crafted Java applets."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "NVD-CWE-Other"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://docs.info.apple.com/article.html?artnum=305947",
              "refsource": "CONFIRM",
              "tags": [
                "Patch"
              ],
              "url": "http://docs.info.apple.com/article.html?artnum=305947"
            },
            {
              "name": "APPLE-SA-2007-07-11",
              "refsource": "APPLE",
              "tags": [
                "Patch"
              ],
              "url": "http://lists.apple.com/archives/Security-announce/2007/Jul/msg00001.html"
            },
            {
              "name": "24873",
              "refsource": "BID",
              "tags": [],
              "url": "http://www.securityfocus.com/bid/24873"
            },
            {
              "name": "26034",
              "refsource": "SECUNIA",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "http://secunia.com/advisories/26034"
            },
            {
              "name": "TA07-193A",
              "refsource": "CERT",
              "tags": [
                "US Government Resource"
              ],
              "url": "http://www.us-cert.gov/cas/techalerts/TA07-193A.html"
            },
            {
              "name": "1018373",
              "refsource": "SECTRACK",
              "tags": [],
              "url": "http://www.securitytracker.com/id?1018373"
            },
            {
              "name": "36132",
              "refsource": "OSVDB",
              "tags": [],
              "url": "http://osvdb.org/36132"
            },
            {
              "name": "ADV-2007-2510",
              "refsource": "VUPEN",
              "tags": [],
              "url": "http://www.vupen.com/english/advisories/2007/2510"
            },
            {
              "name": "quicktime-applet-code-execution(35358)",
              "refsource": "XF",
              "tags": [],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35358"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.3,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "COMPLETE",
            "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 10.0,
          "obtainAllPrivilege": true,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": true
        }
      },
      "lastModifiedDate": "2018-10-30T16:25Z",
      "publishedDate": "2007-07-15T21:30Z"
    }
  }
}

FKIE_CVE-2007-2397

Vulnerability from fkie_nvd - Published: 2007-07-15 21:30 - Updated: 2025-04-09 00:30

Severity ?

Summary

QuickTime for Java in Apple Quicktime before 7.2 does not properly check permissions, which allows remote attackers to disable security controls and execute arbitrary code via crafted Java applets.

References

URL	Tags
cve@mitre.org	http://docs.info.apple.com/article.html?artnum=305947	Patch
cve@mitre.org	http://lists.apple.com/archives/Security-announce/2007/Jul/msg00001.html	Patch
cve@mitre.org	http://osvdb.org/36132
cve@mitre.org	http://secunia.com/advisories/26034	Patch, Vendor Advisory
cve@mitre.org	http://www.securityfocus.com/bid/24873
cve@mitre.org	http://www.securitytracker.com/id?1018373
cve@mitre.org	http://www.us-cert.gov/cas/techalerts/TA07-193A.html	US Government Resource
cve@mitre.org	http://www.vupen.com/english/advisories/2007/2510
cve@mitre.org	https://exchange.xforce.ibmcloud.com/vulnerabilities/35358
af854a3a-2127-422b-91ae-364da2661108	http://docs.info.apple.com/article.html?artnum=305947	Patch
af854a3a-2127-422b-91ae-364da2661108	http://lists.apple.com/archives/Security-announce/2007/Jul/msg00001.html	Patch
af854a3a-2127-422b-91ae-364da2661108	http://osvdb.org/36132
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/26034	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/24873
af854a3a-2127-422b-91ae-364da2661108	http://www.securitytracker.com/id?1018373
af854a3a-2127-422b-91ae-364da2661108	http://www.us-cert.gov/cas/techalerts/TA07-193A.html	US Government Resource
af854a3a-2127-422b-91ae-364da2661108	http://www.vupen.com/english/advisories/2007/2510
af854a3a-2127-422b-91ae-364da2661108	https://exchange.xforce.ibmcloud.com/vulnerabilities/35358

Impacted products

Vendor	Product	Version
apple	quicktime	-
apple	quicktime	7.0
apple	quicktime	7.0.1
apple	quicktime	7.0.2
apple	quicktime	7.0.3
apple	quicktime	7.0.4
apple	quicktime	7.1
apple	quicktime	7.1.1
apple	quicktime	7.1.2
apple	quicktime	7.1.3
apple	quicktime	7.1.4
apple	quicktime	7.1.5

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apple:quicktime:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "1EE08FAE-0862-4C36-95BC-878B04CBF397",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:quicktime:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F075BA0F-4A96-4F25-AF1D-C64C7DCE1CDC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:quicktime:7.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "8692B488-129A-49EA-AF84-6077FCDBB898",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:quicktime:7.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "1758610B-3789-489E-A751-386D605E5A08",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:quicktime:7.0.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "B535737C-BF32-471C-B26A-588632FCC427",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:quicktime:7.0.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "DF2C61F8-B376-40F9-8677-CADCC3295915",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:quicktime:7.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "6254BB56-5A25-49DC-A851-3CCA249BD71D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:quicktime:7.1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "795E3354-7824-4EF4-A788-3CFEB75734E4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:quicktime:7.1.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "9419A1E9-A0DA-4846-8959-BE50B53736E5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:quicktime:7.1.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "952A8015-B18B-481C-AC17-60F0D7EEE085",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:quicktime:7.1.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "3E518B27-A79B-43A4-AFA6-E59EF8E944D3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:quicktime:7.1.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "AEC6EF36-93B3-49BB-9A6F-1990E3F4170E",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "QuickTime for Java in Apple Quicktime before 7.2 does not properly check permissions, which allows remote attackers to disable security controls and execute arbitrary code via crafted Java applets."
    },
    {
      "lang": "es",
      "value": "QuickTime para Java en Apple Quicktime versiones anteriores a 7.2 no comprueba los permisos apropiadamente, lo cual permite a atacantes remotos deshabilitar controles de seguridad y ejecutar c\u00f3digo de su elecci\u00f3n mediante applets Java manipulados."
    }
  ],
  "id": "CVE-2007-2397",
  "lastModified": "2025-04-09T00:30:58.490",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 9.3,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 10.0,
        "obtainAllPrivilege": true,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ]
  },
  "published": "2007-07-15T21:30:00.000",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "http://docs.info.apple.com/article.html?artnum=305947"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "http://lists.apple.com/archives/Security-announce/2007/Jul/msg00001.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://osvdb.org/36132"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/26034"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securityfocus.com/bid/24873"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securitytracker.com/id?1018373"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "US Government Resource"
      ],
      "url": "http://www.us-cert.gov/cas/techalerts/TA07-193A.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.vupen.com/english/advisories/2007/2510"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35358"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://docs.info.apple.com/article.html?artnum=305947"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://lists.apple.com/archives/Security-announce/2007/Jul/msg00001.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://osvdb.org/36132"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/26034"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/24873"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securitytracker.com/id?1018373"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "US Government Resource"
      ],
      "url": "http://www.us-cert.gov/cas/techalerts/TA07-193A.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.vupen.com/english/advisories/2007/2510"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35358"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-Other"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

VAR-200707-0549

Vulnerability from variot - Updated: 2025-04-10 21:11

QuickTime for Java in Apple Quicktime before 7.2 does not properly check permissions, which allows remote attackers to disable security controls and execute arbitrary code via crafted Java applets. Apple QuickTime fails to properly handle malformed movie files. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial-of-service condition. Apple QuickTime is prone to an information-disclosure and multiple remote code-execution vulnerabilities. Remote attackers may exploit these issues by enticing victims into opening maliciously crafted files or visiting maliciously crafted websites. Failed exploit attempts of remote code-execution issues may result in denial-of-service conditions. Successful exploits of the information-disclosure issue may lead to further attacks. Apple QuickTime is a popular multimedia player that supports a wide variety of media formats.

Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure.

The Full Featured Secunia Network Software Inspector (NSI) is now available: http://secunia.com/network_software_inspector/

The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,000 different Windows applications.

TITLE: Apple QuickTime Multiple Vulnerabilities

SECUNIA ADVISORY ID: SA26034

VERIFY ADVISORY: http://secunia.com/advisories/26034/

CRITICAL: Highly critical

IMPACT: Exposure of sensitive information, DoS, System access

WHERE:

From remote

REVISION: 1.1 originally posted 2007-07-12

SOFTWARE: Apple QuickTime 7.x http://secunia.com/product/5090/

DESCRIPTION: Some vulnerabilities have been reported in Apple QuickTime, which can be exploited by malicious people to compromise a user's system.

1) An unspecified error exists in the processing of H.264 movies. This can be exploited to cause memory corruption and may allow execution of arbitrary code when a user accesses a specially crafted H.264 movie.

2) An unspecified error exists in the processing of movie files.

3) An integer overflow error exists in the handling of .m4v files and can be exploited to execute arbitrary code when a user accesses a specially crafted .m4v file.

4) An integer overflow error exists in the handling of the "author" and "title" fields when parsing SMIL files.

6) A design error exists in QuickTime for Java, which can be exploited to bypass security checks and read and write to process memory. This can lead to execution of arbitrary code when a user visits a web site containing a specially crafted Java applet.

7) A design error exists in QuickTime for Java due to JDirect exposing interfaces that may allow loading arbitrary libraries and freeing arbitrary memory.

8) A design error exists in QuickTime for Java, which can be exploited to capture the user's screen content when a user visits a web site containing a specially crafted Java applet.

The vulnerabilities are reported in versions prior to 7.2.

SOLUTION: Update to version 7.2.

QuickTime 7.2 for Mac: http://www.apple.com/support/downloads/quicktime72formac.html

QuickTime 7.2 for Windows: http://www.apple.com/support/downloads/quicktime72forwindows.html

PROVIDED AND/OR DISCOVERED BY: 1) The vendor credits Tom Ferris, Security-Protocols.com and Matt Slot, Ambrosia Software, Inc. 2) The vendor credits Jonathan 'Wolf' Rentzsch of Red Shed Software. 3) The vendor credits Tom Ferris, Security-Protocols.com. 4) David Vaartjes of ITsec Security Services, reported via iDefense. 5, 6, 7) The vendor credits Adam Gowdiak. 8) Reported by the vendor.

CHANGELOG: 2007-07-12: Added link to US-CERT.

ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=305947

iDefense: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=556

OTHER REFERENCES: US-CERT VU#582681: http://www.kb.cert.org/vuls/id/582681

About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities.

Subscribe: http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/

Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

                    National Cyber Alert System

    Technical Cyber Security Alert TA07-193A

Apple Releases Security Updates for QuickTime

Original release date: July 12, 2007 Last revised: -- Source: US-CERT

Systems Affected

Apple QuickTime on systems running

Apple Mac OS X
Microsoft Windows

Overview

Apple QuickTime contains multiple vulnerabilities.

I. Description

Apple QuickTime 7.2 resolves multiple vulnerabilities in the way Java applets and various types of media files are handled. Since QuickTime configures most web browsers to handle QuickTime media files, an attacker could exploit these vulnerabilities using a web page.

Note that QuickTime ships with Apple iTunes.

For more information, please refer to the Vulnerability Notes Database.

II. For further information, please see the Vulnerability Notes Database.

III. Solution

Upgrade QuickTime

Upgrade to QuickTime 7.2. This and other updates for Mac OS X are available via Apple Update.

On Microsoft Windows, QuickTime users can install the update by using the built-in auto-update mechanism, Apple Software Update, or by installing the update manually. Disabling QuickTime in your web browser may defend against this attack vector. For more information, refer to the Securing Your Web Browser document. Disabling Java in your web browser may defend against this attack vector. Instructions for disabling Java can be found in the Securing Your Web Browser document.

References

Vulnerability Notes for QuickTime 7.2 - http://www.kb.cert.org/vuls/byid?searchview&query=QuickTime_72
About the security content of the QuickTime 7.2 Update - http://docs.info.apple.com/article.html?artnum=305947
How to tell if Software Update for Windows is working correctly when no updates are available - http://docs.info.apple.com/article.html?artnum=304263
Apple QuickTime 7.2 for Windows - http://www.apple.com/support/downloads/quicktime72forwindows.html
Apple QuickTime 7.2 for Mac - http://www.apple.com/support/downloads/quicktime72formac.html
Standalone Apple QuickTime Player - http://www.apple.com/quicktime/download/standalone.html
Mac OS X: Updating your software - http://docs.info.apple.com/article.html?artnum=106704
Securing Your Web Browser - http://www.us-cert.gov/reading_room/securing_browser/

The most recent version of this document can be found at:

 <http://www.us-cert.gov/cas/techalerts/TA07-193A.html>

Feedback can be directed to US-CERT Technical Staff. Please send email to cert@cert.org with "TA07-193A Feedback VU#582681" in the subject.

For instructions on subscribing to or unsubscribing from this mailing list, visit http://www.us-cert.gov/cas/signup.html.

Produced 2007 by US-CERT, a government organization.

 <http://www.us-cert.gov/legal.html>

Revision History

Thursday July 12, 2007: Initial release

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBRpZsJ/RFkHkM87XOAQKLMgf9GpK/pbKTrSe0yKCRMt8Z4lMKl8VE+Rqr 4i8GfVXYUcBKbTlA8TTyf5ucbmCVAnjGJIq0W6X5gLBeA0QxCZ6qto/iPqviuvoV 8tu92/DuerYOkZMvJcn4RjAlMhM9CWCqJh1QG6R2Csn8AyeKEOFDiKYqoDzT+LoQ zojxmlNJIbUvIIGv8Z12Xkr1LLDmD4rs1nfDEBZm7yLTWRItmXpvSidftdUGETDZ +ok1SIhkZEbPNT7gAox9RZaKyIRHV7V4wZwqDd3weo6T7UPlhsgRqe88h1R5Yfq8 a7ePH0WSbTCqdGmuoM+nir4iDldoxB8OpbMUQH1nmWcDmc9xv++MHQ== =EV1X -----END PGP SIGNATURE-----

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-200707-0549",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "quicktime",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "7.1.1"
      },
      {
        "model": "quicktime",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "7.0.4"
      },
      {
        "model": "quicktime",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "7.1.2"
      },
      {
        "model": "quicktime",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "7.1"
      },
      {
        "model": "quicktime",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "7.1.4"
      },
      {
        "model": "quicktime",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "7.0.3"
      },
      {
        "model": "quicktime",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "7.0.2"
      },
      {
        "model": "quicktime",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "7.1.5"
      },
      {
        "model": "quicktime",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "7.1.3"
      },
      {
        "model": "quicktime",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "apple",
        "version": "7.0.1"
      },
      {
        "model": "quicktime",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "apple",
        "version": "7.0"
      },
      {
        "model": "quicktime",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "apple",
        "version": null
      },
      {
        "model": null,
        "scope": null,
        "trust": 0.8,
        "vendor": "apple computer",
        "version": null
      },
      {
        "model": "quicktime",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "apple",
        "version": "version"
      },
      {
        "model": "quicktime",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "apple",
        "version": "7.2"
      },
      {
        "model": "quicktime",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "apple",
        "version": "7.0.8"
      },
      {
        "model": "quicktime player",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "7.1.5"
      },
      {
        "model": "quicktime player",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "7.1.4"
      },
      {
        "model": "quicktime player",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "7.1.3"
      },
      {
        "model": "quicktime player",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "7.1.2"
      },
      {
        "model": "quicktime player",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "7.1.1"
      },
      {
        "model": "quicktime player",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "7.0.4"
      },
      {
        "model": "quicktime player",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "7.0.3"
      },
      {
        "model": "quicktime player",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "7.0.2"
      },
      {
        "model": "quicktime player",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "7.0.1"
      },
      {
        "model": "quicktime player",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "7.0"
      },
      {
        "model": "quicktime player",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "6.5.2"
      },
      {
        "model": "quicktime player",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "6.5.1"
      },
      {
        "model": "quicktime player",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "6.5"
      },
      {
        "model": "quicktime player",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "6.1"
      },
      {
        "model": "quicktime player",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "5.0.2"
      },
      {
        "model": "quicktime player",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "7.1"
      },
      {
        "model": "quicktime player",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "6"
      },
      {
        "model": "quicktime",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "apple",
        "version": "7.2"
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#582681"
      },
      {
        "db": "BID",
        "id": "24873"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2007-000525"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200707-267"
      },
      {
        "db": "NVD",
        "id": "CVE-2007-2397"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/a:apple:quicktime",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2007-000525"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Jonathan \u0027Wolf\u0027 RentzschDavid VaartjesAdam Gowdiak\u203b zupa@man.poznan.pl",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-200707-267"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2007-2397",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.3,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 8.6,
            "id": "CVE-2007-2397",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 1.8,
            "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.3,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 8.6,
            "id": "VHN-25759",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.1,
            "vectorString": "AV:N/AC:M/AU:N/C:C/I:C/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2007-2397",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "CARNEGIE MELLON",
            "id": "VU#582681",
            "trust": 0.8,
            "value": "8.66"
          },
          {
            "author": "NVD",
            "id": "CVE-2007-2397",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-200707-267",
            "trust": 0.6,
            "value": "CRITICAL"
          },
          {
            "author": "VULHUB",
            "id": "VHN-25759",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#582681"
      },
      {
        "db": "VULHUB",
        "id": "VHN-25759"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2007-000525"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200707-267"
      },
      {
        "db": "NVD",
        "id": "CVE-2007-2397"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "QuickTime for Java in Apple Quicktime before 7.2 does not properly check permissions, which allows remote attackers to disable security controls and execute arbitrary code via crafted Java applets. Apple QuickTime fails to properly handle malformed movie files. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial-of-service condition. Apple QuickTime is prone to an information-disclosure and multiple remote code-execution vulnerabilities. \nRemote attackers may exploit these issues by enticing victims into opening maliciously crafted files or visiting maliciously crafted websites. Failed exploit attempts of remote code-execution issues may result in denial-of-service conditions. Successful exploits of the information-disclosure issue may lead to further attacks. Apple QuickTime is a popular multimedia player that supports a wide variety of media formats. \n\n----------------------------------------------------------------------\n\nTry a new way to discover vulnerabilities that ALREADY EXIST in your\nIT infrastructure. \n\nThe Full Featured Secunia Network Software Inspector (NSI) is now\navailable:\nhttp://secunia.com/network_software_inspector/\n\nThe Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT\nvulnerabilities in more than 4,000 different Windows applications. \n\n----------------------------------------------------------------------\n\nTITLE:\nApple QuickTime Multiple Vulnerabilities\n\nSECUNIA ADVISORY ID:\nSA26034\n\nVERIFY ADVISORY:\nhttp://secunia.com/advisories/26034/\n\nCRITICAL:\nHighly critical\n\nIMPACT:\nExposure of sensitive information, DoS, System access\n\nWHERE:\n\u003eFrom remote\n\nREVISION:\n1.1 originally posted 2007-07-12\n\nSOFTWARE:\nApple QuickTime 7.x\nhttp://secunia.com/product/5090/\n\nDESCRIPTION:\nSome vulnerabilities have been reported in Apple QuickTime, which can\nbe exploited by malicious people to compromise a user\u0027s system. \n\n1) An unspecified error exists in the processing of H.264 movies. \nThis can be exploited to cause memory corruption and may allow\nexecution of arbitrary code when a user accesses a specially crafted\nH.264 movie. \n\n2) An unspecified error exists in the processing of movie files. \n\n3) An integer overflow error exists in the handling of .m4v files and\ncan be exploited to execute arbitrary code when a user accesses a\nspecially crafted .m4v file. \n\n4) An integer overflow error exists in the handling of the \"author\"\nand \"title\" fields when parsing SMIL files. \n\n6) A design error exists in QuickTime for Java, which can be\nexploited to bypass security checks and read and write to process\nmemory. This can lead to execution of arbitrary code when a user\nvisits a web site containing a specially crafted Java applet. \n\n7) A design error exists in QuickTime for Java due to JDirect\nexposing interfaces that may allow loading arbitrary libraries and\nfreeing arbitrary memory. \n\n8) A design error exists in QuickTime for Java, which can be\nexploited to capture the user\u0027s screen content when a user visits a\nweb site containing a specially crafted Java applet. \n\nThe vulnerabilities are reported in versions prior to 7.2. \n\nSOLUTION:\nUpdate to version 7.2. \n\nQuickTime 7.2 for Mac:\nhttp://www.apple.com/support/downloads/quicktime72formac.html\n\nQuickTime 7.2 for Windows:\nhttp://www.apple.com/support/downloads/quicktime72forwindows.html\n\nPROVIDED AND/OR DISCOVERED BY:\n1) The vendor credits Tom Ferris, Security-Protocols.com and Matt\nSlot, Ambrosia Software, Inc. \n2) The vendor credits Jonathan \u0027Wolf\u0027 Rentzsch of Red Shed Software. \n3) The vendor credits Tom Ferris, Security-Protocols.com. \n4) David Vaartjes of ITsec Security Services, reported via iDefense. \n5, 6, 7) The vendor credits Adam Gowdiak. \n8) Reported by the vendor. \n\nCHANGELOG:\n2007-07-12: Added link to US-CERT. \n\nORIGINAL ADVISORY:\nApple:\nhttp://docs.info.apple.com/article.html?artnum=305947\n\niDefense:\nhttp://labs.idefense.com/intelligence/vulnerabilities/display.php?id=556\n\nOTHER REFERENCES:\nUS-CERT VU#582681:\nhttp://www.kb.cert.org/vuls/id/582681\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\neverybody keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. \n\n----------------------------------------------------------------------\n\nUnsubscribe: Secunia Security Advisories\nhttp://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org\n\n----------------------------------------------------------------------\n\n\n. \n-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n\n                        National Cyber Alert System\n\n\t\tTechnical Cyber Security Alert TA07-193A\n\n\nApple Releases Security Updates for QuickTime\n\n   Original release date: July 12, 2007\n   Last revised: --\n   Source: US-CERT\n\n\nSystems Affected\n\n   Apple QuickTime on systems running\n\n   * Apple Mac OS X\n   * Microsoft Windows\n\n\nOverview\n\n   Apple QuickTime contains multiple vulnerabilities. \n\n\nI. Description\n\n   Apple QuickTime 7.2 resolves multiple vulnerabilities in the way\n   Java applets and various types of media files are handled. Since QuickTime configures most\n   web browsers to handle QuickTime media files, an attacker could\n   exploit these vulnerabilities using a web page. \n\n   Note that QuickTime ships with Apple iTunes. \n\n   For more information, please refer to the Vulnerability Notes\n   Database. \n\n\nII. For further information, please see\n   the Vulnerability Notes Database. \n\n\nIII. Solution\n\nUpgrade QuickTime\n\n   Upgrade to QuickTime 7.2. This and other updates for Mac OS X are\n   available via Apple Update. \n\n   On Microsoft Windows, QuickTime users can install the update by\n   using the built-in auto-update mechanism, Apple Software Update, or\n   by installing the update manually. Disabling QuickTime in your web browser may defend\n   against this attack vector. For more information, refer to the\n   Securing Your Web Browser document. Disabling Java in your web browser may defend against\n   this attack vector. Instructions for disabling Java can be found in\n   the Securing Your Web Browser document. \n\n\nReferences\n\n   * Vulnerability Notes for QuickTime 7.2 -\n     \u003chttp://www.kb.cert.org/vuls/byid?searchview\u0026query=QuickTime_72\u003e\n\n   * About the security content of the QuickTime 7.2 Update -\n     \u003chttp://docs.info.apple.com/article.html?artnum=305947\u003e\n\n   * How to tell if Software Update for Windows is working correctly when no updates are available -\n     \u003chttp://docs.info.apple.com/article.html?artnum=304263\u003e\n\n   * Apple QuickTime 7.2 for Windows -\n     \u003chttp://www.apple.com/support/downloads/quicktime72forwindows.html\u003e\n\n   * Apple QuickTime 7.2 for Mac -\n     \u003chttp://www.apple.com/support/downloads/quicktime72formac.html\u003e\n\n   * Standalone Apple QuickTime Player -\n     \u003chttp://www.apple.com/quicktime/download/standalone.html\u003e\n\n   * Mac OS X: Updating your software -\n     \u003chttp://docs.info.apple.com/article.html?artnum=106704\u003e\n\n   * Securing Your Web Browser -\n     \u003chttp://www.us-cert.gov/reading_room/securing_browser/\u003e\n    \n\n ____________________________________________________________________\n\n   The most recent version of this document can be found at:\n\n     \u003chttp://www.us-cert.gov/cas/techalerts/TA07-193A.html\u003e\n ____________________________________________________________________\n\n   Feedback can be directed to US-CERT Technical Staff. Please send\n   email to \u003ccert@cert.org\u003e with \"TA07-193A Feedback VU#582681\" in the\n   subject. \n ____________________________________________________________________\n\n   For instructions on subscribing to or unsubscribing from this\n   mailing list, visit \u003chttp://www.us-cert.gov/cas/signup.html\u003e. \n ____________________________________________________________________\n\n   Produced 2007 by US-CERT, a government organization. \n\n   Terms of use:\n\n     \u003chttp://www.us-cert.gov/legal.html\u003e\n ____________________________________________________________________\n\n\nRevision History\n\n   Thursday July 12, 2007: Initial release\n\n\n\n\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.2.1 (GNU/Linux)\n\niQEVAwUBRpZsJ/RFkHkM87XOAQKLMgf9GpK/pbKTrSe0yKCRMt8Z4lMKl8VE+Rqr\n4i8GfVXYUcBKbTlA8TTyf5ucbmCVAnjGJIq0W6X5gLBeA0QxCZ6qto/iPqviuvoV\n8tu92/DuerYOkZMvJcn4RjAlMhM9CWCqJh1QG6R2Csn8AyeKEOFDiKYqoDzT+LoQ\nzojxmlNJIbUvIIGv8Z12Xkr1LLDmD4rs1nfDEBZm7yLTWRItmXpvSidftdUGETDZ\n+ok1SIhkZEbPNT7gAox9RZaKyIRHV7V4wZwqDd3weo6T7UPlhsgRqe88h1R5Yfq8\na7ePH0WSbTCqdGmuoM+nir4iDldoxB8OpbMUQH1nmWcDmc9xv++MHQ==\n=EV1X\n-----END PGP SIGNATURE-----\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2007-2397"
      },
      {
        "db": "CERT/CC",
        "id": "VU#582681"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2007-000525"
      },
      {
        "db": "BID",
        "id": "24873"
      },
      {
        "db": "VULHUB",
        "id": "VHN-25759"
      },
      {
        "db": "PACKETSTORM",
        "id": "57697"
      },
      {
        "db": "PACKETSTORM",
        "id": "57713"
      }
    ],
    "trust": 2.88
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "USCERT",
        "id": "TA07-193A",
        "trust": 2.9
      },
      {
        "db": "NVD",
        "id": "CVE-2007-2397",
        "trust": 2.8
      },
      {
        "db": "BID",
        "id": "24873",
        "trust": 2.8
      },
      {
        "db": "SECUNIA",
        "id": "26034",
        "trust": 2.7
      },
      {
        "db": "SECTRACK",
        "id": "1018373",
        "trust": 1.7
      },
      {
        "db": "OSVDB",
        "id": "36132",
        "trust": 1.7
      },
      {
        "db": "VUPEN",
        "id": "ADV-2007-2510",
        "trust": 1.7
      },
      {
        "db": "XF",
        "id": "35358",
        "trust": 1.4
      },
      {
        "db": "CERT/CC",
        "id": "VU#582681",
        "trust": 1.2
      },
      {
        "db": "USCERT",
        "id": "SA07-193A",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2007-000525",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200707-267",
        "trust": 0.7
      },
      {
        "db": "APPLE",
        "id": "APPLE-SA-2007-07-11",
        "trust": 0.6
      },
      {
        "db": "CERT/CC",
        "id": "TA07-193A",
        "trust": 0.6
      },
      {
        "db": "VULHUB",
        "id": "VHN-25759",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "57697",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "57713",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#582681"
      },
      {
        "db": "VULHUB",
        "id": "VHN-25759"
      },
      {
        "db": "BID",
        "id": "24873"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2007-000525"
      },
      {
        "db": "PACKETSTORM",
        "id": "57697"
      },
      {
        "db": "PACKETSTORM",
        "id": "57713"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200707-267"
      },
      {
        "db": "NVD",
        "id": "CVE-2007-2397"
      }
    ]
  },
  "id": "VAR-200707-0549",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-25759"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2025-04-10T21:11:35.945000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "QuickTime 7.2 for Mac",
        "trust": 0.8,
        "url": "http://www.apple.com/support/downloads/quicktime72formac.html"
      },
      {
        "title": "QuickTime 7.2 for Windows",
        "trust": 0.8,
        "url": "http://www.apple.com/support/downloads/quicktime72forwindows.html"
      },
      {
        "title": "About the security content of QuickTime 7.2",
        "trust": 0.8,
        "url": "http://docs.info.apple.com/article.html?artnum=305947-en"
      },
      {
        "title": "About the security content of QuickTime 7.2",
        "trust": 0.8,
        "url": "http://docs.info.apple.com/article.html?artnum=305947-ja"
      },
      {
        "title": "\u30a2\u30c3\u30d7\u30eb - QuickTime",
        "trust": 0.8,
        "url": "http://www.apple.com/jp/quicktime/download/win.html"
      },
      {
        "title": "QuickTime 7.2 for Windows",
        "trust": 0.8,
        "url": "http://www.apple.com/jp/ftp-info/reference/quicktime72forwindows.html"
      },
      {
        "title": "QuickTime 7.2 for Mac",
        "trust": 0.8,
        "url": "http://www.apple.com/jp/ftp-info/reference/quicktime72formac.html"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2007-000525"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "NVD-CWE-Other",
        "trust": 1.0
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2007-2397"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.8,
        "url": "http://www.us-cert.gov/cas/techalerts/ta07-193a.html"
      },
      {
        "trust": 2.5,
        "url": "http://www.securityfocus.com/bid/24873"
      },
      {
        "trust": 2.5,
        "url": "http://secunia.com/advisories/26034"
      },
      {
        "trust": 2.1,
        "url": "http://docs.info.apple.com/article.html?artnum=305947"
      },
      {
        "trust": 1.7,
        "url": "http://lists.apple.com/archives/security-announce/2007/jul/msg00001.html"
      },
      {
        "trust": 1.7,
        "url": "http://osvdb.org/36132"
      },
      {
        "trust": 1.7,
        "url": "http://www.securitytracker.com/id?1018373"
      },
      {
        "trust": 1.4,
        "url": "http://www.frsirt.com/english/advisories/2007/2510"
      },
      {
        "trust": 1.4,
        "url": "http://xforce.iss.net/xforce/xfdb/35358"
      },
      {
        "trust": 1.1,
        "url": "http://www.vupen.com/english/advisories/2007/2510"
      },
      {
        "trust": 1.1,
        "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35358"
      },
      {
        "trust": 0.8,
        "url": "about vulnerability notes"
      },
      {
        "trust": 0.8,
        "url": "contact us about this vulnerability"
      },
      {
        "trust": 0.8,
        "url": "provide a vendor statement"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-2397"
      },
      {
        "trust": 0.8,
        "url": "http://jvn.jp/cert/jvnta07-193a/index.html"
      },
      {
        "trust": 0.8,
        "url": "http://jvn.jp/tr/trta07-193a/index.html"
      },
      {
        "trust": 0.8,
        "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2007-2397"
      },
      {
        "trust": 0.8,
        "url": "http://www.us-cert.gov/cas/alerts/sa07-193a.html"
      },
      {
        "trust": 0.4,
        "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=556"
      },
      {
        "trust": 0.4,
        "url": "http://www.kb.cert.org/vuls/id/582681"
      },
      {
        "trust": 0.3,
        "url": "http://software.cisco.com/download/navigator.html?mdfid=283613663"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/473882"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/secunia_security_advisories/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/product/5090/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/network_software_inspector/"
      },
      {
        "trust": 0.1,
        "url": "http://www.apple.com/support/downloads/quicktime72formac.html"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/26034/"
      },
      {
        "trust": 0.1,
        "url": "http://www.apple.com/support/downloads/quicktime72forwindows.html"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/about_secunia_advisories/"
      },
      {
        "trust": 0.1,
        "url": "http://docs.info.apple.com/article.html?artnum=304263\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://www.us-cert.gov/cas/techalerts/ta07-193a.html\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://docs.info.apple.com/article.html?artnum=305947\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://www.apple.com/quicktime/download/standalone.html\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://www.apple.com/support/downloads/quicktime72formac.html\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://www.apple.com/support/downloads/quicktime72forwindows.html\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://www.us-cert.gov/legal.html\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://docs.info.apple.com/article.html?artnum=106704\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://www.us-cert.gov/cas/signup.html\u003e."
      },
      {
        "trust": 0.1,
        "url": "http://www.kb.cert.org/vuls/byid?searchview\u0026query=quicktime_72\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://www.us-cert.gov/reading_room/securing_browser/\u003e"
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#582681"
      },
      {
        "db": "VULHUB",
        "id": "VHN-25759"
      },
      {
        "db": "BID",
        "id": "24873"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2007-000525"
      },
      {
        "db": "PACKETSTORM",
        "id": "57697"
      },
      {
        "db": "PACKETSTORM",
        "id": "57713"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200707-267"
      },
      {
        "db": "NVD",
        "id": "CVE-2007-2397"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CERT/CC",
        "id": "VU#582681"
      },
      {
        "db": "VULHUB",
        "id": "VHN-25759"
      },
      {
        "db": "BID",
        "id": "24873"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2007-000525"
      },
      {
        "db": "PACKETSTORM",
        "id": "57697"
      },
      {
        "db": "PACKETSTORM",
        "id": "57713"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200707-267"
      },
      {
        "db": "NVD",
        "id": "CVE-2007-2397"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2007-07-12T00:00:00",
        "db": "CERT/CC",
        "id": "VU#582681"
      },
      {
        "date": "2007-07-15T00:00:00",
        "db": "VULHUB",
        "id": "VHN-25759"
      },
      {
        "date": "2007-07-11T00:00:00",
        "db": "BID",
        "id": "24873"
      },
      {
        "date": "2007-07-24T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2007-000525"
      },
      {
        "date": "2007-07-13T00:55:11",
        "db": "PACKETSTORM",
        "id": "57697"
      },
      {
        "date": "2007-07-13T01:43:24",
        "db": "PACKETSTORM",
        "id": "57713"
      },
      {
        "date": "2007-07-15T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-200707-267"
      },
      {
        "date": "2007-07-15T21:30:00",
        "db": "NVD",
        "id": "CVE-2007-2397"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2007-07-13T00:00:00",
        "db": "CERT/CC",
        "id": "VU#582681"
      },
      {
        "date": "2018-10-30T00:00:00",
        "db": "VULHUB",
        "id": "VHN-25759"
      },
      {
        "date": "2007-09-05T18:21:00",
        "db": "BID",
        "id": "24873"
      },
      {
        "date": "2007-07-24T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2007-000525"
      },
      {
        "date": "2007-07-18T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-200707-267"
      },
      {
        "date": "2025-04-09T00:30:58.490000",
        "db": "NVD",
        "id": "CVE-2007-2397"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "57713"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200707-267"
      }
    ],
    "trust": 0.7
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Apple QuickTime fails to properly handle malformed movie files",
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#582681"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "input validation",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-200707-267"
      }
    ],
    "trust": 0.6
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2007-2397 (GCVE-0-2007-2397)

CERTA-2007-AVI-308

Description

Solution

GHSA-M3F9-6M4R-6X2C

GSD-2007-2397

FKIE_CVE-2007-2397

VAR-200707-0549

Tags

Sightings

Nomenclature