New QuickTime addresses multiple vulnerabilities
ALARM Group ALERT (ALARM, The Computing Alert System)
Alert Number: 040308-01
Alert Date: 04/03/08
Alert Title: New QuickTime addresses multiple vulnerabilities
Update-to: None.
OS/Platform/Application: Apple QuickTime on Windows and Mac systems
Category: ALERT
Severity: MEDIUM
Attention: QuickTime Users, System Administrators, Desktop Support Personnel
Summary: On April 2, 2008, Apple released version 7.4.5 of its popular QuickTime media player. Version 7.4.5 addresses 11 security vulnerabilities. The most likely means of exploiting these vulnerabilities is a visit to a maliciously crafted website** or the viewing of a maliciously crafted movie file**. Successful exploitation could result in a range of negative outcomes, including application crash and complete system takeover.
Recommended Actions: QuickTime users and System Administrators/Support Personnel should read the advisory information (safe links provided below) and install the update as soon as possible.
**It is important to note that recent research into the nature and trends of maliciously crafted sites shows that the majority of websites hosting maliciously crafted software are ones users presume to be "legitimate" sites or advertisements for well-known and/or trusted products. The fact that dangerous software may be hiding within seemingly innocuous websites makes it vitally important to patch all vulnerable software on any system as soon as patches are made available from the vendor. In cases where a patch is not yet available, users should consider any website they visit and any media file they handle as a potential source of compromise for their computer systems.
Readers are encouraged to share this alert with family, friends, and associates who may use QuickTime on their home PCs.
ITS Actions: N/A
Resources:
Security Content of QuickTime 7.4.5: http://support.apple.com/kb/HT1241
Apple Downloads page (includes links for Windows and Mac): http://www.apple.com/support/downloads/
SANS Advisory: http://isc.sans.org/diary.html?storyid=4232