-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2013-05-22-1 QuickTime 7.7.4
QuickTime 7.7.4 is now available and addresses the following:
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Opening a maliciously crafted TeXML file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the handling of
TeXML files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2013-1015 : Aniway.Anyway(a)gmail.com working with HP's Zero Day
Initiative
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Playing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of H.263
encoded movie files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2013-1016 : Tom Gallagher (Microsoft) & Paul Bates (Microsoft)
working with HP's Zero Day Initiative
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Playing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of 'dref'
atoms. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2013-1017 : Tom Gallagher (Microsoft) & Paul Bates (Microsoft)
working with HP's Zero Day Initiative
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Playing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of H.264
encoded movie files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2013-1018 : G. Geshev working with HP's Zero Day Initiative
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Playing a maliciously crafted MP3 file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of MP3 files.
This issue was addressed through improved bounds checking.
CVE-ID
CVE-2013-0989 : G. Geshev working with HP's Zero Day Initiative
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Playing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of Sorenson
encoded movie files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2013-1019 : Tom Gallagher (Microsoft) & Paul Bates (Microsoft)
working with HP's Zero Day Initiative
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Playing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the handling of
JPEG encoded data. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2013-1020 : Tom Gallagher (Microsoft) & Paul Bates (Microsoft)
working with HP's Zero Day Initiative
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted QTIF file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the handling of
QTIF files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2013-0987 : roob working with iDefense VCP
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Opening a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of JPEG
encoded data. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2013-1021 : Mil3s beep working with HP's Zero Day Initiative
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of 'enof'
atoms. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2013-0986 : Tom Gallagher (Microsoft) & Paul Bates (Microsoft)
working with HP's Zero Day Initiative
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted FPX file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of FPX files.
This issue was addressed through improved bounds checking.
CVE-ID
CVE-2013-0988 : G. Geshev working with HP's Zero Day Initiative
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer underflow existed in the handling of 'mvhd'
atoms. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2013-1022 : Andrea Micalizzi aka rgod working with HP's Zero Day
Initiative
QuickTime 7.7.4 may be obtained from the QuickTime Downloads site:
http://support.apple.com/downloads/
The download file is named: "QuickTimeInstaller.exe"
Its SHA-1 digest is: 50395ed3c9ac1f8104e0ad18c99a14c03755d060
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJRnRFuAAoJEPefwLHPlZEwxAUP/17v2uoUVcz8EqTDyfX5Hntm
uAORsTKZ14ZKIN16pNjWNyUMHJSdgOB7DJVbr8ZtaNg4zN2nrZ+tBbAi233uhbe0
1CGwkOkL4bi5JR3btZ7AxORETKMLgwATwahVJZLfRcZp9IMhiIZ5JIP/rmdgH2IL
52/dRRsWrg3Guk36EAqzznelTSeVLP2cQMw9d0ukvsz9jOIMpOJ7FXmv/7K0003c
2m6OtuScfy4Q+BIqql13kZ94cAILPUovIz2L900ry9AQVTbdwwggQ5Tgnf1lqUYy
xBnAVFsS/WWwEN4MyNbkdvsQEUc04vBgTN8dIfGUV4M/MLIRzY9TX+uamxoU/FRA
cfPSGlcQi21poOJ6a9bzVfPBkmPaz4P0M3VplSbAJAqYpALsMVH332mjd2m1o5pL
5VE8EUGcmHIa1jgdrsiWzYThzJIE+KCY6iW/PemC2DzcNz0uJUChPC/ao9UWPLII
05F0xVO4mGa+UClgX5o5OLvOFecX6redFjXuQk/QVzzDP95GIyAybLjQYeuFVpgD
1KGgF0CYjYuk19hZh+HcfZ9j7RIUOrVdCVFIH0+v+IZwRsAh+6NamvdRWTaI5fjg
PiQs1l+8IirII5xrikS6TanUewzdpIyK+pHBtz/OwneLKm79vSYdMLZDQU6deeoN
X0HHvIjtkT16kuhL1yMx
=lnE0
-----END PGP SIGNATURE-----
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list (Security-announce(a)lists.apple.com)
Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/security-announce/site_archiver%40l…
This email sent to site_archiver(a)lists.apple.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2013-05-16-1 iTunes 11.0.3
iTunes 11.0.3 is now available and addresses the following:
iTunes
Available for: Mac OS X v10.6.8 or later, Windows 7, Vista,
XP SP2 or later
Impact: An attacker in a privileged network position may manipulate
HTTPS server certificates, leading to the disclosure of sensitive
information
Description: A certificate validation issue existed in iTunes. In
certain contexts, an active network attacker could present untrusted
certificates to iTunes and they would be accepted without warning.
This issue was resolved by improved certificate validation.
CVE-ID
CVE-2013-1014 : Christopher of ThinkSECURE Pte Ltd, Christopher
Hickstein of University of Minnesota
iTunes
Available for: Windows 7, Vista, XP SP2 or later
Impact: A man-in-the-middle attack while browsing the iTunes Store
via iTunes may lead to an unexpected application termination or
arbitrary code executionn
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2012-2824 : miaubiz
CVE-2012-2857 : Arthur Gerkis
CVE-2012-3748 : Joost Pol and Daan Keuper of Certified Secure working
with HP TippingPoint's Zero Day Initiative
CVE-2012-5112 : Pinkie Pie working with Google's Pwnium 2 contest
CVE-2013-0879 : Atte Kettunen of OUSPG
CVE-2013-0912 : Nils and Jon from MWR Labs working with HP
TippingPoint's Zero Day Initiative
CVE-2013-0948 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0949 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0950 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0951 : Apple
CVE-2013-0952 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0953 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0954 : Dominic Cooney of Google and Martin Barbella of the
Google Chrome Security Team
CVE-2013-0955 : Apple
CVE-2013-0956 : Apple Product Security
CVE-2013-0958 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0959 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0960 : Apple
CVE-2013-0961 : wushi of team509 working with iDefense VCP
CVE-2013-0991 : Jay Civelli of the Chromium development community
CVE-2013-0992 : Google Chrome Security Team (Martin Barbella)
CVE-2013-0993 : Google Chrome Security Team (Inferno)
CVE-2013-0994 : David German of Google
CVE-2013-0995 : Google Chrome Security Team (Inferno)
CVE-2013-0996 : Google Chrome Security Team (Inferno)
CVE-2013-0997 : Vitaliy Toropov working with HP TippingPoint's Zero
Day Initiative
CVE-2013-0998 : pa_kt working with HP TippingPoint's Zero Day
Initiative
CVE-2013-0999 : pa_kt working with HP TippingPoint's Zero Day
Initiative
CVE-2013-1000 : Fermin J. Serna of the Google Security Team
CVE-2013-1001 : Ryan Humenick
CVE-2013-1002 : Sergey Glazunov
CVE-2013-1003 : Google Chrome Security Team (Inferno)
CVE-2013-1004 : Google Chrome Security Team (Martin Barbella)
CVE-2013-1005 : Google Chrome Security Team (Martin Barbella)
CVE-2013-1006 : Google Chrome Security Team (Martin Barbella)
CVE-2013-1007 : Google Chrome Security Team (Inferno)
CVE-2013-1008 : Sergey Glazunov
CVE-2013-1010 : miaubiz
CVE-2013-1011 : Google Chrome Security Team (Inferno)
iTunes 11.0.3 may be obtained from:
http://www.apple.com/itunes/download/
For OS X:
The download file is named: "iTunes11.0.3.dmg"
Its SHA-1 digest is: 83f4afc5d3b5698c811c87c27b975824116bbf1d
For Windows XP / Vista / Windows 7:
The download file is named: "iTunesSetup.exe"
Its SHA-1 digest is: 1e95101b584762b3c46ab597c115cd86bfd45d64
For 64-bit Windows XP / Vista / Windows 7:
The download file is named: "iTunes64Setup.exe"
Its SHA-1 digest is: 6669044bd50c1f753c8412a02556a70be09fd9f8
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJRlQ9KAAoJEPefwLHPlZEwbhcP+QHZGEAVCTw4+Z5k67ninaCS
BV11pa8iySzuv0XZ9Se+CsI37IT1P3bVqEw/A+1i989Q00kaGCBNyt9m65krxNVX
EhFLB8IxCfZqpM4C8ENhOkrY05iOfLx/DW7ioYM9TGTckpb6ayKkUBHkqn+bY3Hq
b9rVeulzPfNsm1QtNp9eRGAL5Kq8vgEAlrMebUF1vOQ8CvGoGNplk0xRBm3Wg0im
gCal7A/fwp9OQUnmlUMeASgbX+Q94ytM6RbPVXwiL1ghTK4bO2LEW1PXdp58cWhv
kNtqO8eOokMl6wwLI6T69GmyfvoL7p5FcDRvuLCtzf2R9j6JgkXYMamP2Mbpr4d3
xlNS2slJQfyRVELnJOv8bxl7Fi2EpBQtUe4WRk7StNWf34kwAb7lWUd1amfIWNcp
lZSojjpShrA7zz82FZxt3q79Tq7Y398FH7ObcJVCWdbCI89TsoBujkP/P6lcp6mz
TnRVLZq6xWnWz1SUsvM5qBfb1LjUREvKDc1anWVaiqW2BJEF0Mc87hkyL5q6YrIv
VyUFBT5cJIqAKUD7MzsUjDMIsyXALVyj9zh1lJ0+c8QdCjPetk8tUg6TCun0nw95
nkFYZJcHDZVLzn8rC/GoE2x8CwhFwN8ATzeS/zV9vxTJ1sHBN+ewkez8i8YTIj+y
9M/53y+vsPwrcmmXCS3o
=eN5K
-----END PGP SIGNATURE-----
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list (Security-announce(a)lists.apple.com)
Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/security-announce/site_archiver%40l…
This email sent to site_archiver(a)lists.apple.com