Home / mailingsPDF  

APPLE-SA-2010-12-07-1 QuickTime 7.6.9

Posted on 07 December 2010
Apple Security-announce

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2010-12-07-1 QuickTime 7.6.9

QuickTime 7.6.9 is now available and addresses the following:

QuickTime
CVE-ID: CVE-2010-3787
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted JP2 image may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in QuickTime's handling
of JP2 images. Viewing a maliciously crafted JP2 image may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed through improved bounds checking. For Mac OS X
v10.6 systems, this issue is addressed in Mac OS X v10.6.5. Credit to
Nils of MWR InfoSecurity for reporting this issue.

QuickTime
CVE-ID: CVE-2010-3788
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted JP2 image may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized memory access issue exists in
QuickTime's handling of JP2 images. Viewing a maliciously crafted JP2
image may lead to an unexpected application termination or arbitrary
code execution. This issue is addressed through improved validation
of JP2 images. For Mac OS X v10.6 systems, this issue is addressed in
Mac OS X v10.6.5. Credit to Damian Put and Procyun, working with
TippingPoint's Zero Day Initiative for reporting this issue.

QuickTime
CVE-ID: CVE-2010-3789
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted avi file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue is in QuickTime's handling of
avi files. Viewing a maliciously crafted avi file may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed through improved handling of avi files. For Mac OS
X v10.6 systems, this issue is addressed in Mac OS X v10.6.5. Credit
to Damian Put working with TippingPoint's Zero Day Initiative for
reporting this issue.

QuickTime
CVE-ID: CVE-2010-3790
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in QuickTime's
handling of movie files. Viewing a maliciously crafted movie file may
lead to an unexpected application termination or arbitrary code
execution. This issue is addressed through improved handling of movie
files. For Mac OS X v10.6 systems, this issue is addressed in Mac OS
X v10.6.5. Credit to Honggang Ren of Fortinet's FortiGuard Labs for
reporting this issue.

QuickTime
CVE-ID: CVE-2010-3791
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in QuickTime's handling of
MPEG encoded movie files. Viewing a maliciously crafted movie file
may lead to an unexpected application termination or arbitrary code
execution. This issue is addressed through improved bounds checking.
For Mac OS X v10.6 systems, this issue is addressed in Mac OS X
v10.6.5. Credit to an anonymous researcher working with
TippingPoint's Zero Day Initiative for reporting this issue.

QuickTime
CVE-ID: CVE-2010-3792
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A signedness issue exists in QuickTime's handling of
MPEG encoded movie files. Viewing a maliciously crafted movie file
may lead to an unexpected application termination or arbitrary code
execution. This issue is addressed through improved handling of MPEG
encoded movie files. For Mac OS X v10.6 systems, this issue is
addressed in Mac OS X v10.6.5. Credit to an anonymous researcher
working with TippingPoint's Zero Day Initiative for reporting this
issue.

QuickTime
CVE-ID: CVE-2010-3793
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in QuickTime's
handling of Sorenson encoded movie files. Viewing a maliciously
crafted movie file may lead to an unexpected application termination
or arbitrary code execution. This issue is addressed through improved
validation of Sorenson encoded movie files. For Mac OS X v10.6
systems, this issue is addressed in Mac OS X v10.6.5. Credit to an
anonymous researcher working with TippingPoint's Zero Day Initiative,
and Carsten Eiram of Secunia Research for reporting this issue.

QuickTime
CVE-ID: CVE-2010-3794
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted FlashPix image may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized memory access issue exists in
QuickTime's handling of FlashPix images. Viewing a maliciously
crafted FlashPix image may lead to an unexpected application
termination or arbitrary code execution. This issue is addressed
through improved memory management. For Mac OS X v10.6 systems, this
issue is addressed in Mac OS X v10.6.5. Credit to an anonymous
researcher working with TippingPoint's Zero Day Initiative for
reporting this issue.

QuickTime
CVE-ID: CVE-2010-3795
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted GIF image may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized memory access issue exists in
QuickTime's handling of GIF images. Viewing a maliciously crafted GIF
image may lead to an unexpected application termination or arbitrary
code execution. This issue is addressed through improved memory
management. For Mac OS X v10.6 systems, this issue is addressed in
Mac OS X v10.6.5. Credit to an anonymous researcher working with
TippingPoint's Zero Day Initiative for reporting this issue.

QuickTime
CVE-ID: CVE-2010-3800
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted PICT file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in QuickTime's
handling of PICT files. Viewing a maliciously crafted PICT file may
lead to an unexpected application termination or arbitrary code
execution. This issue is addressed through improved validation of
PICT files. Credit to Moritz Jodeit of n.runs AG and Damian Put,
working with TippingPoint's Zero Day Initiative, and Hossein Lotfi
(s0lute), working with VeriSign iDefense Labs for reporting this
issue.

QuickTime
CVE-ID: CVE-2010-3801
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted FlashPix image may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in QuickTime's
handling of FlashPix images. Viewing a maliciously crafted FlashPix
image may lead to an unexpected application termination or arbitrary
code execution. This issue is addressed through improved memory
management. Credit to Damian Put working with TippingPoint's Zero Day
Initiative, and Rodrigo Rubira Branco from the Check Point
Vulnerability Discovery Team for reporting this issue.

QuickTime
CVE-ID: CVE-2010-3802
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted QTVR movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in QuickTime's
handling of panorama atoms in QTVR (QuickTime Virtual Reality) movie
files. Viewing a maliciously crafted QTVR movie file may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed through improved handling of QTVR movie files.
Credit to an anonymous researcher working with TippingPoint's Zero
Day Initiative for reporting this issue.

QuickTime
CVE-ID: CVE-2010-1508
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in QuickTime's handling
of Track Header (tkhd) atoms. Viewing a maliciously crafted movie
file may lead to an unexpected application termination or arbitrary
code execution. This issue is addressed through improved bounds
checking. This issue does not affect Mac OS X systems. Credit to
Moritz Jodeit of n.runs AG, working with TippingPoint's Zero Day
Initiative, and Carsten Eiram of Secunia Research for reporting this
issue.

QuickTime
CVE-ID: CVE-2010-0530
Available for: Windows 7, Vista, XP SP2 or later
Impact: A local user may have access to sensitive information
Description: A filesystem permission issue exists in QuickTime. This
may allow a local user to access the contents of the "Apple Computer"
directory in the user's profile, which may lead to the disclosure of
sensitive information. This issue is addressed through improved
filesystem permissions. This issue does not affect Mac OS X systems.
Credit to Geoff Strickler of On-Line Transaction Consultants for
reporting this issue.

QuickTime
CVE-ID: CVE-2010-4009
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow exists in QuickTime's handling of
movie files. Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed through improved bounds checking. Credit to
Honggang Ren of Fortinet's FortiGuard Labs for reporting this issue.


QuickTime 7.6.9 may be obtained from the Software Update
application, or from the QuickTime Downloads site:
http://www.apple.com/quicktime/download/

For Mac OS X v10.5.8
The download file is named: "QuickTime769Leopard.dmg"
Its SHA-1 digest is: b580bfb4a66484f3ca12bcaf6e4adfde57574e20

For Windows 7 / Vista / XP SP3
The download file is named: "QuickTimeInstaller.exe"
Its SHA-1 digest is: 1eec8904f041d9e0ad3459788bdb690e45dbc38e

QuickTime is incorporated into Mac OS X v10.6 and later.
QuickTime 7.6.9 is not presented to systems running
Mac OS X v10.6 or later.

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

 

TOP