Apple Patches 15 Security Holes in QuickTime

| Product News

Apple released a QuickTime security patch for Mac OS X 10.5.8 and Windows users, bringing the multimedia software to version 7.6.9. The patch includes 15 different security fixes, many of which could allow the bad guys to take over your Mac or Windows PC.

Windows users can find the update in the Apple Updater utility, or download it directly from Apple’s Web site. If you’re running Mac OS X 10.5.8, you can download the update through Software Update. Apple has not yet added a standalone entry on its support site for the Mac version of the update.

[Update: We clarified the Mac aspects of the update. - Editor]

QuickTime 7.6.9

  • QuickTime
    CVE-ID: CVE-2010-3787
    Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows 7, Vista, XP SP2 or later
    Impact: Viewing a maliciously crafted JP2 image may lead to an unexpected application termination or arbitrary code execution
    Description: A heap buffer overflow exists in QuickTime’s handling of JP2 images. Viewing a maliciously crafted JP2 image may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.5. Credit to Nils of MWR InfoSecurity, and Will Dormann of the CERT/CC, for reporting this issue.

  • QuickTime
    CVE-ID: CVE-2010-3788
    Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows 7, Vista, XP SP2 or later
    Impact: Viewing a maliciously crafted JP2 image may lead to an unexpected application termination or arbitrary code execution
    Description: An uninitialized memory access issue exists in QuickTime’s handling of JP2 images. Viewing a maliciously crafted JP2 image may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved validation of JP2 images. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.5. Credit to Damian Put and Procyun, working with TippingPoint’s Zero Day Initiative for reporting this issue.

  • QuickTime
    CVE-ID: CVE-2010-3789
    Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows 7, Vista, XP SP2 or later
    Impact: Viewing a maliciously crafted avi file may lead to an unexpected application termination or arbitrary code execution

    Description: A memory corruption issue is in QuickTime’s handling of avi files. Viewing a maliciously crafted avi file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of avi files. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.5. Credit to Damian Put working with TippingPoint’s Zero Day Initiative for reporting this issue.

  • QuickTime
    CVE-ID: CVE-2010-3790
    Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows 7, Vista, XP SP2 or later
    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
    Description: A memory corruption issue exists in QuickTime’s handling of movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of movie files. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.5. Credit to Honggang Ren of Fortinet’s FortiGuard Labs for reporting this issue.

  • QuickTime
    CVE-ID: CVE-2010-3791
    Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows 7, Vista, XP SP2 or later
    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
    Description: A buffer overflow exists in QuickTime’s handling of MPEG encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.5. Credit to an anonymous researcher working with TippingPoint’s Zero Day Initiative for reporting this issue.

  • QuickTime

    CVE-ID: CVE-2010-3792

    Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows 7, Vista, XP SP2 or later
    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
    Description: A signedness issue exists in QuickTime’s handling of MPEG encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of MPEG encoded movie files. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.5. Credit to an anonymous researcher working with TippingPoint’s Zero Day Initiative for reporting this issue.
  • QuickTime
    CVE-ID: CVE-2010-3793
    Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows 7, Vista, XP SP2 or later
    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
    Description: A memory corruption issue exists in QuickTime’s handling of Sorenson encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved validation of Sorenson encoded movie files. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.5. Credit to an anonymous researcher working with TippingPoint’s Zero Day Initiative, and Carsten Eiram of Secunia Research for reporting this issue.

  • QuickTime
    CVE-ID: CVE-2010-3794
    Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows 7, Vista, XP SP2 or later
    Impact: Viewing a maliciously crafted FlashPix image may lead to an unexpected application termination or arbitrary code execution
    Description: An uninitialized memory access issue exists in QuickTime’s handling of FlashPix images. Viewing a maliciously crafted FlashPix image may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory management. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.5. Credit to an anonymous researcher working with TippingPoint’s Zero Day Initiative for reporting this issue.

  • QuickTime
    CVE-ID: CVE-2010-3795
    Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows 7, Vista, XP SP2 or later
    Impact: Viewing a maliciously crafted GIF image may lead to an unexpected application termination or arbitrary code execution
    Description: An uninitialized memory access issue exists in QuickTime’s handling of GIF images. Viewing a maliciously crafted GIF image may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory management. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.5. Credit to an anonymous researcher working with TippingPoint’s Zero Day Initiative for reporting this issue.

  • QuickTime
    CVE-ID: CVE-2010-3800
    Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows 7, Vista, XP SP2 or later
    Impact: Viewing a maliciously crafted PICT file may lead to an unexpected application termination or arbitrary code execution
    Description: A memory corruption issue exists in QuickTime’s handling of PICT files. Viewing a maliciously crafted PICT file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved validation of PICT files. Credit to Moritz Jodeit of n.runs AG and Damian Put, working with TippingPoint’s Zero Day Initiative, and Hossein Lotfi (s0lute), working with VeriSign iDefense Labs for reporting this issue.

  • QuickTime
    CVE-ID: CVE-2010-3801
    Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows 7, Vista, XP SP2 or later
    Impact: Viewing a maliciously crafted FlashPix image may lead to an unexpected application termination or arbitrary code execution
    Description: A memory corruption issue exists in QuickTime’s handling of FlashPix images. Viewing a maliciously crafted FlashPix image may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory management. Credit to Damian Put working with TippingPoint’s Zero Day Initiative, and Rodrigo Rubira Branco from the Check Point Vulnerability Discovery Team for reporting this issue.

  • QuickTime
    CVE-ID: CVE-2010-3802
    Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows 7, Vista, XP SP2 or later
    Impact: Viewing a maliciously crafted QTVR movie file may lead to an unexpected application termination or arbitrary code execution
    Description: A memory corruption issue exists in QuickTime’s handling of panorama atoms in QTVR (QuickTime Virtual Reality) movie files. Viewing a maliciously crafted QTVR movie file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of QTVR movie files. Credit to an anonymous researcher working with TippingPoint’s Zero Day Initiative for reporting this issue.

  • QuickTime
    CVE-ID: CVE-2010-1508
    Available for: Windows 7, Vista, XP SP2 or later
    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
    Description: A heap buffer overflow exists in QuickTime’s handling of Track Header (tkhd) atoms. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. This issue does not affect Mac OS X systems. Credit to Moritz Jodeit of n.runs AG, working with TippingPoint’s Zero Day Initiative, and Carsten Eiram of Secunia Research for reporting this issue.

  • QuickTime
    CVE-ID: CVE-2010-0530
    Available for: Windows 7, Vista, XP SP2 or later
    Impact: A local user may have access to sensitive information
    Description: A filesystem permission issue exists in QuickTime. This may allow a local user to access the contents of the “Apple Computer” directory in the user’s profile, which may lead to the disclosure of sensitive information. This issue is addressed through improved filesystem permissions. This issue does not affect Mac OS X systems. Credit to Geoff Strickler of On-Line Transaction Consultants for reporting this issue.

  • QuickTime
    CVE-ID: CVE-2010-4009
    Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows 7, Vista, XP SP2 or later
    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
    Description: An integer overflow exists in QuickTime’s handling of movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. Credit to Honggang Ren of Fortinet’s FortiGuard Labs for reporting this issue.

Sign Up for the Newsletter

Join the TMO Express Daily Newsletter to get the latest Mac headlines in your e-mail every weekday.

Comments

Tiger

They apparently pulled the Mac version, Software Update finds nothing to download (8:15 pm CST).

Nemo

Does Snow Leopard’s version 7.6.6 of the QuickTime Plugin that runs in my browsers need to be updated to 7.6.9 to deal with the security vulnerabilities corrected in version 7.6.9 of QuickTime for Leopard?  If the answer is yes, where is it?

Lancashire-Witch

Presumably those users running QuickTime (Pro)  (QuickTime 7 version 7.6.6)  under Mac OS 10.6.n are not at risk from these 15 security holes.

Lee Dronick

They apparently pulled the Mac version, Software Update finds nothing to download (8:15 pm CST).

From what I read on apple.com this update is just for Leopard.

Log-in to comment