Apple Fixes 9 Security flaws with QuickTime 7.5.5

News

John Martellaro

3:00 PM, Sep. 8th ET, 2008

Articles by Author John Martellaro on Twitter Contact Author Bio

Comments (0)

On Tuesday, Apple posted the complete list of security issues addressed with QuickTime 7.5.5 to its list server.

The fixes were for both Mac OS X and Windows systems and were described as follows:

QuickTime
CVE-ID: CVE-2008-3615
Available for: Windows Vista, XP SP2 and SP3

Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: An uninitialized memory access issue exists in the third-party Indeo v5 codec for QuickTime, which does not ship with QuickTime. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by not rendering content encoded with any version of the Indeo codec. This issue does not affect systems running Mac OS X. Credit to Paul Byrne of NGSSoftware for reporting this issue.

QuickTime
CVE-ID: CVE-2008-3635
Available for: Windows Vista, XP SP2 and SP3

Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: A stack buffer overflow exists in the third-party Indeo v3.2 codec for QuickTime. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by not rendering content encoded with any version of the Indeo codec. This issue does not affect systems running Mac OS X. Credit to an anonymous researcher working with TippingPointis Zero Day Initiative for reporting this issue.


QuickTime
CVE-ID: CVE-2008-3624
Available for: Mac OS X v10.4.9 - v10.4.11,
Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3

Impact: Viewing a maliciously crafted QTVR movie file may lead to an unexpected application termination or arbitrary code execution Description: A heap buffer overflow exists in QuickTimeis handling of panorama atoms in QTVR (QuickTime Virtual Reality) movie files. Viewing a maliciously crafted QTVR file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking of panorama atoms. Credit to Roee Hay of IBM Rational Application Security Research Group for reporting this issue.

QuickTime
CVE-ID: CVE-2008-3625
Available for: Mac OS X v10.4.9 - v10.4.11,
Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3

Impact: Viewing a maliciously crafted QTVR movie file may lead to an unexpected application termination or arbitrary code execution Description: A stack buffer overflow exists in QuickTimeis handling of panorama atoms in QTVR (QuickTime Virtual Reality) movie files. Viewing a maliciously crafted QTVR file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking of panorama atoms. Credit to an anonymous researcher working with TippingPointis Zero Day Initiative for reporting this issue.

QuickTime
CVE-ID: CVE-2008-3614
Available for: Windows Vista, XP SP2 and SP3

Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution Description: An integer overflow exists in QuickTimeis handling of PICT images. Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of PICT images. Credit to an anonymous researcher working with the iDefense VCP for reporting this issue.

QuickTime
CVE-ID: CVE-2008-3626
Available for: Mac OS X v10.4.9 - v10.4.11,
Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3

Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue exists in QuickTimeis handling of STSZ atoms in movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking of STSZ atoms. Credit to an anonymous researcher working with TippingPointis Zero Day Initiative for reporting this issue.


QuickTime
CVE-ID: CVE-2008-3627
Available for: Mac OS X v10.4.9 - v10.4.11,
Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3

Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: Multiple memory corruption exist in QuickTimeis handling of H.264 encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of H.264 encoded movie files. Credit to an anonymous researcher and Subreption LLC working with TippingPointis Zero Day Initiative for reporting this issue.

QuickTime
CVE-ID: CVE-2008-3628
Available for: Windows Vista, XP SP2 and SP3

Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution Description: An invalid pointer issue exists in QuickTimeis handling of PICT images. Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by correctly saving and restoring a global variable. This issue does not affect systems running Mac OS X. Credit to David Wharton for reporting this issue.

QuickTime
CVE-ID: CVE-2008-3629
Available for: Mac OS X v10.4.9 - v10.4.11,
Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3

Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination Description: An out-of-bounds read issue exists in QuickTimeis handling of PICT images. Opening a maliciously crafted PICT image may lead to an unexpected application termination. This update addresses the issue by performing additional validation of PICT images. Credit to Sergio ishadowni Alvarez of n.runs AG for reporting this issue.

The latest version of QuickTime can be downloaded from Appleis QuickTime site.

Post A Comment or Log-in. Need an account? Register here.

Recent Headlines - Updated May 25th

Fri, 12:49 PM: News - Apple Now Offering “Free App of the Week” for iOS
12:21 PM: News - Tim Cook Declines $75 Million Dividend Payout
11:25 AM: News - Absinthe 2.0 Provides Untethered Jailbreak for iOS 5.1.1
11:10 AM: Quick Look Review - F18 Carrier Landing (iOS) is a Boatload of Fun
10:51 AM: TMO Appearances - Jeff Gamet talks Cool Apps & Accessories on Not Another Mac Podcast
10:12 AM: Hot Forum Topic - Forum Poll: Which is Your Favorite Photo Sharing Service?
9:41 AM: Product News - Facebook Brings Native Photo Sharing to iPhone with New Camera App
8:58 AM: News - TSA Ready to Spend $3M on Apple Gear
8:25 AM: TMO Quick Tip - Mac OS X: Getting the Most Out of the Fonts Window
Thu, 7:56 PM: News - Jonathan Ive Tells BBC He Wants to Stay at Apple
7:44 PM: News - Apple’s European Head Departs
6:01 PM: News - Apple Pulls Rogue Amoeba’s Airfoil Speakers Touch from App Store

The Mac Observer Reader Specials

Macsales Add 2nd Hard Drive or SSD to Mac mini, MacBook or MacBook Pro. 1TB of Hard Drive or SSD Capacity from $64.99! Video Guides Make it easy - OWC DataDoubler - Macsales.com
Mac RAM Upgrades: MacBook Pro 16GB kits $475, 8GB Kits for $119.99! iMac 16GB RAM Kits (4x 4GB) for $229.99! Mac Pro Memory 32GB Kit for $399.99, 64GB Kit for $889.99! Mac Hard Drives 2TB Seagate SATA II for $249.99! Click Here!
If you're using a Mac, then you've gotta check out PokerOnAMac.com. Online casinos and poker rooms are literally giving away cash and the casino sites at Poker on a Mac do the unthinkable, they actually reward! Join today, the download is free!
Looking to find online casinos for mac? We can help you find the best real money casino sites where you can play your favorite casino games including blackjack and slots.

Buy Stuff, Support TMO via Apple or Amazon
Deals from DealBrothers.com
Reader Specials
Read TMO on Kindle
TMO on Twitter and FaceBook:

Apple Stock Quote (AAPL)

Last trade: $---.-- $---.--
Market cap: $---.--
Discuss in our Apple Finance Board

Quotes are delayed. Currency in USD

Hot Topics

What's the buzz? These articles have TMO readers talking.

Samsung: Apple’s Trial Experts Are “Slavish” Fanboys - 19 Comments
Apple Could Use 7” iPad Pricing to Punish Competitors - 18 Comments
Forrester: Maybe Apple’s TV Isn’t a TV - 9 Comments
Analyst: Apple to Offer iPhone 3GS as Pre-Paid Option - 8 Comments
Jonathan Ive Calls Apple’s Current Project the “Most Important” - 7 Comments
Estimated Apple TV Sales to Date: 6.3 Million - 7 Comments

TMO Express

Join the TMO Express Daily Newsletter to get the latest Mac headlines in your e-mail every weekday. Find out more!

Top Deals From DealBrothers.com

Recent Features

Get the latest installments of TMO Columns, Podcasts, & Blogs.

© The Mac Observer, Inc. -- All rights reserved. All information presented on this site is copyrighted by The Mac Observer, Inc. except where otherwise noted. No portion of this site may be copied without express written consent. Other sites are invited to link to any aspect of this site provided that all content is presented in its original form and is not placed within another frame. The Mac Observer is an independent publication and has not been authorized, sponsored, or otherwise approved by Apple, Inc.