PT-2005-2558 · Apple · QuickTime Player +2

David Remahl · Published 2005-05-12 · Updated 2011-03-08 · CVE-2005-1579

CVSS v2.0: 5.0 (Medium)

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Apple QuickTime Player version 7.0 on Mac OS X 10.4

Description

The issue allows remote attackers to obtain sensitive information via a .mov file with a Quartz Composer composition (.qtz) file. Compositions are built from an advanced set of tools, called patches, and a composition embedded within the file can trigger the issue. By combining patches that provide advanced system information with patches that load information from the Internet, a remote attacker can create a malicious *.qtz or *.mov file. Such a file discloses sensitive information to a malicious server once the victim views it, for example in a web browser with the QuickTime plugin.

Recommendations

For Apple QuickTime Player version 7.0 on Mac OS X 10.4, consider disabling the use of Quartz Composer files (*.qtz) as a temporary workaround until a patch is available. Restrict access to compositions created with the Quartz Composer application to minimize the risk of exploitation. Avoid viewing suspicious .mov files, especially those containing Quartz Composer compositions, in a web browser with the QuickTime plugin.

Fix

Related Identifiers

CVE-2005-1579

Affected Products

Mac OS X
Quartz Composer
QuickTime Player