APPLE-SA-2010-09-15-1 QuickTime 7.6.8

QuickTime 7.6.8 is now available and addresses the following:

QuickTime
CVE-ID: CVE-2010-1818
Available for: Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: An input validation issue exists in the QuickTime ActiveX control. An optional parameter '_Marshaled_pUnk' may be passed to the ActiveX control to specify an arbitrary integer that is later treated as a pointer. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed by ignoring the '_Marshaled_pUnk' parameter. This issue does not affect Mac OS X systems. Credit to HBelite working with TippingPoint's Zero Day Initiative for reporting this issue.

QuickTime
CVE-ID: CVE-2010-1819
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing an image in a maliciously prepared directory may lead to arbitrary code execution
Description: A path searching issue exists in QuickTime Picture Viewer. If an attacker places a maliciously crafted DLL in the same directory as an image file, opening the image file with QuickTime Picture Viewer may lead to arbitrary code execution. This issue is addressed by removing the current working directory from the DLL search path. This issue does not affect Mac OS X systems. Credit to Haifei Li of Fortinet's FortiGuard Labs for reporting this issue.

QuickTime 7.6.8 may be obtained from the Software Update application, or from the QuickTime Downloads site:
http://www.apple.com/quicktime/download/

For Windows 7 / Vista / XP SP2 or later
The download file is named: "QuickTimeInstaller.exe"
Its SHA-1 digest is: 38e33492ea1200abeda87256872e5a3dd47e584f

QuickTime 7.6.8 is not presented to Mac OS X systems.

Information will also be posted to the Apple Security Updates web site:
http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key, and details are available at:
https://www.apple.com/support/security/pgp/
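
The CVE-2010-1819 condition described above (a DLL placed in the same directory as an image file) can be checked for on shared folders and download directories. The following is an added example, not part of Apple's advisory; the extension lists, function names and sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumption: illustrative extension lists; the advisory names no file types.
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".tif", ".tiff"}
LIBRARY_EXTS = {".dll"}


def find_colocated_dlls(root):
    """Map each directory (relative to root) holding both DLLs and images
    to a (dll_names, image_names) tuple."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        dlls, images = [], []
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()  # Windows names are case-insensitive
            if ext in LIBRARY_EXTS:
                dlls.append(name)
            elif ext in IMAGE_EXTS:
                images.append(name)
        if dlls and images:
            findings[os.path.relpath(dirpath, root)] = (sorted(dlls), sorted(images))
    return findings


# Constructed sample tree: only "share_drop" has a DLL beside an image.
SAMPLE_LAYOUT = {
    "photos": ["holiday.jpg", "beach.PNG"],
    "share_drop": ["invoice.tif", "example.DLL"],
    "program": ["app.exe", "helper.dll"],
}


def scan_sample():
    """Build the constructed tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as base:
        for folder, names in SAMPLE_LAYOUT.items():
            os.makedirs(os.path.join(base, folder))
            for name in names:
                open(os.path.join(base, folder, name), "wb").close()
        return find_colocated_dlls(base)


if __name__ == "__main__":
    for folder, (dlls, images) in scan_sample().items():
        print(f"{folder}: {dlls} beside {len(images)} image file(s)")
```

A hit is a lead for review, not proof of compromise: application install directories legitimately hold DLLs and image resources together.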