ALARM Group ALERT (ALARM, The Computing Alert System)
Alert Number: 010307-01
Alert Date: 01/03/07
Alert Title: *UNPATCHED* QuickTime vulnerability affects Windows and Mac users
Update-to: None
OS/Platform/Application: Apple QuickTime version 7.x and earlier, also (possibly) Apple iTunes 7.0.2 and earlier, on Windows and Mac systems
Category: ALERT
Severity: HIGH
Attention: System Administrators, Desktop Support Personnel, Users of QuickTime/iTunes on Windows and Mac systems
Summary: Several Internet security monitoring resources are reporting a vulnerability in the way Apple QuickTime handles rtsp:// URLs that could lead to execution of arbitrary code and potential takeover of the affected system. The most likely exploit vectors are visiting a malicious website or opening a malicious QTL (QuickTime Media Link) file, either of which can hand a crafted rtsp:// URL to QuickTime without further user interaction. At the time of this writing (9:30 AM 1/3/07) no patch is available from the vendor. The consensus among security resources is that the vulnerability is "critical" in nature.
Recommended Actions: A variety of suggested actions are available to address this vulnerability. These range from avoiding untrusted sites and files (in particular, not opening QTL files or following rtsp:// links from untrusted sources) to disabling the QuickTime RTSP URL handler so that rtsp:// links are no longer passed to QuickTime. Persons who manage or maintain systems that use QuickTime are encouraged to read the information related to the vulnerability (see links below) and choose the response that best fits their needs and environment.
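The following is an added triage example, not code from this alert or from Apple or the advisories linked below. It screens QTL files and web pages (the two exploit vectors named in the summary) for rtsp:// URLs that would be handed to QuickTime, so that quarantined attachments or proxy-captured pages can be reviewed before users open them. QTL is an XML file consisting of a quicktime processing instruction followed by an embed element whose src attribute names the media. The length threshold SUSPICIOUS_URL_LEN and all sample inputs are assumptions constructed for this example; the alert itself states no trigger length, so tune the threshold to your environment. Any rtsp:// reference in an unexpected file is worth a look while the vulnerability is unpatched, which is why the script reports every hit and only marks the oversized ones as suspicious.

```python
"""Triage heuristic for QuickTime Media Link (QTL) files and HTML that pass
rtsp:// URLs to QuickTime.  Added example; not code from the alert.  The
sample inputs at the bottom are constructed, not captured malware."""
import re
import xml.etree.ElementTree as ET

# Assumption (not stated by the alert): rtsp:// URLs longer than this are
# flagged for analyst review.  Tune to your environment.
SUSPICIOUS_URL_LEN = 255

# Matches rtsp URLs wherever they appear in text (attribute values, scripts).
RTSP_URL_RE = re.compile(r"""rtsp://[^\s"'<>]+""", re.IGNORECASE)


def rtsp_urls_in_qtl(qtl_doc):
    """Return rtsp:// URLs referenced by a QuickTime Media Link (QTL) file.

    QTL is XML: a quicktime processing instruction followed by an
    <embed src="..."> element.  Every element carrying a src attribute is
    checked.  If the XML is malformed (a deliberately broken file still
    reaches the QuickTime parser), fall back to a regex sweep so the URLs
    are still surfaced for review.
    """
    data = qtl_doc.encode("utf-8") if isinstance(qtl_doc, str) else qtl_doc
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return RTSP_URL_RE.findall(data.decode("utf-8", "replace"))
    return [el.attrib["src"] for el in root.iter()
            if el.attrib.get("src", "").lower().startswith("rtsp://")]


def rtsp_urls_in_html(html):
    """Return rtsp:// URLs a web page could hand to the QuickTime plug-in or
    URL handler (embed/object src, anchor href, inline script)."""
    return RTSP_URL_RE.findall(html)


def triage(urls):
    """Classify each URL as (url, length, suspicious)."""
    return [(u, len(u), len(u) > SUSPICIOUS_URL_LEN) for u in urls]


def scan_qtl(qtl_doc):
    """Findings for one QTL document."""
    return triage(rtsp_urls_in_qtl(qtl_doc))


def scan_html(html):
    """Findings for one HTML document."""
    return triage(rtsp_urls_in_html(html))


# Constructed samples: a normal media link, a short rtsp streaming link, an
# oversized rtsp link, and a page that embeds both kinds.
QTL_HEADER = ('<?xml version="1.0"?>\n'
              '<?quicktime type="application/x-quicktime-media-link"?>\n')
BENIGN_QTL = QTL_HEADER + '<embed src="http://media.example.com/clip.mov" autoplay="true"/>\n'
SHORT_RTSP_QTL = QTL_HEADER + '<embed src="rtsp://stream.example.com/live.sdp" autoplay="true"/>\n'
LONG_RTSP_QTL = QTL_HEADER + '<embed src="rtsp://stream.example.com/' + "A" * 400 + '" autoplay="true"/>\n'
HTML_SAMPLE = ('<html><body>\n'
               '<embed src="rtsp://stream.example.com/live.sdp" type="video/quicktime">\n'
               '<a href="rtsp://stream.example.com/' + "B" * 300 + '">watch</a>\n'
               '</body></html>\n')

if __name__ == "__main__":
    for label, findings in (("benign.qtl", scan_qtl(BENIGN_QTL)),
                            ("short.qtl", scan_qtl(SHORT_RTSP_QTL)),
                            ("long.qtl", scan_qtl(LONG_RTSP_QTL)),
                            ("page.html", scan_html(HTML_SAMPLE))):
        for url, length, suspicious in findings:
            tag = "SUSPICIOUS" if suspicious else "rtsp"
            print(f"{label}: {tag} len={length} {url[:60]}")
```

The regex fallback matters: an attacker has no reason to produce well-formed XML, and QuickTime's own parser is more forgiving than a strict XML library, so a parse failure must not be treated as "no URLs found". The same scan can be pointed at mail-gateway quarantine directories or proxy logs; hits on rtsp:// in QTL attachments from outside the organization are worth blocking outright until a vendor patch ships.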
ITS Actions: At this time, ITS is taking no specific additional actions to address this vulnerability. An update will be issued if the situation changes.
Resources:
FrSIRT advisory:
http://www.frsirt.com/english/advisories/2007/0001
Secunia advisory:
http://secunia.com/advisories/23540/
SANS advisory (includes steps to disable the RTSP handler):
http://isc.sans.org/diary.php?storyid=1993
MOAB advisory (provides detailed analysis of vulnerability):
http://projects.info-pull.com/moab/MOAB-01-01-2007.html