Rapid7 Vulnerability & Exploit Database

QuickTime: improper handling of unrecognized URIs allows arbitrary code execution via malicious file URLs (CVE-2008-1585)

Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Published: 06/10/2008
Created: 07/25/2018
Added: 10/25/2010
Modified: 01/30/2020

Description

A URL handling issue exists in QuickTime's handling of file: URLs. This may allow arbitrary applications and files to be launched when a user plays maliciously crafted QuickTime content in QuickTime Player. This update addresses the issue by revealing files in Finder or Windows Explorer rather than launching them. Credit to Vinoo Thomas and Rahul Mohandas of McAfee Avert Labs, and Petko D. (pdp) Petkov of GNUCITIZEN working with TippingPoint's Zero Day Initiative for reporting this issue.

Solution(s)

  • quicktime-upgrade-7_5_0
