APPLE-SA-2007-05-01 QuickTime 7.1.6

QuickTime 7.1.6 is now available. Along with functionality improvements (see release notes), it also addresses the following security issue:

QuickTime
CVE-ID: CVE-2007-2175
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9, Windows XP SP2, Windows 2000 SP4
Impact: Visiting a malicious website may lead to arbitrary code execution
Description: An implementation issue exists in QuickTime for Java, which may allow reading or writing out of the bounds of the allocated heap. By enticing a user to visit a web page containing a maliciously-crafted Java applet, an attacker can trigger the issue which may lead to arbitrary code execution. This update addresses the issue by performing additional bounds checking when creating QTPointerRef objects. Credit to Dino Dai Zovi working with TippingPoint and the Zero Day Initiative for reporting this issue.

QuickTime 7.1.6 may be obtained from the Software Update application, or from the Download area in the QuickTime site
http://www.apple.com/quicktime/download/

For Mac OS X v10.4.9 and Mac OS X v10.3.9
The download file is named: "QuickTime716.dmg"
Its SHA-1 digest is: 275327dadcb28b704eb2ed40db3ee300103cea6f

QuickTime 7.1.6 for Windows XP/2000
The download file is named: "QuickTimeInstaller.exe"
Its SHA-1 digest is: 2ebfbab44f7ee26ce15f88373d5f843ef2232ed4

QuickTime 7.1.6 with iTunes for Windows XP/2000
The download file is named: "iTunesSetup.exe"
Its SHA-1 digest is: 528be70403b1675597e8563bafe2f9f728eda6dd

Information will also be posted to the Apple Product Security web site:
http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key, and details are available at:
http://www.apple.com/support/security/pgp/
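
Added example, not part of Apple's advisory: one way to check a downloaded installer against the SHA-1 digests published above, by parsing the file name and digest pairs out of the advisory text and comparing them with a streamed hash of the local file. The function names and the sample file are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Download section of the advisory above (file names and digests as published).
# Assumption: this text came from a copy whose PGP signature was already verified.
ADVISORY = """
For Mac OS X v10.4.9 and Mac OS X v10.3.9
The download file is named: "QuickTime716.dmg"
Its SHA-1 digest is: 275327dadcb28b704eb2ed40db3ee300103cea6f
QuickTime 7.1.6 for Windows XP/2000
The download file is named: "QuickTimeInstaller.exe"
Its SHA-1 digest is: 2ebfbab44f7ee26ce15f88373d5f843ef2232ed4
QuickTime 7.1.6 with iTunes for Windows XP/2000
The download file is named: "iTunesSetup.exe"
Its SHA-1 digest is: 528be70403b1675597e8563bafe2f9f728eda6dd
"""

# A file-name line followed by its digest line; \s+ tolerates re-wrapped mail.
PAIR_RE = re.compile(
    r'download file is named:\s*"([^"]+)"\s+Its SHA-1 digest is:\s*([0-9a-fA-F]{40})\b')

def published_digests(text):
    """Map each file name in the advisory text to its lowercase SHA-1 digest."""
    return {name: digest.lower() for name, digest in PAIR_RE.findall(text)}

def sha1_of(path, chunk_size=1 << 20):
    """Hash the file in chunks so large installers are not read into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()

def verify(path, digests):
    """Return 'ok', 'mismatch', or 'unlisted' (name not in the advisory)."""
    expected = digests.get(Path(path).name)
    if expected is None:
        return "unlisted"
    return "ok" if hmac.compare_digest(sha1_of(path), expected) else "mismatch"

if __name__ == "__main__":
    digests = published_digests(ADVISORY)
    with tempfile.TemporaryDirectory() as d:
        fake = Path(d) / "QuickTime716.dmg"  # constructed stand-in, not the real image
        fake.write_bytes(b"constructed sample bytes")
        print(fake.name, verify(fake, digests))
```
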