ALARM Group ALERT (ALARM, The Computing Alert System)
Alert Number: 042507-01
Alert Date: 04/25/07
Alert Title: *UNPATCHED* Quicktime Java vulnerability affects Windows and Mac users
Update-to: None
OS/Platform/Application: Apple Quicktime version 7.x and earlier
Category: ALERT
Severity: HIGH
Attention: System Administrators, Desktop Support Personnel, Users of Quicktime on Windows and Mac systems
Summary: Several Internet security monitoring resources are reporting a Java handling vulnerability in Apple Quicktime that could lead to the execution of arbitrary code and potential system takeover. The most likely exploit vector is a visit to a malicious website with a Java-enabled browser. At the time of this writing, Safari and Firefox are confirmed to be vulnerable on OS X systems, and Firefox is presumed to be vulnerable on Windows systems. The Opera browser may also be vulnerable. A patch for this vulnerability is not yet available from the vendor. The consensus among security resources is that the vulnerability is "critical" to "highly critical" in nature.
Recommended Actions: At the time of this writing the actions recommended by various security resources are to avoid browsing untrusted websites and to disable Java support on vulnerable systems/browsers. System administrators and users are encouraged to read the details of the vulnerability (links provided below) and to consider implementing a response that best fits their needs and environment.
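The following script is an added example for administrators applying the "disable Java support" recommendation to managed Firefox profiles; it is not part of this alert and not Apple or Mozilla code. It assumes a Firefox 2-era profile that honours the classic user_pref(...) syntax in prefs.js/user.js and the security.enable_java preference that controlled Java applet support in that version; the sample preference text is constructed for the demonstration.

```python
import re
from pathlib import Path

# Firefox preference that controlled Java applet support in the Firefox 2 era
# (later versions moved this to the plugin manager). Assumption: the profile
# uses the classic user_pref("name", value); syntax in prefs.js or user.js.
JAVA_PREF = "security.enable_java"

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Parse user_pref("name", value); lines into a dict of name -> raw value text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def java_enabled(text):
    """Firefox enabled Java by default, so a missing preference counts as enabled."""
    value = parse_prefs(text).get(JAVA_PREF, "true")
    return value.lower() != "false"


def disable_java(text):
    """Return the preference text with security.enable_java forced to false.

    An existing line is rewritten in place so the file keeps one definition;
    otherwise a new line is appended.
    """
    out = []
    seen = False
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1) == JAVA_PREF:
            out.append('user_pref("%s", false);' % JAVA_PREF)
            seen = True
        else:
            out.append(line)
    if not seen:
        out.append('user_pref("%s", false);' % JAVA_PREF)
    return "\n".join(out) + "\n"


def harden_profile(path):
    """Disable Java in the preference file at path; returns True if it was changed."""
    p = Path(path)
    text = p.read_text() if p.exists() else ""
    if java_enabled(text):
        p.write_text(disable_java(text))
        return True
    return False


# Constructed sample prefs.js content for the demonstration, not a real profile.
SAMPLE_PREFS = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.example.edu/");
user_pref("security.enable_java", true);
'''

if __name__ == "__main__":
    print("Java enabled before:", java_enabled(SAMPLE_PREFS))
    hardened = disable_java(SAMPLE_PREFS)
    print("Java enabled after:", java_enabled(hardened))
    print(hardened)
```

Run harden_profile() against each managed profile's user.js (user.js overrides prefs.js on every start, so the setting survives the user toggling it in the UI); re-enable Java only after the vendor patch is installed, as browsers with Java turned off will stop rendering legitimate applets too.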
ITS Actions: At this time, ITS is taking no specific additional actions to address this vulnerability. An update will be issued if the situation changes.
Resources:
FrSIRT advisory:
http://www.frsirt.com/english/advisories/2007/1496
Secunia advisory:
http://secunia.com/advisories/25011/
SANS advisory:
http://isc.sans.org/diary.html?storyid=2689
Matasano Chargen blog entry:
http://www.matasano.com/log/812/breaking-macbook-vuln-in-quicktime-affects-win32-apple-code/