APPLE-SA-2007-03-05 QuickTime 7.1.5
APPLE-SA-2007-03-05 QuickTime 7.1.5
- Subject: APPLE-SA-2007-03-05 QuickTime 7.1.5
- From: Apple Product Security <email@hidden>
- Date: Mon, 5 Mar 2007 13:19:54 -0800
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2007-03-05 QuickTime 7.1.5
QuickTime 7.1.5 is now available. Along with functionality
improvements (see release notes), it also provides fixes for the
following security issues:
QuickTime
CVE-ID: CVE-2007-0711
Available for: Windows Vista/XP/2000
Impact: Viewing a maliciously-crafted 3GP file may lead to an
application crash or arbitrary code execution
Description: An integer overflow exists in QuickTime's handling
of 3GP video files. By enticing a user to open a malicious
movie, an attacker can trigger the overflow, which may lead
to an application crash or arbitrary code execution. This update
addresses the issue by performing additional validation of 3GP
video files. This issue does not affect Mac OS X. Credit to JJ
Reyes for reporting this issue.
QuickTime
CVE-ID: CVE-2007-0712
Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000
Impact: Viewing a maliciously-crafted MIDI file may lead to an
application crash or arbitrary code execution
Description: A heap buffer overflow exists in QuickTime's
handling of MIDI files. By enticing a user to open a malicious
MIDI file, an attacker can trigger the overflow, which may lead
to an application crash or arbitrary code execution. This update
addresses the issue by performing additional validation of MIDI
files. Credit to Mike Price of McAfee AVERT Labs for reporting
this issue.
QuickTime
CVE-ID: CVE-2007-0713
Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000
Impact: Viewing a maliciously-crafted Quicktime movie file may
lead to an application crash or arbitrary code execution
Description: A heap buffer overflow exists in QuickTime's
handling of QuickTime movie files. By enticing a user to access
a maliciously-crafted movie, an attacker can trigger the
overflow, which may lead to an application crash or arbitrary
code execution. This update addresses the issue by performing
additional validation of QuickTime movies. Credit to Mike Price
of McAfee AVERT Labs, Piotr Bania, and Artur Ogloza (Czestochowa,
Poland) for reporting this issue.
QuickTime
CVE-ID: CVE-2007-0714
Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000
Impact: Viewing a maliciously-crafted Quicktime movie file may
lead to an application crash or arbitrary code execution
Description: An integer overflow exists in QuickTime's handling
of UDTA atoms in movie files. By enticing a user to access a
maliciously-crafted movie, an attacker can trigger the overflow,
which may lead to an application crash or arbitrary code
execution. This update addresses the issue by performing
additional validation of QuickTime movies. Credit to Sowhat of
Nevis Labs, and an anonymous researcher working with TippingPoint
and the Zero Day Initiative for reporting this issue.
QuickTime
CVE-ID: CVE-2007-0715
Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000
Impact: Viewing a maliciously-crafted PICT file may lead to an
application crash or arbitrary code execution
Description: A heap buffer overflow exists in QuickTime's
handling of PICT files. By enticing a user to open a malicious
PICT image file an attacker can trigger the overflow, which may
lead to arbitrary code execution. This update addresses the
issue by performing additional validation of PICT files. Credit
to Mike Price of McAfee AVERT Labs for reporting this issue.
QuickTime
CVE-ID: CVE-2007-0716
Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000
Impact: Opening a maliciously-crafted QTIF file may lead to an
application crash or arbitrary code execution
Description: A stack buffer overflow exists in QuickTime's
handling of QTIF files. By enticing a user to access a
maliciously-crafted QTIF file, an attacker can trigger the
overflow, which may lead to an application crash or arbitrary
code execution. This update addresses the issue by performing
additional validation of QTIF files. Credit to Mike Price of
McAfee AVERT Labs for reporting this issue.
QuickTime
CVE-ID: CVE-2007-0717
Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000
Impact: Opening a maliciously-crafted QTIF file may lead to an
application crash or arbitrary code execution
Description: An integer overflow exists in QuickTime's handling
of QTIF files. By enticing a user to access a maliciously-crafted
QTIF file, an attacker can trigger the overflow, which may lead to
an application crash or arbitrary code execution. This update
addresses the issue by performing additional validation of QTIF
files. Credit to Mike Price of McAfee AVERT Labs for reporting
this issue.
QuickTime
CVE-ID: CVE-2007-0718
Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000
Impact: Opening a maliciously-crafted QTIF file may lead to an
application crash or arbitrary code execution
Description: A heap buffer overflow exists in QuickTime's
handling of QTIF files. By enticing a user to access a
maliciously-crafted QTIF file, an attacker can trigger the
overflow, which may lead to an application crash or arbitrary
code execution. This update addresses the issue by performing
additional validation of QTIF files. Credit to Ruben Santamarta
working with the iDefense Vulnerability Contributor Program, and
JJ Reyes for reporting this issue.
QuickTime 7.1.5 may be obtained from the Software Update
application, or from the Download area in the QuickTime site
http://www.apple.com/quicktime/download/
For Mac OS X v10.3.9 or later
The download file is named: "QuickTime715.dmg"
Its SHA-1 digest is: 68e621a81560610a37bbf8be5695c751c006627d
QuickTime 7.1.5 for Windows Vista/XP/2000
The download file is named: "QuickTimeInstaller.exe"
Its SHA-1 digest is: 138d028e7b7c77b8938ae65a14369587a7752a85
QuickTime 7.1.5 with iTunes for Windows Vista/XP/2000
The download file is named: "iTunesSetup.exe"
Its SHA-1 digest is: 0a32a8c929cd8f893793a5c260d437726728fe0d
Information will also be posted to the Apple Product Security
web site: http://docs.info.apple.com/article.html?artnum=61798
This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.6 (Build 6060)
iQEVAwUBRexyRImzP5/bU5rtAQi+vAgAkStJiumk4+tJaygYj6cwzTPlZiPzTfqi
0n8/mUw8XXXHhMYGcnpBnPW1yRlQeZtTpcK7qtb0pQs2Qhc/Uok/SgbUF/ELcgVw
GMh3oqRx8kWqXClT+IEgH+H+wZb2+8UEUgztcbaXCwuCevHSv5oVJ1cx4iphbObk
aKYDBx9DIj18pdcQsbazQmsIrH5Hgt6hpxR/5RTHqORrA2A4EPpXXdCtr4087u+u
IhrpUR9h6noToOXSpCAIS5L4t7B2wJRydsbqEk+VCvP8qqMGxrvoVcKQ2ic+DTBm
IhRUYUP9Z3D3WUsEQ2QCMXMdwIKbA5ypHxuWXp5viPLUUQESXqRTSA==
=BkfW
-----END PGP SIGNATURE-----
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden