[<prev] [next>] [day] [month] [year] [list]
Message-id: <4E39C383.6020402@lists.apple.com>
Date: Wed, 03 Aug 2011 14:54:11 -0700
From: Apple Product Security <product-security-noreply@...ts.apple.com>
To: security-announce@...ts.apple.com
Subject: APPLE-SA-2011-08-03-1 QuickTime 7.7
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2011-08-03-1 QuickTime 7.7
QuickTime 7.7 is now available and addresses the following:
QuickTime
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted pict file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in QuickTime's handling of
pict files. Viewing a maliciously crafted pict file may lead to an
unexpected application termination or arbitrary code execution. For
Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8.
This issue does not affect Mac OS X v10.7 systems.
CVE-ID
CVE-2011-0245 : Subreption LLC working with TippingPoint's Zero Day
Initiative
QuickTime
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted JPEG2000 image with QuickTime
may lead to an unexpected application termination or arbitrary code
execution
Description: Multiple memory corruption issues existed in
QuickTime's handling of JPEG2000 images. Viewing a maliciously
crafted JPEG2000 image with QuickTime may lead to an unexpected
application termination or arbitrary code execution. For Mac OS X
v10.6 systems, this issue is addressed in Mac OS X v10.6.7. This
issue does not affect Mac OS X v10.7 systems.
CVE-ID
CVE-2011-0186 : Will Dormann of the CERT/CC
QuickTime
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to the
disclosure of video data from another site
Description: A cross-origin issue existed in QuickTime plug-in's
handling of cross-site redirects. Visiting a maliciously crafted
website may lead to the disclosure of video data from another site.
This issue is addressed by preventing QuickTime from following cross-
site redirects. For Mac OS X v10.6 systems, this issue is addressed
in Mac OS X v10.6.7. This issue does not affect Mac OS X v10.7
systems.
CVE-ID
CVE-2011-0187 : Nirankush Panchbhai and Microsoft Vulnerability
Research (MSVR)
QuickTime
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact: Playing a maliciously crafted WAV file may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow existed in QuickTime's handling of
RIFF WAV files. Playing a maliciously crafted WAV file may lead to an
unexpected application termination or arbitrary code execution. For
Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8.
This issue does not affect Mac OS X v10.7 systems.
CVE-ID
CVE-2011-0209 : Luigi Auriemma working with TippingPoint's Zero Day
Initiative
QuickTime
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in QuickTime's
handling of sample tables in QuickTime movie files. Viewing a
maliciously crafted movie file may lead to an unexpected application
termination or arbitrary code execution. For Mac OS X v10.6 systems,
this issue is addressed in Mac OS X v10.6.8. This issue does not
affect Mac OS X v10.7 systems.
CVE-ID
CVE-2011-0210 : Honggang Ren of Fortinet's FortiGuard Labs
QuickTime
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow existed in QuickTime's handling of
audio channels in movie files. Viewing a maliciously crafted movie
file may lead to an unexpected application termination or arbitrary
code execution. For Mac OS X v10.6 systems, this issue is addressed
in Mac OS X v10.6.8. This issue does not affect Mac OS X v10.7
systems.
CVE-ID
CVE-2011-0211 : Luigi Auriemma working with TippingPoint's Zero Day
Initiative
QuickTime
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted JPEG file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in QuickTime's handling of
JPEG files. Viewing a maliciously crafted JPEG file may lead to an
unexpected application termination or arbitrary code execution. For
Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8.
This issue does not affect Mac OS X v10.7 systems.
CVE-ID
CVE-2011-0213 : Luigi Auriemma working with iDefense VCP
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted GIF image may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in QuickTime's handling
of GIF images. Viewing a maliciously crafted GIF image may lead to an
unexpected application termination or arbitrary code execution. This
issue does not affect Mac OS X systems.
CVE-ID
CVE-2011-0246 : an anonymous contributor working with Beyond
Security's SecuriTeam Secure Disclosure program
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted H.264 movie file may lead to
an unexpected application termination or arbitrary code execution
Description: Multiple stack buffer overflows existed in the handling
of H.264 encoded movie files. Viewing a maliciously crafted H.264
movie file may lead to an unexpected application termination or
arbitrary code execution. These issues do not affect Mac OS X
systems.
CVE-ID
CVE-2011-0247 : Roi Mallo and Sherab Giovannini working with
TippingPoint's Zero Day Initiative
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website using Internet
Explorer may lead to an unexpected application termination or
arbitrary code execution
Description: A stack buffer overflow existed in the QuickTime
ActiveX control's handling of QTL files. Visiting a maliciously
crafted website using Internet Explorer may lead to an unexpected
application termination or arbitrary code execution. This issue does
not affect Mac OS X systems.
CVE-ID
CVE-2011-0248 : Chkr_d591 working with TippingPoint's Zero Day
Initiative
QuickTime
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in the handling of STSC
atoms in QuickTime movie files. Viewing a maliciously crafted movie
file may lead to an unexpected application termination or arbitrary
code execution. This issue does not affect Mac OS X v10.7 systems.
CVE-ID
CVE-2011-0249 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero
Day Initiative
QuickTime
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in the handling of STSS
atoms in QuickTime movie files. Viewing a maliciously crafted movie
file may lead to an unexpected application termination or arbitrary
code execution. This issue does not affect Mac OS X v10.7 systems.
CVE-ID
CVE-2011-0250 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero
Day Initiative
QuickTime
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in the handling of STSZ
atoms in QuickTime movie files. Viewing a maliciously crafted movie
file may lead to an unexpected application termination or arbitrary
code execution. This issue does not affect Mac OS X v10.7 systems.
CVE-ID
CVE-2011-0251 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero
Day Initiative
QuickTime
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in the handling of STTS
atoms in QuickTime movie files. Viewing a maliciously crafted movie
file may lead to an unexpected application termination or arbitrary
code execution. This issue does not affect Mac OS X v10.7 systems.
CVE-ID
CVE-2011-0252 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero
Day Initiative
QuickTime 7.7 may be obtained from the Software Update
application, or from the QuickTime Downloads site:
http://www.apple.com/quicktime/download/
For Mac OS X v10.5.8
The download file is named: "QuickTime77Leopard.dmg"
Its SHA-1 digest is: 0deb99cc44015af7c396750d2c9dd4cbd59fb355
For Windows 7 / Vista / XP SP3
The download file is named: "QuickTimeInstaller.exe"
Its SHA-1 digest is: a99f61d67be6a6b42e11d17b0b4f25cd88b74dc9
QuickTime is incorporated into Mac OS X v10.6 and later.
QuickTime 7.7 is not presented to systems running
Mac OS X v10.6 or later.
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (Darwin)
iQEcBAEBAgAGBQJOOZuHAAoJEGnF2JsdZQeeNWIH/A+KRxzYTBC5nCZQ6m/sRdU0
OrauYjVbXIj1LUgMS9+I0wW4Zg7xtGBEjYBnqiuNuajP5W2+Ts8mNe75ZlEFlNto
KFQI7NS/OsTrjCTR1m1sF2zvsyMKDOjviIy90+PDGKejC8c3Zu/Y8GSdZ++I4aEf
J2g7BqhBDW/RFOemPGrcvr/iwu3twdkiAHeLXFCcecNCKjSUfoxXDuPd/Ege/kS7
95wsNkLjypSEuLpcmjATSXp5X58nzbUCsrQ2doPzLy1/8oWiG9XsiZznmcYlLhHg
trYm+KIMdqBOQWI3uhG+3dG6l2xkJxdYNxHRHXFh78QH0NblHg9u3PmhELUBeXU=
=H+iO
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists