CVE-2007-0646

Name of the Vulnerable Software and Affected Versions iMovie HD version 6.0.3 Apple Mac OS X versions 10.4 through 10.4.10

Description The issue allows remote user-assisted attackers to cause a denial of service (crash) via format string specifiers in a filename. This occurs because the filename is not properly handled when calling the NSRunCriticalAlertPanel Apple AppKit function.

Recommendations For iMovie HD version 6.0.3, consider avoiding the use of format string specifiers in filenames until a fix is available. For Apple Mac OS X versions 10.4 through 10.4.10, restrict the ability to call the NSRunCriticalAlertPanel function with untrusted filenames to minimize the risk of exploitation.