-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2008-06-09 QuickTime 7.5

QuickTime 7.5 is now available and addresses the following issues:

QuickTime
CVE-ID:  CVE-2008-1581
Available for:  Windows Vista, XP SP2
Impact:  Opening a maliciously crafted PICT image file may lead to an unexpected application termination or arbitrary code execution
Description:  An issue in QuickTime's handling of PixData structures when processing a PICT image may result in a heap buffer overflow. Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue does not affect systems running Mac OS X. Credit to Dyon Balding of Secunia Research for reporting this issue.

QuickTime
CVE-ID:  CVE-2008-1582
Available for:  Mac OS X v10.3.9, Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2
Impact:  Opening maliciously crafted AAC-encoded media content may lead to an unexpected application termination or arbitrary code execution
Description:  A memory corruption issue exists in QuickTime's handling of AAC-encoded media content. Opening a maliciously crafted media file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of media files. Credit to Dave Soldera of NGS Software, and Jens Alfke for reporting this issue.

QuickTime
CVE-ID:  CVE-2008-1583
Available for:  Mac OS X v10.3.9, Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2
Impact:  Opening a maliciously crafted PICT image file may lead to an unexpected application termination or arbitrary code execution
Description:  A heap buffer overflow exists in QuickTime's handling of PICT images. Opening a maliciously crafted PICT image file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Liam O Murchu of Symantec for reporting this issue.

QuickTime
CVE-ID:  CVE-2008-1584
Available for:  Mac OS X v10.3.9, Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2
Impact:  Viewing maliciously crafted Indeo video media content may lead to an unexpected application termination or arbitrary code execution
Description:  An issue in QuickTime's handling of Indeo video codec content may result in a stack buffer overflow. Viewing a maliciously crafted movie file with Indeo video codec content may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by not rendering Indeo video codec content. Credit to an anonymous researcher working with TippingPoint's Zero Day Initiative for reporting this issue.

QuickTime
CVE-ID:  CVE-2008-1585
Available for:  Mac OS X v10.3.9, Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2
Impact:  Playing maliciously crafted QuickTime content in QuickTime Player may lead to arbitrary code execution
Description:  A URL handling issue exists in QuickTime's handling of file: URLs. This may allow arbitrary applications and files to be launched when a user plays maliciously crafted QuickTime content in QuickTime Player. This update addresses the issue by revealing files in Finder or Windows Explorer rather than launching them. Credit to Vinoo Thomas and Rahul Mohandas of McAfee Avert Labs, and Petko D. (pdp) Petkov of GNUCITIZEN working with TippingPoint's Zero Day Initiative for reporting this issue.

QuickTime 7.5 may be obtained from the Software Update application, or from the QuickTime Downloads site:
http://www.apple.com/quicktime/download/

For Mac OS X v10.5 or later
The download file is named:  "QuickTime75_Leopard.dmg"
Its SHA-1 digest is:  207c4dcc6a6adc8e600598db3ce036c40a3926f6

For Mac OS X v10.4.9 through Mac OS X v10.4.11
The download file is named:  "QuickTime75_Tiger.dmg"
Its SHA-1 digest is:  5b89879be97d93e6560f95fb5000fcb0a33fbcaa

For Mac OS X v10.3.9
The download file is named:  "QuickTime75_Panther.dmg"
Its SHA-1 digest is:  92dd692563e685ae535b9272c1ef4f3c5bdd0eef

For Windows Vista / XP SP2
The download file is named:  "QuickTimeInstaller.exe"
Its SHA-1 digest is:  81d70a503adb132048f744c3ffc0cea487cf2cac

QuickTime with iTunes for Windows XP or Vista
The download file is named:  "iTunesSetup.exe"
Its SHA-1 digest is:  8123286fffa53d4ae2c187edccab778fb0f5f34f

Information will also be posted to the Apple Security Updates web site:
http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key, and details are available at:
http://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----
Version: 9.7.2.1608

wsBVAwUBSE3I+HkodeiKZIkBAQiNvggAlLOvEaScjlj0Y4ZOg3bgjXHgmQtMIGFG
iG2/0v9tD0xYTfUD/1Yhu58CJ5wTvhVFx0KuSXb9EUUdEZXpCkvJGqG5W9MK1Kmq
iPE7YIPGHBit2/xG4VE4U2vMh6YPtQUpSqAUhEhWU1a2o5+6C8kG1TUBeTf+hUlK
RoWrlf41YMlmrgqT45ZqeT2SXEtGLgb0qYg6Unroks0pYB25xJUUl87/Q4dNKLOg
N+mxsPvQwI8CY3EsigQGG7BN14jXSl+44fXQyP/Lfljy/YPjUMT/gXk7l+pP+MOI
9x7qrBkEmN54rSDK+UfB/oFaF3Cwa1csKxT+rg82DUcHnQviaxI/zw==
=2/AX
-----END PGP SIGNATURE-----
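The advisory publishes a SHA-1 digest for each installer so that a download can be checked before it is run. The script below is an added example, not Apple's code and not part of the advisory: it carries the five file names and digests printed above, computes the SHA-1 of a local file with whichever of `sha1sum` (GNU coreutils) or `shasum` (macOS, Perl) is installed (an assumption about the host), and refuses a file whose digest does not match. The function and script names are the example's own.

```shell
#!/bin/sh
# Added example (not Apple's code): check a QuickTime 7.5 download against the
# SHA-1 digest published in APPLE-SA-2008-06-09 before installing it.
# Assumes sha1sum (GNU coreutils) or shasum (macOS/Perl) is available on PATH.

# Map a download file name to the digest printed in the advisory.
# Prints the digest; returns status 1 for a file name the advisory does not list.
expected_digest() {
    case "$1" in
        QuickTime75_Leopard.dmg) echo 207c4dcc6a6adc8e600598db3ce036c40a3926f6 ;;
        QuickTime75_Tiger.dmg)   echo 5b89879be97d93e6560f95fb5000fcb0a33fbcaa ;;
        QuickTime75_Panther.dmg) echo 92dd692563e685ae535b9272c1ef4f3c5bdd0eef ;;
        QuickTimeInstaller.exe)  echo 81d70a503adb132048f744c3ffc0cea487cf2cac ;;
        iTunesSetup.exe)         echo 8123286fffa53d4ae2c187edccab778fb0f5f34f ;;
        *) return 1 ;;
    esac
}

# Print the lowercase SHA-1 hex digest of a file, using whichever tool exists.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 1 "$1" | awk '{print $1}'
    else
        echo "no sha1sum or shasum found on PATH" >&2
        return 2
    fi
}

# verify_digest FILE EXPECTED_HEX
# Status 0 when the file's digest equals EXPECTED_HEX (case-insensitive),
# 1 when it differs or the file is missing, 2 when no hashing tool is available.
verify_digest() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "MISSING $file" >&2; return 1; }
    actual=$(sha1_of "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK      $file"
    else
        echo "FAIL    $file: expected $expected, got $actual" >&2
        return 1
    fi
}

# verify_download PATH: look the expected digest up by the file's base name,
# then compare. Unknown names are rejected rather than silently accepted.
verify_download() {
    name=$(basename "$1")
    expected=$(expected_digest "$name") || { echo "UNKNOWN $name" >&2; return 1; }
    verify_digest "$1" "$expected"
}

# Usage: sh verify_qt75.sh ~/Downloads/QuickTime75_Leopard.dmg [more files...]
# With no arguments nothing is checked, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    status=0
    for f in "$@"; do
        verify_download "$f" || status=1
    done
    exit "$status"
fi
```

The exit status is non-zero if any named file is missing, unlisted, or has a different digest, so the script can gate an automated deployment step; a digest mismatch means the file is not the one the advisory describes and should not be installed.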