APPLE-SA-2009-01-21
Published: 2009-01-21 00:00:00
Updated: 2009-01-21 00:00:00
APPLE-SA-2009-01-21 QuickTime MPEG-2 Playback Component The QuickTime MPEG-2 Playback Component for Windows is now available and addresses the following issue: CVE-ID: CVE-2009-0008 Available for: Windows Vista, XP SP2 and SP3 Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: An input validation issue exists in the QuickTime MPEG-2 Playback Component for Windows. Accessing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of MPEG-2 files. This issue does not affect systems running Mac OS X. Credit to Richard Lemon of Code Lemon for reporting this issue. The QuickTime MPEG-2 Playback Component is not installed by default, and is provided separately from QuickTime. Details are available via http://www.apple.com/quicktime/mpeg2/ Users who have paid for and downloaded an earlier version of the QuickTime MPEG-2 Playback Component from the Apple Store may download the updated version for free. The steps to determine that a system has the updated version are listed at http://support.apple.com/kb/HT3381. The version number of the updated QuickTime MPEG-2 Playback Component for Windows is 7.60.92.0. Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: http://www.apple.com/support/security/pgp/