APPLE-SA-2005-05-31 – QuickTime 7.0.1

Quartz Composer objects can be wrapped in a QuickTime track, and can be delivered as a QuickTime movie. With QuickTime 7.0, a Quartz Composer object can gather local data and send it via an encoded URL to an arbitrary web location. The QuickTime 7.0.1 update modifies the QuickTime Quartz Composer Plugin to prevent access to remote web locations.


QuickTime 7.0.1 is now available and delivers the following security improvement for the Quartz Composer Plugin:


CVE-ID:  CAN-2005-1334


Available for:  QuickTime 7.0


Impact:  With QuickTime 7.0, a QuickTime movie containing a maliciously crafted Quartz Composer object can leak data to an arbitrary web location.


This issue does not occur in QuickTime for Windows. Credit to David Remahl of www.remahl.se/david for reporting this issue.


QuickTime 7.0.1 is available at http://www.apple.com/quicktime/download/mac.html for QuickTime version 7


http://www.uniras.gov.uk/niscc/docs/br-20050601-00455.html?lang=en
