APPLE-SA-2009-01-21 QuickTime MPEG-2 Playback Component
Posted on 21 January 2009
Apple Security-announce
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2009-01-21 QuickTime MPEG-2 Playback Component
The QuickTime MPEG-2 Playback Component for Windows is now available
and addresses the following issue:
CVE-ID: CVE-2009-0008
Available for: Windows Vista, XP SP2 and SP3
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An input validation issue exists in the QuickTime
MPEG-2 Playback Component for Windows. Accessing a maliciously
crafted movie file may lead to an unexpected application termination
or arbitrary code execution. This update addresses the issue by
performing additional validation of MPEG-2 files. This issue does not
affect systems running Mac OS X. Credit to Richard Lemon of Code
Lemon for reporting this issue.
The QuickTime MPEG-2 Playback Component is not installed by default,
and is provided separately from QuickTime. Details are available via
http://www.apple.com/quicktime/mpeg2/
Users who have paid for and
downloaded an earlier version of the QuickTime MPEG-2 Playback
Component from the Apple Store may download the updated version for
free.
The steps to determine that a system has the updated version are
listed at http://support.apple.com/kb/HT3381.
The version number of the updated QuickTime MPEG-2 Playback
Component for Windows is 7.60.92.0.
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/