Code execution flaws hit QuickTime again
June 10th, 2008
Apple has shipped a highly critical QuickTime software update with patches for at least five code execution vulnerabilities haunting Windows XP, Windows Vista and Mac OS X users.With QuickTime 7.5, Apple corrects multiple buffer overflows, memory corruption issues and URI handling flaws that could allow malicious hackers to launch exploits with QuickTime movie or image files.
The details from Apple’s advisory:
CVE-2008-1581: Available for Windows Vista and Windows XP SP2
An issue in QuickTime’s handling of PixData structures when processing a PICT image may result in a heap buffer overflow. Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution. This issue does not affect systems running Mac OS X.
CVE-2008-1582: Available for Mac OS X v10.3.9, Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2
A memory corruption issue exists in QuickTime’s handling of AAC-encoded media content. Opening a maliciously crafted
media file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of media files.
CVE-2008-1583: Available for Mac OS X v10.3.9, Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2
A heap buffer overflow exists in QuickTime’s handling of PICT images. Opening a maliciously crafted PICT image file may
lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.
CVE-2008-1584: Available for Mac OS X v10.3.9, Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2
An issue in QuickTime’s handling of Indeo video codec content may result in a stack buffer overflow. Viewing a maliciously
crafted movie file with Indeo video codec content may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by not rendering Indeo video codec content.
CVE-2008-1585: Available for Mac OS X v10.3.9, Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2
A URL handling issue exists in QuickTime’s handling of file: URLs. This may allow arbitrary applications and files to be
launched when a user plays maliciously crafted QuickTime content in QuickTime Player. This update addresses the issue by revealing files in Finder or Windows Explorer rather than launching them.
Post a Comment