
APPLE-SA-2010-09-15-1 QuickTime 7.6.8

Posted on 15 September 2010
Apple Security-announce

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2010-09-15-1 QuickTime 7.6.8

QuickTime 7.6.8 is now available and addresses the following:

QuickTime
CVE-ID: CVE-2010-1818
Available for: Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: An input validation issue exists in the QuickTime
ActiveX control. An optional parameter '_Marshaled_pUnk' may be
passed to the ActiveX control to specify an arbitrary integer that is
later treated as a pointer. Visiting a maliciously crafted website
may lead to an unexpected application termination or arbitrary code
execution. This issue is addressed by ignoring the '_Marshaled_pUnk'
parameter. This issue does not affect Mac OS X systems. Credit to
HBelite working with TippingPoint's Zero Day Initiative for reporting
this issue.

QuickTime
CVE-ID: CVE-2010-1819
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing an image in a maliciously prepared directory may
lead to arbitrary code execution
Description: A path searching issue exists in QuickTime Picture
Viewer. If an attacker places a maliciously crafted DLL in the same
directory as an image file, opening the image file with QuickTime
Picture Viewer may lead to arbitrary code execution. This issue is
addressed by removing the current working directory from the DLL
search path. This issue does not affect Mac OS X systems. Credit to
Haifei Li of Fortinet's FortiGuard Labs for reporting this issue.


QuickTime 7.6.8 may be obtained from the Software Update
application, or from the QuickTime Downloads site:
http://www.apple.com/quicktime/download/

For Windows 7 / Vista / XP SP2 or later
The download file is named: "QuickTimeInstaller.exe"
Its SHA-1 digest is: 38e33492ea1200abeda87256872e5a3dd47e584f

QuickTime 7.6.8 is not presented to Mac OS X systems.

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
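Added example (not part of Apple's advisory and not Apple's code): a simplified Python model of the classic Windows DLL search order, showing why a DLL placed beside an image can be loaded and why removing the current working directory, the fix described for CVE-2010-1819, closes that path. It assumes the viewer's working directory is the directory of the opened image. All paths, DLL names and function names are hypothetical.

```python
import ntpath

# Constructed sample layout; every path and DLL name here is hypothetical.
APP = r"C:\Program Files\ExampleViewer"
CWD = r"D:\share\photos"            # directory holding the opened image
SYSTEM = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]
FILES = {
    r"D:\share\photos\helper.dll",  # planted beside the image
    r"D:\share\photos\syslib.dll",  # planted copy of a system DLL name
    r"C:\Windows\System32\syslib.dll",
}

def search_order(app_dir, cwd, path_dirs=(), safe_search=True, cwd_removed=False):
    """Directories probed, in order, for a bare DLL name (simplified model:
    KnownDLLs, manifests and redirection are left out)."""
    if cwd_removed:        # the fix the advisory describes
        order = [app_dir] + SYSTEM
    elif safe_search:      # SafeDllSearchMode on: CWD after the system dirs
        order = [app_dir] + SYSTEM + [cwd]
    else:                  # SafeDllSearchMode off: CWD right after the app dir
        order = [app_dir, cwd] + SYSTEM
    return order + list(path_dirs)

def resolve(dll_name, order, files=FILES):
    """Return the first existing candidate path, or None (case-insensitive)."""
    present = {ntpath.normcase(p): p for p in files}
    for directory in order:
        hit = present.get(ntpath.normcase(ntpath.join(directory, dll_name)))
        if hit:
            return hit
    return None

def loads_from_cwd(dll_name, **mode):
    """True if the load would be satisfied from the current working directory."""
    hit = resolve(dll_name, search_order(APP, CWD, **mode))
    return hit is not None and ntpath.normcase(ntpath.dirname(hit)) == ntpath.normcase(CWD)

if __name__ == "__main__":
    for name in ("helper.dll", "syslib.dll"):
        for mode in ({"safe_search": False}, {"safe_search": True}, {"cwd_removed": True}):
            print(name, mode, "->", resolve(name, search_order(APP, CWD, **mode)))
```

In this model, SafeDllSearchMode only protects DLL names that exist in a system directory; a name found nowhere earlier still resolves from the working directory until that directory is removed from the search path.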

 
