Alert Number: 112607-01
Alert Date: 11/26/07
Alert Title: *UNPATCHED* vulnerability affects iTunes and Quicktime users
Update-to: None
OS/Platform/Application:
Please note that this vulnerability may affect operating systems other than the ones listed below.
Apple Quicktime 7.2, 7.3 on Microsoft Windows Vista
Apple Quicktime 7.2, 7.3 on Microsoft XP
Apple iTunes (Quicktime is a component of iTunes)
Category: ALERT
Severity: HIGH
Attention: System Administrators, Desktop Support Personnel, Quicktime and iTunes users.
Summary: Several Internet security-related websites are reporting the existence of a vulnerability in Quicktime that could result in system takeover. The most likely vector of exploitation is visiting a maliciously crafted website or opening a maliciously crafted piece of website content (such as a Quicktime Media Link file). At the time of this writing (9:10 AM 11/26/07), no patch has been made available from the vendor to address this issue, and exploit code for this vulnerability is known to be circulating publicly on the Internet.
Please note that QuickTime is a component of Apple iTunes. According to at least one Internet Security resource, the relationship between QuickTime and iTunes makes iTunes installations vulnerable to this exploit as well.
Recommended Actions: Quicktime and iTunes users should avoid clicking on content from untrusted websites, such as media files or links. The same caution should be extended to visiting untrusted websites. System Administrators and iTunes/Quicktime users are encouraged to read the security information (safe links provided below) for more information on this vulnerability and to install the necessary patches as soon as they are made available from the vendor.
Readers are encouraged to share this alert with family, friends, and associates who may use Quicktime or iTunes on their home PCs.
ITS Actions: N/A
Resources:
US-CERT Vulnerability notice:
http://www.kb.cert.org/vuls/id/659761
Secunia notice:
http://secunia.com/advisories/27755/