Skip Navigation

  • Home
  • Contact us
  • FAQ
  • Glossary
  • Public key
  • Sitemap
  • Cymraeg
  • What's new
CPNI - Centre for the Protection of National Infastructure

Advanced search

  • About CPNI
  • The threats
  • Security planning
  • Methods of attack
  • Protecting your assets
  • Products and services
    • CSIRTUK advisories
      • Advisories archive
    • General protective security publications
    • InfoSec briefings
    • InfoSec technical notes
    • InfoSec vulnerability disclosures
    • Good practice guidelines
    • Viewpoints
    • Information exchanges
    • Risk Management Delivery Group
  • Research
Home > Products and services > CSIRTUK advisories > Advisories archive > March 2007 > Update to Apple Quicktime

March 2007

Update to Apple Quicktime

ID: 83
Ref: 025/2007
Date: 07 March 2007:19:16:32
Version: 1
Title: Update to Apple Quicktime
Abstract: QuickTime 7.1.5 is now available. Along with functionality improvements, it also provides fixes for a number of security issues
Vendors affected: Apple
Applications affected: Apple
CPNI Comment:

Version QuickTime 7.1.4 and previous versions contain vulnerabilities in the handling of different media formats, potentially allowing a remote attacker to compromise a user's system when the they visit a malicious web page or opens a malicious file.

Since QuickTime is supplied as a component of Apple iTunes, iTunes installations are also affected by these vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2007-03-05 QuickTime 7.1.5

QuickTime 7.1.5 is now available. Along with functionality improvements (see release notes), it also provides fixes for the following security issues:

QuickTime
CVE-ID: CVE-2007-0711
Available for: Windows Vista/XP/2000
Impact: Viewing a maliciously-crafted 3GP file may lead to an application crash or arbitrary code execution
Description: An integer overflow exists in QuickTime's handling of 3GP video files. By enticing a user to open a malicious movie, an attacker can trigger the overflow, which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of 3GP video files. This issue does not affect Mac OS X. Credit to JJ Reyes for reporting this issue.

QuickTime
CVE-ID: CVE-2007-0712
Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000
Impact: Viewing a maliciously-crafted MIDI file may lead to an application crash or arbitrary code execution
Description: A heap buffer overflow exists in QuickTime's handling of MIDI files. By enticing a user to open a malicious MIDI file, an attacker can trigger the overflow, which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of MIDI files. Credit to Mike Price of McAfee AVERT Labs for reporting this issue.

QuickTime
CVE-ID: CVE-2007-0713
Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000
Impact: Viewing a maliciously-crafted Quicktime movie file may lead to an application crash or arbitrary code execution
Description: A heap buffer overflow exists in QuickTime's handling of QuickTime movie files. By enticing a user to access a maliciously-crafted movie, an attacker can trigger the overflow, which may lead to an application crash or arbitrary code execution.
This update addresses the issue by performing additional validation of QuickTime movies. Credit to Mike Price of McAfee AVERT Labs, Piotr Bania, and Artur Ogloza (Czestochowa,
Poland) for reporting this issue.

QuickTime
CVE-ID: CVE-2007-0714
Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000
Impact: Viewing a maliciously-crafted Quicktime movie file may lead to an application crash or arbitrary code execution
Description: An integer overflow exists in QuickTime's handling of UDTA atoms in movie files. By enticing a user to access a maliciously-crafted movie, an attacker can trigger the overflow, which may lead to an application crash or arbitrary code execution.
This update addresses the issue by performing additional validation of QuickTime movies. Credit to Sowhat of Nevis Labs, and an anonymous researcher working with TippingPoint and the Zero Day Initiative for reporting this issue.

QuickTime
CVE-ID: CVE-2007-0715
Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000
Impact: Viewing a maliciously-crafted PICT file may lead to an application crash or arbitrary code execution
Description: A heap buffer overflow exists in QuickTime's handling of PICT files. By enticing a user to open a malicious PICT image file an attacker can trigger the overflow, which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of PICT files. Credit to Mike Price of McAfee AVERT Labs for reporting this issue.

QuickTime
CVE-ID: CVE-2007-0716
Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000
Impact: Opening a maliciously-crafted QTIF file may lead to an application crash or arbitrary code execution
Description: A stack buffer overflow exists in QuickTime's handling of QTIF files. By enticing a user to access a maliciously-crafted QTIF file, an attacker can trigger the overflow, which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of QTIF files. Credit to Mike Price of McAfee AVERT Labs for reporting this issue.

QuickTime
CVE-ID: CVE-2007-0717
Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000
Impact: Opening a maliciously-crafted QTIF file may lead to an application crash or arbitrary code execution
Description: An integer overflow exists in QuickTime's handling of QTIF files. By enticing a user to access a maliciously-crafted QTIF file, an attacker can trigger the overflow, which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of QTIF files. Credit to Mike Price of McAfee AVERT Labs for reporting this issue.

QuickTime
CVE-ID: CVE-2007-0718
Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000
Impact: Opening a maliciously-crafted QTIF file may lead to an application crash or arbitrary code execution
Description: A heap buffer overflow exists in QuickTime's handling of QTIF files. By enticing a user to access a maliciously-crafted QTIF file, an attacker can trigger the overflow, which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of QTIF files. Credit to Ruben Santamarta working with the iDefense Vulnerability Contributor Program, and JJ Reyes for reporting this issue.

QuickTime 7.1.5 may be obtained from the Software Update application, or from the Download area in the QuickTime site http://www.apple.com/quicktime/download/

For Mac OS X v10.3.9 or later
The download file is named: "QuickTime715.dmg"
Its SHA-1 digest is: 68e621a81560610a37bbf8be5695c751c006627d

QuickTime 7.1.5 for Windows Vista/XP/2000 The download file is named: "QuickTimeInstaller.exe"
Its SHA-1 digest is: 138d028e7b7c77b8938ae65a14369587a7752a85

QuickTime 7.1.5 with iTunes for Windows Vista/XP/2000 The download file is named: "iTunesSetup.exe"
Its SHA-1 digest is: 0a32a8c929cd8f893793a5c260d437726728fe0d

Information will also be posted to the Apple Product Security web site: http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key, and details are available at:
http://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.6 (Build 6060)

iQEVAwUBRexyRImzP5/bU5rtAQi+vAgAkStJiumk4+tJaygYj6cwzTPlZiPzTfqi
0n8/mUw8XXXHhMYGcnpBnPW1yRlQeZtTpcK7qtb0pQs2Qhc/Uok/SgbUF/ELcgVw
GMh3oqRx8kWqXClT+IEgH+H+wZb2+8UEUgztcbaXCwuCevHSv5oVJ1cx4iphbObk
aKYDBx9DIj18pdcQsbazQmsIrH5Hgt6hpxR/5RTHqORrA2A4EPpXXdCtr4087u+u
IhrpUR9h6noToOXSpCAIS5L4t7B2wJRydsbqEk+VCvP8qqMGxrvoVcKQ2ic+DTBm
IhRUYUP9Z3D3WUsEQ2QCMXMdwIKbA5ypHxuWXp5viPLUUQESXqRTSA==
=BkfW
-----END PGP SIGNATURE-----

______________________________________________________________________________

CPNI values your feedback.

1. Which of the following most reflects the value of the advisory to you?
(Place an 'X' next to your choice)

Very useful:__ Useful:__ Not useful:__

2. If you did not find it useful, why not?


3. Any other comments? How could we improve our advisories?


Thank you for your contribution.
______________________________________________________________________________

CPNI wishes to acknowledge the contributions of Apple for the information contained in this advisory.
______________________________________________________________________________
  • Accessibility |
  • Terms and conditions |
  • Privacy statement |
  • Data protection act |
  • Freedom of information |