ID: 3886
Date: 10/09/2009
Title: 3886 - APPLE-SA-2009-09-09-2 QuickTime 7.6.4
Platform level affected: Operating System
Hardware components affected: Intel PC
Specific operating systems components affected: 32-bit Windows
Other software: Web Browser
Remediation Summary: Update your copy of the software with the download available from the supplier.
Vendors affected: Apple
Applications affected: QuickTime
Adversity source: Unknown
Attack Vector: Vulnerability exploitation
Virulence: Proof of Concept
Warning Status: Unknown
Potential Damage: Remote execution/modification
Possible Duration: Unknown
Availability of fix: Available
Type of fix: Patch
Source: Apple
Reliability of source: Trusted
Source URL: http://support.apple.com/kb/HT1222
Abstract: QuickTime 7.6.4 is now available and addresses a number of security vulnerabilities.
APPLE-SA-2009-09-09-2 QuickTime 7.6.4
QuickTime 7.6.4 is now available and addresses the following:
QuickTime
CVE-ID: CVE-2009-2202
Available for: Mac OS X v10.4.11, Mac OS X v10.5.8, Windows 7, Vista and XP SP3
Impact: Viewing a maliciously crafted H.264 movie may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in QuickTime's handling of H.264 movie files. Viewing a maliciously crafted H.264 movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Tom Ferris of the Adobe Secure Software Engineering Team for reporting this issue.
QuickTime
CVE-ID: CVE-2009-2203
Available for: Mac OS X v10.4.11, Mac OS X v10.5.8, Windows 7, Vista and XP SP3
Impact: Opening a maliciously crafted MPEG-4 video file may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in QuickTime's handling of MPEG-4 video files. Opening a maliciously crafted MPEG-4 video file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Alex Selivanov for reporting this issue.
QuickTime
CVE-ID: CVE-2009-2798
Available for: Mac OS X v10.4.11, Mac OS X v10.5.8, Windows 7, Vista and XP SP3
Impact: Viewing a maliciously crafted FlashPix file may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in QuickTime's handling of FlashPix files. Viewing a maliciously crafted FlashPix file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Damian Put working with TippingPoint and the Zero Day Initiative for reporting this issue.
QuickTime
CVE-ID: CVE-2009-2799
Available for: Mac OS X v10.4.11, Mac OS X v10.5.8, Windows 7, Vista and XP SP3
Impact: Viewing a maliciously crafted H.264 movie may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in QuickTime's handling of H.264 movie files. Viewing a maliciously crafted H.264 movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to an anonymous researcher working with TippingPoint and the Zero Day Initiative for reporting this issue.
QuickTime 7.6.4 may be obtained from the Software Update application, or from the QuickTime Downloads site:
http://www.apple.com/quicktime/download/
For Mac OS X v10.5.8
The download file is named: "QuickTime764_Leopard.dmg"
Its SHA-1 digest is: f35a8f6f09ee884405ae10b1eca4b7c059f274f0
For Mac OS X v10.4.11
The download file is named: "QuickTime764_Tiger.dmg"
Its SHA-1 digest is: 8e4cdc8b5b98a314f7a67485184b64cecfb218f2
For Windows 7 / Vista / XP SP3
The download file is named: "QuickTimeInstaller.exe"
Its SHA-1 digest is: 0377256124a74db82b6a75ab9b296aa6e6306e0a
QuickTime with iTunes for Windows 32-bit XP or Vista
The download file is named: "iTunesSetup.exe"
Its SHA-1 digest is: 68c84dd8d910ce6cc1508f41cb86d20de839f2e3
QuickTime with iTunes for Windows 64-bit Vista or 7
The download file is named: "iTunes64Setup.exe"
Its SHA-1 digest is: 9a492dadc7f396bd92bdfc7cb0ff4de15db1b2c2
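The download list above publishes a SHA-1 digest for each installer. As an added example that is not part of Apple's or CPNI's advisory, the following Python script checks a downloaded file against those published values. The digest table is copied verbatim from the advisory; the function names, the chunked read and the three-way result are this example's own choices.

```python
import hashlib
import hmac
import os

# Filenames and SHA-1 digests exactly as published in APPLE-SA-2009-09-09-2.
PUBLISHED_SHA1 = {
    "QuickTime764_Leopard.dmg": "f35a8f6f09ee884405ae10b1eca4b7c059f274f0",
    "QuickTime764_Tiger.dmg": "8e4cdc8b5b98a314f7a67485184b64cecfb218f2",
    "QuickTimeInstaller.exe": "0377256124a74db82b6a75ab9b296aa6e6306e0a",
    "iTunesSetup.exe": "68c84dd8d910ce6cc1508f41cb86d20de839f2e3",
    "iTunes64Setup.exe": "9a492dadc7f396bd92bdfc7cb0ff4de15db1b2c2",
}


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-1 so a large installer need not fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected_hex):
    """Return True only if the file's SHA-1 equals the published digest.

    Hex case is normalised because digests get pasted in either case, and
    compare_digest is used so the comparison does not leak timing; the digest
    is public, so this is cheap insurance rather than a requirement.
    """
    actual = sha1_of_file(path)
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def check_installer(path, table=PUBLISHED_SHA1):
    """Look the file up by basename in the advisory table and verify it.

    Returns "ok", "mismatch", or "unknown-file" (name not listed in the
    advisory), so a caller can treat an unlisted filename differently from a
    file whose contents do not match.
    """
    name = os.path.basename(path)
    if name not in table:
        return "unknown-file"
    return "ok" if verify_download(path, table[name]) else "mismatch"


if __name__ == "__main__":
    import sys

    for p in sys.argv[1:]:
        print(f"{p}: {check_installer(p)}")
```

Run it with the downloaded installer paths as arguments. SHA-1 is used because that is what this 2009 advisory publishes; a match confirms the file is the one Apple posted and arrived intact, but SHA-1 is no longer a collision-resistant choice for new releases, and the operating system's code-signature check on the installer should still be relied on alongside it.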
Information will also be posted to the Apple Security Updates web site:
http://support.apple.com/kb/HT1222
This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.
The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.
CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.
Thu, 10 Sep 2009 14:05:00 GMT
Domain affected: Technical