Focus on Apple
QuickTime 7.1.5 Security Updates (Multiple Platforms) Mar 05 2007 10:12PM
Todd Woodward (todd_woodward symantec com)
In case you haven't seen this release today, a big QuickTime update to resolve a number of potential multi-platform vulnerabilities. Please refer to Apple's Knowledge Base document for complete information:

http://docs.info.apple.com/article.html?artnum=305149

APPLE-SA-2007-03-05 QuickTime 7.1.5

QuickTime 7.1.5 is now available. Along with functionality improvements (see release notes), it also provides fixes for the following security issues:

QuickTime
CVE-ID: CVE-2007-0711
Available for: Windows Vista/XP/2000
Impact: Viewing a maliciously-crafted 3GP file may lead to an application crash or arbitrary code execution
Description: An integer overflow exists in QuickTime's handling of 3GP video files. By enticing a user to open a malicious movie, an attacker can trigger the overflow, which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of 3GP video files. This issue does not affect Mac OS X. Credit to JJ Reyes for reporting this issue.

QuickTime
CVE-ID: CVE-2007-0712
Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000
Impact: Viewing a maliciously-crafted MIDI file may lead to an application crash or arbitrary code execution
Description: A heap buffer overflow exists in QuickTime's handling of MIDI files. By enticing a user to open a malicious MIDI file, an attacker can trigger the overflow, which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of MIDI files. Credit to Mike Price of McAfee AVERT Labs for reporting this issue.

QuickTime
CVE-ID: CVE-2007-0713
Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000
Impact: Viewing a maliciously-crafted QuickTime movie file may lead to an application crash or arbitrary code execution
Description: A heap buffer overflow exists in QuickTime's handling of QuickTime movie files. By enticing a user to access a maliciously-crafted movie, an attacker can trigger the overflow, which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of QuickTime movies. Credit to Mike Price of McAfee AVERT Labs, Piotr Bania, and Artur Ogloza (Czestochowa, Poland) for reporting this issue.

QuickTime
CVE-ID: CVE-2007-0714
Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000
Impact: Viewing a maliciously-crafted QuickTime movie file may lead to an application crash or arbitrary code execution
Description: An integer overflow exists in QuickTime's handling of UDTA atoms in movie files. By enticing a user to access a maliciously-crafted movie, an attacker can trigger the overflow, which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of QuickTime movies. Credit to Sowhat of Nevis Labs, and an anonymous researcher working with TippingPoint and the Zero Day Initiative for reporting this issue.

QuickTime
CVE-ID: CVE-2007-0715
Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000
Impact: Viewing a maliciously-crafted PICT file may lead to an application crash or arbitrary code execution
Description: A heap buffer overflow exists in QuickTime's handling of PICT files. By enticing a user to open a malicious PICT image file, an attacker can trigger the overflow, which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of PICT files. Credit to Mike Price of McAfee AVERT Labs for reporting this issue.

QuickTime
CVE-ID: CVE-2007-0716
Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000
Impact: Opening a maliciously-crafted QTIF file may lead to an application crash or arbitrary code execution
Description: A stack buffer overflow exists in QuickTime's handling of QTIF files. By enticing a user to access a maliciously-crafted QTIF file, an attacker can trigger the overflow, which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of QTIF files. Credit to Mike Price of McAfee AVERT Labs for reporting this issue.

QuickTime
CVE-ID: CVE-2007-0717
Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000
Impact: Opening a maliciously-crafted QTIF file may lead to an application crash or arbitrary code execution
Description: An integer overflow exists in QuickTime's handling of QTIF files. By enticing a user to access a maliciously-crafted QTIF file, an attacker can trigger the overflow, which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of QTIF files. Credit to Mike Price of McAfee AVERT Labs for reporting this issue.

QuickTime
CVE-ID: CVE-2007-0718
Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000
Impact: Opening a maliciously-crafted QTIF file may lead to an application crash or arbitrary code execution
Description: A heap buffer overflow exists in QuickTime's handling of QTIF files. By enticing a user to access a maliciously-crafted QTIF file, an attacker can trigger the overflow, which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of QTIF files. Credit to Ruben Santamarta working with the iDefense Vulnerability Contributor Program, and JJ Reyes for reporting this issue.

###

____________
Todd D. Woodward
Technical Support Engineer
Security Response Researcher
Focus-Apple Moderator
Enterprise Macintosh Products
 
Symantec Corporation
www.symantec.com
Office: 541-335-7441

"Confidence in a Connected World"
