APPLE-SA-2005-05-31 – QuickTime 7.0.1

Quartz Composer objects can be wrapped in a QuickTime track, and can be delivered as a QuickTime movie. With QuickTime 7.0, a Quartz Composer object can gather local data and send it via an encoded URL to an arbitrary web location. The QuickTime 7.0.1 update modifies the QuickTime Quartz Composer Plugin to prevent access to remote web locations.

QuickTime 7.0.1 is now available and delivers the following security improvement for the Quartz Composer Plugin:

CVE-ID:  CAN-2005-1334

Available for:  QuickTime 7.0

Impact:  With QuickTime 7.0, a QuickTime movie containing a maliciously crafted Quartz Composer object can leak data to an arbitrary web location.

This issue does not occur in QuickTime for Windows.  Credit to David Remahl of
for reporting this issue.

QuickTime 7.0.1 is available at for QuickTime version 7
