Apple security update patches QuickTime exploit

in macOS edited January 2014
Apple Computer on Tuesday afternoon released a recommended security update for Mac OS X 10.4 Tiger users that patches a vulnerability involving the company's QuickTime for Java and Quartz Composer software.

The release, labeled Security Update 2006-008, is available as a 1.5MB download for PowerPC-based Macs and as a 1.8MB Universal Binary for Intel-based Macs.

The single-fix release addresses a specific issue where visiting a malicious web site may lead to information disclosure.

"Java applets may use QuickTime for Java to obtain the images rendered on screen by embedded QuickTime objects and upload them to the originating web site," Apple explained. "When this facility is used in conjunction with Quartz Composer, it becomes possible to capture images that may contain local information."

The Cupertino, Calif.-based Mac maker said the update addresses the issue by disallowing Quartz Composer compositions in unsigned Java applets.

After applying the update, Quartz Composer compositions will continue to function locally, while applications and signed Java applets that utilize QuickTime and QuickTime for Java are unaffected.

Apple said the vulnerability does not affect systems prior to Mac OS X 10.4, nor does it affect the Windows platform.


  • Reply 1 of 4
    Any problems/issues with this update?
  • Reply 2 of 4
    Sorry to bring some bad news, but it doesn't fix this flaw:

    QuickTime HREF tracks functionality can potentiate phishing (MySpace vulnerability)

    The security update 2006-008 is for an unrelated flaw.

    Other than that no problems since updating.
  • Reply 3 of 4
    Please do your hair before surfing, your picture might still be taken.

    She now needs to apply for a free (and possibly anonymous) certificate to sign her jarfile if she wants to upload a picture of the visitors of her website with Java QuickTime. Freemail certificates will do just that.
  • Reply 4 of 4
    mydomydo
    The way I read this bug is that they can only capture your picture IF you have a live video running of your iSight at the time. I almost never use mine so ... I'm safe?