Home / mailings APPLE-SA-2012-05-15-1 QuickTime 7.7.2
Posted on 15 May 2012
Apple Security-announce-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2012-05-15-1 QuickTime 7.7.2
QuickTime 7.7.2 is now available and addresses the following:
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple stack overflows existed in QuickTime's
handling of TeXML files. These issues do not affect OS X systems.
CVE-ID
CVE-2012-0663 : Alexander Gavrun working with HP's Zero Day
Initiative
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A heap overflow existed in QuickTime's handling of text
tracks. This issue does not affect OS X systems.
CVE-ID
CVE-2012-0664 : Alexander Gavrun working with HP's Zero Day
Initiative
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in the handling of H.264
encoded movie files.
CVE-ID
CVE-2012-0665 : Luigi Auriemma working with HP's Zero Day Initiative
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Opening a maliciously crafted MP4 encoded file may lead to
an unexpected application termination or arbitrary code execution
Description: An uninitialized memory access issue existed in the
handling of MP4 encoded files. For OS X Lion systems, this issue is
addressed in OS X Lion v10.7.3. For Mac OS X v10.6 systems, this
issue is addressed in Security Update 2012-001.
CVE-ID
CVE-2011-3458 : Luigi Auriemma and pa_kt both working with HP's Zero
Day Initiative
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An off by one buffer overflow existed in the handling
of rdrf atoms in QuickTime movie files. For OS X Lion systems, this
issue is addressed in OS X Lion v10.7.3. For Mac OS X v10.6 systems,
this issue is addressed in Security Update 2012-001.
CVE-ID
CVE-2011-3459 : Luigi Auriemma working with HP's Zero Day Initiative
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted movie file during progressive
download may lead to an unexpected application termination or
arbitrary code execution
Description: A buffer overflow existed in the handling of audio
sample tables. For OS X Lion systems, this issue is addressed in OS X
Lion v10.7.4. For Mac OS X v10.6 systems, this issue is addressed in
Security Update 2012-002.
CVE-ID
CVE-2012-0658 : Luigi Auriemma working with HP's Zero Day Initiative
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted MPEG file may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow existed in the handling of MPEG
files. For OS X Lion systems, this issue is addressed in OS X Lion
v10.7.4. For Mac OS X v10.6 systems, this issue is addressed in
Security Update 2012-002.
CVE-ID
CVE-2012-0659 : An anonymous researcher working with HP's Zero Day
Initiative
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A stack buffer overflow existed in the QuickTime
plugin's handling of QTMovie objects. This issue does not affect OS X
systems.
CVE-ID
CVE-2012-0666 : CHkr_D591 working with HP's Zero Day Initiative
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Processing a maliciously crafted PNG image may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of PNG files.
For OS X Lion systems, this issue is addressed in OS X Lion v10.7.3.
For Mac OS X v10.6 systems, this issue is addressed in Security
Update 2012-001.
CVE-ID
CVE-2011-3460 : Luigi Auriemma working with HP's Zero Day Initiative
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted QTVR movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A signedness issue existed in the handling of QTVR
movie files. This issue does not affect OS X systems.
CVE-ID
CVE-2012-0667 : Alin Rad Pop working with HP's Zero Day Initiative
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A use after free issue existed in the handling of
JPEG2000 encoded movie files. This issue does not affect systems
prior to OS X Lion. For OS X Lion systems, this issue is addressed in
OS X Lion v10.7.4.
CVE-ID
CVE-2012-0661 : Damian Put working with HP's Zero Day Initiative
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of RLE
encoded movie files.
CVE-ID
CVE-2012-0668 : Luigi Auriemma working with HP's Zero Day Initiative
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in QuickTime's handling of
Sorenson encoded movie files. This issue does not affect OS X
systems.
CVE-ID
CVE-2012-0669 : Damian Put working with HP's Zero Day Initiative
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow existed in QuickTime's handling of
sean atoms.
CVE-ID
CVE-2012-0670 : Tom Gallagher (Microsoft) and Paul Bates (Microsoft)
working with HP's Zero Day Initiative
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted .pict file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the handling of
.pict files.
CVE-ID
CVE-2012-0671 : Rodrigo Rubira Branco (twitter.com/bsdaemon) from the
Qualys Vulnerability & Malware Research Labs (VMRL)
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Opening a file in a maliciously crafted path may lead to an
unexpected application termination or arbitrary code execution
Description: A stack buffer overflow existed in QuickTime's handling
of file paths. This issue does not affect OS X systems.
CVE-ID
CVE-2012-0265 : Tielei Wang of Georgia Tech Information Security
Center via Secunia SVCRP
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted MPEG file may lead to an
unexpected application termination or arbitrary code execution
Description: An integer underflow existed in QuickTime's handling of
audio streams in MPEG files.
CVE-ID
CVE-2012-0660 : Justin Kim at Microsoft and Microsoft Vulnerability
Research (MSVR)
QuickTime 7.7.2 may be obtained from the QuickTime Downloads site:
http://www.apple.com/quicktime/download/
The download file is named: "QuickTimeInstaller.exe"
Its SHA-1 digest is: ed569d62b3f8c24ac8e9aec7275f17cbb14d2124
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/