Home / mailingsPDF  

APPLE-SA-2009-06-01-1 QuickTime 7.6.2

Posted on 01 June 2009
Apple Security-announce

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2009-06-01-1 QuickTime 7.6.2

QuickTime 7.6.2 is now available and addresses the following:

QuickTime
CVE-ID: CVE-2009-0188
Available for: Mac OS X v10.4.11, Mac OS X v10.5.7,
Windows Vista and XP SP3
Impact: Opening a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in QuickTime's
handling of Sorenson 3 video files. This may lead to an unexpected
application termination or arbitrary code execution. This update
addresses the issue by performing additional validation of Sorenson 3
video files. Credit to Carsten Eiram of Secunia Research for
reporting this issue.

QuickTime
CVE-ID: CVE-2009-0951
Available for: Mac OS X v10.4.11, Mac OS X v10.5.7,
Windows Vista and XP SP3
Impact: Opening a maliciously crafted FLC compression file may lead
to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in the handling of FLC
compression files. Opening a maliciously crafted FLC compression file
may lead to an unexpected application termination or arbitrary code
execution. This update addresses the issue through improved bounds
checking. Credit to an anonymous researcher working with
TippingPoint's Zero Day Initiative for reporting this issue.

QuickTime
CVE-ID: CVE-2009-0952
Available for: Mac OS X v10.4.11, Mac OS X v10.5.7,
Windows Vista and XP SP3
Impact: Viewing a maliciously crafted PSD image may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow may occur while processing a
compressed PSD image. Opening a maliciously crafted compressed PSD
file may lead to an unexpected application termination or arbitrary
code execution. This update addresses the issue through improved
bounds checking. Credit to Damian Put working with TippingPoint's
Zero Day Initiative for reporting this issue.

QuickTime
CVE-ID: CVE-2009-0010
Available for: Windows Vista and XP SP3
Impact: Opening a maliciously crafted PICT image may lead to an
unexpected application termination or arbitrary code execution
Description: An integer underflow in QuickTime's handling of PICT
images may result in a heap buffer overflow. Opening a maliciously
crafted PICT file may lead to an unexpected application termination
or arbitrary code execution. This update addresses the issue by
performing additional validation of PICT images. Credit to Sebastian
Apelt working with TippingPoint's Zero Day Initiative, and Chris Ries
of Carnegie Mellon University Computing Services for reporting this
issue.

QuickTime
CVE-ID: CVE-2009-0953
Available for: Mac OS X v10.4.11, Mac OS X v10.5.7,
Windows Vista and XP SP3
Impact: Opening a maliciously crafted PICT image may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in QuickTime's handling
of PICT images. Opening a maliciously crafted PICT file may lead to
an unexpected application termination or arbitrary code execution.
This update addresses the issue by performing additional validation
of PICT images. Credit to Sebastian Apelt working with TippingPoint's
Zero Day Initiative for reporting this issue.

QuickTime
CVE-ID: CVE-2009-0954
Available for: Windows Vista and XP SP3
Impact: Opening a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in QuickTime's handling
of Clipping Region (CRGN) atom types in a movie file. Opening a
maliciously crafted movie file may lead to an unexpected application
termination or arbitrary code execution. This update addresses the
issue through improved bounds checking. This issue does not affect
Mac OS X systems. Credit to an anonymous researcher working with
TippingPoint's Zero Day Initiative for reporting this issue.

QuickTime
CVE-ID: CVE-2009-0185
Available for: Mac OS X v10.4.11, Mac OS X v10.5.7,
Windows Vista and XP SP3
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in the handling of MS
ADPCM encoded audio data. Viewing a maliciously crafted movie file
may lead to an unexpected application termination or arbitrary code
execution. This update addresses the issue through improved bounds
checking. Credit to Alin Rad Pop of Secunia Research for reporting
this issue.

QuickTime
CVE-ID: CVE-2009-0955
Available for: Mac OS X v10.4.11, Mac OS X v10.5.7,
Windows Vista and XP SP3
Impact: Opening a maliciously crafted video file may lead to an
unexpected application termination or arbitrary code execution
Description: A sign extension issue exists in QuickTime's handling
of image description atoms. Opening a maliciously crafted Apple video
file may lead to an unexpected application termination or arbitrary
code execution. This update addresses the issue through improved
validation of description atoms. Credit to Roee Hay of IBM Rational
Application Security Research Group for reporting this issue.

QuickTime
CVE-ID: CVE-2009-0956
Available for: Mac OS X v10.4.11, Mac OS X v10.5.7,
Windows Vista and XP SP3
Impact: Viewing a movie file with a maliciously crafted user data
atom may lead to an unexpected application termination or arbitrary
code execution
Description: An uninitialized memory access issue exists in
QuickTime's handling of movie files. Viewing a movie file with a zero
user data atom size may lead to an unexpected application termination
or arbitrary code execution. This update addresses the issue by
performing additional validation of movie files, and presenting a
warning dialog to the user. Credit to Lurene Grenier of Sourcefire,
Inc. (VRT) for reporting this issue.

QuickTime
CVE-ID: CVE-2009-0957
Available for: Mac OS X v10.4.11, Mac OS X v10.5.7,
Windows Vista and XP SP3
Impact: Viewing a maliciously crafted JP2 image may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in QuickTime's handling
of JP2 images. Viewing a maliciously crafted JP2 image may lead to an
unexpected application termination or arbitrary code execution. This
update addresses the issue through improved bounds checking. Credit
to Charlie Miller of Independent Security Evaluators, and Damian Put
working with TippingPoint's Zero Day Initiative for reporting this
issue.


QuickTime 7.6.2 may be obtained from the Software Update
application, or from the QuickTime Downloads site:
http://www.apple.com/quicktime/download/

For Mac OS X v10.5.7
The download file is named: "QuickTime762_Leopard.dmg"
Its SHA-1 digest is: 9484ba3e41638935625b7eb338f0b31298f1f973

For Mac OS X v10.4.11
The download file is named: "QuickTime762_Tiger.dmg"
Its SHA-1 digest is: 74b1c170907dc402c6855b37cfe1a3432a10a92f

For Windows Vista / XP SP3
The download file is named: "QuickTimeInstaller.exe"
Its SHA-1 digest is: f8ba0b1ef3cf5a0317ea28b31db71e79c63e48b8

QuickTime with iTunes for Windows 32-bit XP or Vista
The download file is named: "iTunesSetup.exe"
Its SHA-1 digest is: 16f5b1e787b36aece842ea5ae80bfc6bf2b32b19

QuickTime with iTunes for Windows 64-bit Vista
The download file is named: "iTunes64Setup.exe"
Its SHA-1 digest is: b8739f847f2b66835f4f4b542b3308de96d418ed

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

 

TOP