Update your copy of the software with the download available from the supplier.
CVE-2008-1013, CVE-2008-1014, CVE-2008-1015, CVE-2008-1016, CVE-2008-1017, CVE-2008-1018, CVE-2008-1019, CVE-2008-1020, CVE-2008-1021, CVE-2008-1022, CVE-2008-1023
APPLE-SA-2008-04-02 QuickTime 7.4.5
QuickTime 7.4.5 is now available and addresses the following issues:
QuickTime
CVE-ID: CVE-2008-1013
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2
Impact: Untrusted Java applets may obtain elevated privileges
Description: An implementation issue in QuickTime for Java allows untrusted Java applets to deserialize objects provided by QTJava.
Visiting a web page containing a maliciously crafted Java applet could allow the disclosure of sensitive information, or arbitrary code execution with the privileges of the current user. This update addresses the issue by disabling the ability of untrusted Java applets to deserialize QTJava objects. Credit to Adam Gowdiak for reporting this issue.
QuickTime
CVE-ID: CVE-2008-1014
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2
Impact: Downloading a movie file may lead to information disclosure
Description: Specially crafted QuickTime movies can automatically open external URLs, which may lead to information disclosure. This update addresses the issue through improved handling of external URLs embedded in movie files. Credit to Jorge Escala of Open Tech Solutions, and Vinoo Thomas and Rahul Mohandas of McAfee Avert Labs for reporting this issue.
QuickTime
CVE-ID: CVE-2008-1015
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: An issue in QuickTime's handling of data reference atoms may result in a buffer overflow. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of data reference atoms. Credit to Chris Ries of Carnegie Mellon University Computing Services for reporting this issue.
QuickTime
CVE-ID: CVE-2008-1016
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in QuickTime's handling of movie media tracks. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved validation of movie media tracks.
QuickTime
CVE-ID: CVE-2008-1017
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: An issue in QuickTime's parsing of 'crgn' atoms may result in a heap buffer overflow. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Sanbin Li working with TippingPoint's Zero Day Initiative for reporting this issue.
QuickTime
CVE-ID: CVE-2008-1018
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: An issue in QuickTime's parsing of 'chan' atoms may result in a heap buffer overflow. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to an anonymous researcher working with TippingPoint's Zero Day Initiative for reporting this issue.
QuickTime
CVE-ID: CVE-2008-1019
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2
Impact: Opening a maliciously crafted PICT image file may lead to an unexpected application termination or arbitrary code execution
Description: An issue in QuickTime's handling of PICT records may result in a heap buffer overflow. Viewing a maliciously crafted PICT image file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to bugfree working with TippingPoint's Zero Day Initiative for reporting this issue.
QuickTime
CVE-ID: CVE-2008-1020
Available for: Windows Vista, XP SP2
Impact: Opening a maliciously crafted PICT image file may lead to an unexpected application termination or arbitrary code execution
Description: An issue in QuickTime's handling of error messages during PICT images processing may result in a heap buffer overflow.
Viewing a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue does not affect Mac OS X systems. Credit to Ruben Santamarta of Reversemode.com working with TippingPoint's Zero Day Initiative for reporting this issue.
QuickTime
CVE-ID: CVE-2008-1021
Available for: Windows Vista, XP SP2
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: An issue in QuickTime's handling of Animation codec content may result in a heap buffer overflow. Viewing a maliciously crafted movie file with Animation codec content may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue does not affect Mac OS X systems. Credit to an anonymous researcher working with TippingPoint's Zero Day Initiative for reporting this issue.
QuickTime
CVE-ID: CVE-2008-1022
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2
Impact: Viewing a maliciously crafted QuickTime VR movie file may lead to an unexpected application termination or arbitrary code execution
Description: An issue in QuickTime's parsing of 'obji' atoms may result in a stack buffer overflow. Viewing a maliciously crafted QuickTime VR movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to an anonymous researcher working with TippingPoint's Zero Day Initiative for reporting this issue.
QuickTime
CVE-ID: CVE-2008-1023
Available for: Windows Vista, XP SP2
Impact: Opening a maliciously crafted PICT image file may lead to an unexpected application termination or arbitrary code execution
Description: An issue in QuickTime's parsing of the Clip opcode may result in a heap buffer overflow. Viewing a maliciously crafted PICT image file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue does not affect Mac OS X systems. Credit to Wei Wang of McAfee AVERT labs for reporting this issue.
QuickTime 7.4.5 may be obtained from the Software Update application, or from the Apple Downloads site:
This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.
The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.
CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.