Apple QuickTime bitten by code execution flaws
Apple today released QuickTime 7.6 to fix at least seven serious security flaws that expose Mac OS X and Windows users to remote code execution attacks.
The latest upgrade, available for Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista and Windows XP SP2 and SP3, covers vulnerabilities that could be exploited via malicious URLs or booby-trapped movie or audio files.
Here’s the skinny:
- CVE-2009-0001 — A heap buffer overflow exists in QuickTime’s handling of RTSP URLs. Accessing a maliciously crafted RTSP URL may lead to an unexpected application termination or arbitrary code execution.
- CVE-2009-0002 — A heap buffer overflow exists in QuickTime’s handling of THKD atoms in QTVR (QuickTime Virtual Reality) movie files. Viewing a maliciously crafted QTVR file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.
- CVE-2009-0003 — A heap buffer overflow may occur while processing an AVI movie file. Opening a maliciously crafted AVI movie file may lead to an unexpected application termination or arbitrary code execution.
- CVE-2009-0004 — A buffer overflow exists in the handling of MPEG-2 video files with MP3 audio content. Viewing a maliciously crafted
movie file may lead to an unexpected application termination or arbitrary code execution. - CVE-2009-0005 — A memory corruption exists in QuickTime’s handling of H.263 encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution.
- CVE-2009-0006 — A signedness issue exists in QuickTime’s handling of Cinepak encoded movie files, which may result in a heap buffer
overflow. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. - CVE-2009-0007 — A heap buffer overflow exists in QuickTime’s handling of jpeg atoms in QuickTime movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution.
The patch is available via the software update utility on Mac OS X and the automatic-updating tool for Windows XP and Vista. Additionally, QuickTime 7.6 may be obtained from QuickTime Downloads site.
UPDATE: Apple issued a separate advisory for an input validation issue in the QuickTime MPEG-2 Playback Component for Windows:
- CVE-2009-0008 (available for Windows Vista, XP SP2 and SP3): Accessing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of MPEG-2 files. This issue does not affect systems running Mac OS X.
Post a Comment