CVE-2005-2755
Description
Apple QuickTime Player before 7.0.3 allows user-assisted attackers to cause a denial of service (crash) via a crafted file with a missing movie attribute, which leads to a null dereference.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apple QuickTime Player before 7.0.3 crashes when opening a crafted file with a missing movie attribute due to a null pointer dereference.
Vulnerability
In Apple QuickTime Player before 7.0.3, a crafted QuickTime movie file that omits a required movie attribute causes a null pointer dereference during parsing. This bug exists because the software fails to validate the presence of the movie attribute before accessing it. Versions prior to 7.0.3 are affected [1][2].
Exploitation
An attacker must craft a malicious QuickTime file lacking the movie attribute and convince a user to open it via email, web download, or other means. No authentication or special network position is required; only user interaction is needed [1][2].
Impact
Successful exploitation results in a crash of QuickTime Player, leading to a denial of service. No code execution or data compromise is reported [1][2].
Mitigation
Apple released QuickTime Player 7.0.3 to fix the issue. Users should upgrade to this version or later. No workaround is available for earlier versions [1][2].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:apple:quicktime:6.5.2:*:mac_os_x_10.2:*:*:*:*:*
- cpe:2.3:a:apple:quicktime:6.5.2:*:mac_os_x_10.3:*:*:*:*:*
- cpe:2.3:a:apple:quicktime:7.0.1:*:mac_os_x_10.3:*:*:*:*:*
- cpe:2.3:a:apple:quicktime:7.0.1:*:mac_os_x_10.4:*:*:*:*:*
- cpe:2.3:a:apple:quicktime:7.0.1:*:windows:*:*:*:*:*
- cpe:2.3:a:apple:quicktime:7.0:*:windows:*:*:*:*:*
- cpe:2.3:a:apple:quicktime:*:*:windows:*:*:*:*:* (range: <=7.0.2)
- Range: <7.0.3
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Null pointer dereference when QuickTime Player accesses a missing movie attribute in a crafted file."
Attack vector
An attacker crafts a malicious QuickTime movie file that lacks a required movie attribute. The attacker must convince a user to open this file in Apple QuickTime Player before version 7.0.3. When the player attempts to read the missing attribute, it dereferences a null pointer, causing the application to crash [ref_id=1].
Affected code
The advisory does not specify the exact function or file path within Apple QuickTime Player. The vulnerability is triggered when the application processes a crafted movie file that is missing a required movie attribute, leading to a null pointer dereference [ref_id=1].
What the fix does
The advisory does not include a patch diff. Apple addressed the issue in QuickTime Player 7.0.3 by adding proper validation for the missing movie attribute before it is accessed, preventing the null pointer dereference [ref_id=1]. No further technical details about the fix are provided in the available reference.
Preconditions
- Input: The victim must open a crafted QuickTime movie file using Apple QuickTime Player before version 7.0.3.
- Input: The crafted file must be missing a required movie attribute.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- securitytracker.com/id (nvd; Patch, Vendor Advisory)
- pb.specialised.info/all/adv/quicktime-mov-dos-adv.txt (nvd; Vendor Advisory)
- secunia.com/advisories/17428 (nvd; Vendor Advisory)
- archives.neohapsis.com/archives/fulldisclosure/2005-11/0102.html (nvd)
- docs.info.apple.com/article.html (nvd)
- securityreason.com/securityalert/145 (nvd)
- www.osvdb.org/20477 (nvd)
- www.securityfocus.com/archive/1/415717/30/0/threaded (nvd)
- www.securityfocus.com/bid/15307 (nvd)
- www.vupen.com/english/advisories/2005/2293 (nvd)
News mentions
No linked articles in our index yet.