APPLE-SA-2007-05-29 Security Update (QuickTime 7.1.6)
Posted on 29 May 2007
Apple Security-announce

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2007-05-29 Security Update (QuickTime 7.1.6)

Security Update (QuickTime 7.1.6) is now available and provides
the following security enhancements:

QuickTime
CVE-ID: CVE-2007-2388
Available for: QuickTime 7.1.6 on Mac OS X and Windows
Impact: Visiting a malicious website may lead to arbitrary code
execution
Description: An implementation issue exists in QuickTime for Java,
which may allow instantiation or manipulation of objects outside the
bounds of the allocated heap. By enticing a user to visit a web page
containing a maliciously crafted Java applet, an attacker can trigger
the issue which may lead to arbitrary code execution. This update
addresses the issue by performing additional validation of Java
applets. Credit to John McDonald, Paul Griswold, and Tom Cross of IBM
Internet Security Systems X-Force, and Dyon Balding of Secunia
Research for reporting this issue.

QuickTime
CVE-ID: CVE-2007-2389
Available for: QuickTime 7.1.6 on Mac OS X and Windows
Impact: Visiting a malicious website may lead to the disclosure of
sensitive information
Description: A design issue exists in QuickTime for Java, which may
allow a web browser's memory to be read by a Java applet. By enticing
a user to visit a web page containing a maliciously crafted Java
applet, an attacker can trigger the issue which may lead to the
disclosure of sensitive information. This update addresses the issue
by clearing memory before allowing it to be used by untrusted Java
applets.

Security Update (QuickTime 7.1.6) may be obtained from the Software
Update application, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For QuickTime 7.1.6 on Mac OS X
The download file is named: "SecUpdQuickTime716.dmg"
Its SHA-1 digest is: 960b3d043366f214c62e94fc176e5e367eb75992

For QuickTime 7.1.6 on Windows
The download file is named: "SecUpdQuickTime716.msi"
Its SHA-1 digest is: 1ab14df3c1ef6f15d082cb5c13e9898097816ea9

Information will also be posted to the Apple Product Security
web site: http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/
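
The advisory lists a file name and SHA-1 digest for each download. The shell script below is an added example, not part of Apple's message, that checks a downloaded file against those two values. Its function names are illustrative, and it assumes sha1sum, shasum or openssl is installed.

```shell
#!/bin/sh
# Added example: check a downloaded QuickTime 7.1.6 security update against
# the SHA-1 digests published in the advisory above.

# Print the digest the advisory lists for a file name; fail if it lists none.
expected_sha1() {
    case "$(basename "$1")" in
        SecUpdQuickTime716.dmg) echo 960b3d043366f214c62e94fc176e5e367eb75992 ;;
        SecUpdQuickTime716.msi) echo 1ab14df3c1ef6f15d082cb5c13e9898097816ea9 ;;
        *) return 1 ;;
    esac
}

# Print the lowercase hex SHA-1 of a file using whichever tool is installed.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 1 "$1" | awk '{print $1}'
    else
        openssl dgst -sha1 "$1" | awk '{print $NF}'
    fi | tr 'A-F' 'a-f'
}

# Return 0 on match, 1 on mismatch, 2 if the file is missing or is not one
# of the two downloads named in the advisory.
verify_update() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    want=$(expected_sha1 "$file") || { echo "not in advisory: $file" >&2; return 2; }
    got=$(sha1_of "$file")
    if [ "$got" = "$want" ]; then
        echo "OK $file"
    else
        echo "MISMATCH $file: got $got, advisory lists $want" >&2
        return 1
    fi
}

# Usage: sh verify.sh /path/to/SecUpdQuickTime716.dmg
if [ "$#" -gt 0 ]; then
    verify_update "$1"
fi
```

A mismatch means the file is not the one the advisory describes and should not be installed.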