APPLE-SA-2007-05-29 Security Update (QuickTime 7.1.6)
Security Update (QuickTime 7.1.6) is now available and provides the following security enhancements:

QuickTime
CVE-ID: CVE-2007-2388
Available for: QuickTime 7.1.6 on Mac OS X and Windows
Impact: Visiting a malicious website may lead to arbitrary code execution
Description: An implementation issue exists in QuickTime for Java, which may allow instantiation or manipulation of objects outside the bounds of the allocated heap. By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker can trigger the issue which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of Java applets. Credit to John McDonald, Paul Griswold, and Tom Cross of IBM Internet Security Systems X-Force, and Dyon Balding of Secunia Research for reporting this issue.

QuickTime
CVE-ID: CVE-2007-2389
Available for: QuickTime 7.1.6 on Mac OS X and Windows
Impact: Visiting a malicious website may lead to the disclosure of sensitive information
Description: A design issue exists in QuickTime for Java, which may allow a web browser's memory to be read by a Java applet. By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker can trigger the issue which may lead to the disclosure of sensitive information. This update addresses the issue by clearing memory before allowing it to be used by untrusted Java applets.

Security Update (QuickTime 7.1.6) may be obtained from the Software Update application, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For QuickTime 7.1.6 on Mac OS X
The download file is named: "SecUpdQuickTime716.dmg"
Its SHA-1 digest is: 960b3d043366f214c62e94fc176e5e367eb75992

For QuickTime 7.1.6 on Windows
The download file is named: "SecUpdQuickTime716.msi"
Its SHA-1 digest is: 1ab14df3c1ef6f15d082cb5c13e9898097816ea9

Information will also be posted to the Apple Product Security web site:
http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key, and details are available at:
http://www.apple.com/support/security/pgp/
Apple Product Security