ID: 3546
Date: 16/01/2008
Title: 3546 - APPLE-SA-2008-01-15 QuickTime 7.4
Platform level affected:Net Application - Client
Hardware components affected:Intel PC
Specific operating systems components affected: 32-bit Windows
Net-enabled software: Other
Security software:Other
Other software: Run-time Environment
Remediation Summary:Update your copy of the software with the download available from the supplier.
Vendors affected:Apple
Applications affected:QuickTime
Adversity source: Unknown
Attack Vector: Vulnerability exploitation
Virulence: Unknown
Warning Status: Active
Potential Damage: Remote execution/modification
Possible Duration: Open Ended
Availability of fix: Available
Type of fix: Patch
Source: Apple
Reliability of source: Trusted
Source URL: http://www.apple.com/support/downloads/
CVE: CVE-2008-0031, CVE-2008-0032, CVE-2008-0033, CVE-2008-0036
Abstract: QuickTime 7.4 is now available and addresses a number of issues.
APPLE-SA-2008-01-15 QuickTime 7.4
QuickTime 7.4 is now available and addresses the following issues:
QuickTime
CVE-ID: CVE-2008-0031
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in QuickTime's handling of Sorenson 3 video files. This may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of Sorenson 3 video files. Credit to Joe Schottman of Virginia Tech for reporting this issue.
QuickTime
CVE-ID: CVE-2008-0032
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in QuickTime's handling of Macintosh Resource records in movie files. Opening a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of movie files. Credit to Jun Mao of VeriSign iDefense Labs for reporting this issue.
QuickTime
CVE-ID: CVE-2008-0033
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in QuickTime's parsing of Image Descriptor (IDSC) atoms. Opening a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of Image Descriptor atoms in movie files.
Credit to Cody Pierce of TippingPoint DVLabs for reporting this issue.
QuickTime
CVE-ID: CVE-2008-0036
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2
Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow may occur while processing a compressed PICT image. Opening a maliciously crafted compressed PICT file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by terminating decoding when the result would extend beyond the end of the destination buffer. Credit to Chris Ries of Carnegie Mellon University Computing Services for reporting this issue.
QuickTime 7.4 may be obtained from the Software Update application, or from the Apple Downloads site:
http://www.apple.com/support/downloads/
For Mac OS X v10.5
The download file is named: "QuickTime740_Leopard.dmg"
Its SHA-1 digest is: c81d8a1578ede770f313a402112d3c90377cea32
For Mac OS X v10.4.9 or later
The download file is named: "QuickTime740_Tiger.dmg"
Its SHA-1 digest is: a07f2780211cef4d255ef63c43f22355bfffa98d
For Mac OS X v10.3.9
The download file is named: "QuickTime740_Panther.dmg"
Its SHA-1 digest is: 1b93e41d8409a01c0926527e145efbd7dee13abe
For Windows Vista, XP SP2
The download file is named: "QuickTime740Installer.exe"
Its SHA-1 digest is: 155043f6fdde3b5f5700b44fc522766c35406bd
Information will also be posted to the Apple Product Security web site:
http://docs.info.apple.com/article.html?artnum=61798
This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.
The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.
CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.
Wed, 16 Jan 2008 10:30:00 GMT
Domain affected: Technical