Apple Computer Inc. Information for VU#112553

Apple QuickTime Player for Windows contains buffer overflow in processing of overly long QuickTime URLs

Status

Affected

Vendor Statement

APPLE-SA-2003-03-31 QuickTime Player for Windows

A potential vulnerability in Apple's QuickTime Player for Windows could
allow a remote attacker to compromise a target system.  This exploit is
only possible if the attacker can convince a user to load a specially
crafted QuickTime URL.  Upon successful exploitation, arbitrary code
can be executed under the privileges of the QuickTime user.

CVE Candidate ID:  CAN-2003-0168

Versions affected:  QuickTime Player versions 5.x and 6.0 for Windows.
QuickTime Player for Mac OS and Mac OS X are not affected.

Recommendation:  Install QuickTime version 6.1 for Windows

QuickTime 6.1 for Windows is available via:

  http://www.apple.com/quicktime/download/
  - or -
  "Update Existing Software" menu item in QuickTime Player

Credit to Texonet (http://www.texonet.com/) for discovering this
vulnerability.

Apple Product Security

http://www.apple.com/support/security/

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

The CERT/CC has no additional comments at this time.
