This document describes the security enhancements included with QuickTime 7.0.1, which can be downloaded and installed using Software Update, or from Apple Downloads.
For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.
For information about the Apple Product Security PGP Key, see "How To Use The Apple Product Security PGP Key."
Where possible, CVE IDs are used to reference the vulnerabilities for further information.
To learn about other Security Updates, see "Apple Security Updates."
CVE-ID: CAN-2005-1334
Available for: QuickTime 7.0
Impact: With QuickTime 7.0, a QuickTime movie containing a maliciously crafted Quartz Composer object can leak data to an arbitrary web location.
Description: Quartz Composer objects can be wrapped in a QuickTime track and delivered as a QuickTime movie. With QuickTime 7.0, a Quartz Composer object can gather local data and send it using an encoded URL to an arbitrary web location. The QuickTime 7.0.1 update modifies the QuickTime Quartz Composer Plugin to prevent access to remote web locations. Credit to David Remahl (www.remahl.se/david) for reporting this issue.