Apple released QuickTime 7.6.6 Tuesday, an update for Windows 7 and Vista, as well as Mac OS X 10.5.x, Leopard. The patch addresses some 16 different issues affecting Windows and Leopard, including several that could allow the bad guys to take over your PC or Mac.
You can download the update through Software Update in Leopard, or through the Apple Software Updater application in Windows. Alternately, you can find the update at Apple’s QuickTime download site.
- QuickTime
CVE-ID: CVE-2009-2837
Available for: Windows 7, Vista, XP SP2
Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in the handling of PICT images. Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution. The issue is addressed through improved validation of PICT images. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.2, and for Mac OS X v10.5 systems it is addressed in Security Update 2009-006. Credit to Nicolas Joly of VUPEN Vulnerability Research Team for reporting this issue. - QuickTime
CVE-ID: CVE-2010-0059
Available for: Mac OS X v10.5.8, Windows 7, Vista, XP SP2
Impact: Playing maliciously crafted audio content may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in the handling of QDM2 encoded audio content. Playing maliciously crafted audio content may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.3. Credit to an anonymous researcher working with TippingPoint’s Zero Day Initiative for reporting this issue. - QuickTime
CVE-ID: CVE-2010-0060
Available for: Mac OS X v10.5.8, Windows 7, Vista, XP SP2
Impact: Playing maliciously crafted audio content may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in the handling of QDMC encoded audio content. Playing maliciously crafted audio content may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.3. Credit to an anonymous researcher working with TippingPoint’s Zero Day Initiative for reporting this issue. - QuickTime
CVE-ID: CVE-2010-0062
Available for: Mac OS X v10.5.8, Windows 7, Vista, XP SP2
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in the handling of H.263 encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed by performing additional validation of H.263 encoded movie files. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.3. Credit to Damian Put working with TippingPoint’s Zero Day Initiative for reporting this issue. - QuickTime
CVE-ID: CVE-2010-0514
Available for: Mac OS X v10.5.8, Windows 7, Vista, XP SP2
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in the handling of H.261 encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed by performing additional validation of H.261 encoded movie files. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.3. Credit to Will Dormann of the CERT/CC for reporting this issue. - QuickTime
CVE-ID: CVE-2010-0515
Available for: Mac OS X v10.5.8, Windows 7, Vista, XP SP2
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption in the handling of H.264 encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed by performing additional validation of H.264 encoded movie files. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.3. - QuickTime
CVE-ID: CVE-2010-0516
Available for: Mac OS X v10.5.8, Windows 7, Vista, XP SP2
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow in the handling of RLE encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed by performing additional validation of RLE encoded movie files. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.3. Credit to an anonymous researcher working with TippingPoint’s Zero Day Initiative for reporting this issue. - QuickTime
CVE-ID: CVE-2010-0517
Available for: Mac OS X v10.5.8, Windows 7, Vista, XP SP2
Description: A heap buffer overflow in the handling of M-JPEG encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed by performing additional
validation of M-JPEG encoded movie files. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.3. Credit to Damian Put working with TippingPoint’s Zero Day Initiative for reporting this issue. - QuickTime
CVE-ID: CVE-2010-0518
Available for: Mac OS X v10.5.8, Windows 7, Vista, XP SP2
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in the handling of Sorenson encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed by performing additional validation of Sorenson encoded movie files. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.3. Credit to Will Dormann of the CERT/CC for reporting this issue. - QuickTime
CVE-ID: CVE-2010-0519
Available for: Mac OS X v10.5.8, Windows 7, Vista, XP SP2
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: An integer overflow exists in the handling of FlashPix encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. For Mac OS X v10.6 systems, this issue is addressed in Mac OS Xv10.6.3. Credit to an anonymous researcher working with TippingPoint’s Zero Day Initiative for reporting this issue. - QuickTime
CVE-ID: CVE-2010-0520
Available for: Mac OS X v10.5.8, Windows 7, Vista, XP SP2
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in the handling of FLC encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed by performing additional
validation of FLC encoded movie files. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.3. Credit to Moritz Jodeit of n.runs AG, and Nicolas Joly of VUPEN Security working with TippingPoint’s Zero Day Initiative for reporting this issue. - QuickTime
CVE-ID: CVE-2010-0526
Available for: Mac OS X v10.5.8, Windows 7, Vista, XP SP2
Impact: Viewing a maliciously crafted MPEG file may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in the handling of MPEG encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed by performing additional validation of MPEG encoded movie files. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.3. Credit to an anonymous researcher working with TippingPoint’s Zero Day Initiative for reporting this issue. - QuickTime
CVE-ID: CVE-2010-0527
Available for: Windows 7, Vista, XP SP2
Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution
Description: An integer overflow exists in the handling of PICT images. Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of PICT images. This issue does not affect Mac OS X systems. Credit to Nicolas Joly of VUPEN Vulnerability Research Team for reporting this issue. - QuickTime
CVE-ID: CVE-2010-0528
Available for: Windows 7, Vista, XP SP2
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption exists in the handling of color tables in movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed by performing additional
validation of color tables. This issue does not affect Mac OS X systems. Credit to an anonymous researcher working with TippingPoint’s Zero Day Initiative for reporting this issue. - QuickTime
CVE-ID: CVE-2010-0529
Available for: Windows 7, Vista, XP SP2
Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in the handling of PICT images. Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of PICT images. This issue does not affect Mac OS X systems. Credit to Damian Put working with TippingPoint’s Zero Day Initiative for reporting this issue. - QuickTime
CVE-ID: CVE-2010-0536
Available for: Windows 7, Vista, XP SP2
Impact: Opening a maliciously crafted BMP image may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in the handling of BMP images. Opening a maliciously crafted BMP image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of BMP images. This issue does not affect Mac OS X systems. Credit to SkyLined of Google, Inc. for reporting this issue.