Languages

Archived - About the security content of QuickTime 7.4.5

This document describes the security content of QuickTime 7.4.5.

This article has been archived and is no longer updated by Apple.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see "Apple Security Updates".


QuickTime 7.4.5
 

  • QuickTime

    CVE-ID: CVE-2008-1013

    Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2

    Impact: Untrusted Java applets may obtain elevated privileges

    Description: An implementation issue in QuickTime for Java allows untrusted Java applets to deserialize objects provided by QTJava. Visiting a web page containing a maliciously crafted Java applet could allow the disclosure of sensitive information, or arbitrary code execution with the privileges of the current user. This update addresses the issue by disabling the ability of untrusted Java applets to deserialize QTJava objects. Credit to Adam Gowdiak for reporting this issue.

  • QuickTime

    CVE-ID: CVE-2008-1014

    Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2

    Impact: Downloading a movie file may lead to information disclosure

    Description: Specially crafted QuickTime movies can automatically open external URLs, which may lead to information disclosure. This update addresses the issue through improved handling of external URLs embedded in movie files. Credit to Jorge Escala of Open Tech Solutions, and Vinoo Thomas and Rahul Mohandas of McAfee Avert Labs for reporting this issue.

  • QuickTime

    CVE-ID: CVE-2008-1015

    Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2

    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

    Description: An issue in QuickTime's handling of data reference atoms may result in a buffer overflow. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of data reference atoms. Credit to Chris Ries of Carnegie Mellon University Computing Services for reporting this issue.

  • QuickTime

    CVE-ID: CVE-2008-1016

    Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2

    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

    Description: A memory corruption issue exists in QuickTime's handling of movie media tracks. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved validation of movie media tracks.

  • QuickTime

    CVE-ID: CVE-2008-1017

    Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2

    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

    Description: An issue in QuickTime's parsing of 'crgn' atoms may result in a heap buffer overflow. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Sanbin Li working with TippingPoint's Zero Day Initiative for reporting this issue.

  • QuickTime

    CVE-ID: CVE-2008-1018

    Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2

    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

    Description: An issue in QuickTime's parsing of 'chan' atoms may result in a heap buffer overflow. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to an anonymous researcher working with TippingPoint's Zero Day Initiative for reporting this issue.

  • QuickTime

    CVE-ID: CVE-2008-1019

    Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2

    Impact: Opening a maliciously crafted PICT image file may lead to an unexpected application termination or arbitrary code execution

    Description: An issue in QuickTime's handling of PICT records may result in a heap buffer overflow. Viewing a maliciously crafted PICT image file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to bugfree working with TippingPoint's Zero Day Initiative for reporting this issue.

  • QuickTime

    CVE-ID: CVE-2008-1020

    Available for: Windows Vista, XP SP2

    Impact: Opening a maliciously crafted PICT image file may lead to an unexpected application termination or arbitrary code execution

    Description: An issue in QuickTime's handling of error messages during PICT images processing may result in a heap buffer overflow. Viewing a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue does not affect Mac OS X systems. Credit to Ruben Santamarta of Reversemode.com working with TippingPoint's Zero Day Initiative for reporting this issue.

  • QuickTime

    CVE-ID: CVE-2008-1021

    Available for: Windows Vista, XP SP2

    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

    Description: An issue in QuickTime's handling of Animation codec content may result in a heap buffer overflow. Viewing a maliciously crafted movie file with Animation codec content may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue does not affect Mac OS X systems. Credit to an anonymous researcher working with TippingPoint's Zero Day Initiative for reporting this issue.

  • QuickTime

    CVE-ID: CVE-2008-1022

    Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2

    Impact: Viewing a maliciously crafted QuickTime VR movie file may lead to an unexpected application termination or arbitrary code execution

    Description: An issue in QuickTime's parsing of 'obji' atoms may result in a stack buffer overflow. Viewing a maliciously crafted QuickTime VR movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to an anonymous researcher working with TippingPoint's Zero Day Initiative for reporting this issue.

  • QuickTime

    CVE-ID: CVE-2008-1023

    Available for: Windows Vista, XP SP2

    Impact: Opening a maliciously crafted PICT image file may lead to an unexpected application termination or arbitrary code execution

    Description: An issue in QuickTime's parsing of the Clip opcode may result in a heap buffer overflow. Viewing a maliciously crafted PICT image file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue does not affect Mac OS X systems. Credit to Wei Wang of McAfee AVERT labs, and David Wharton for reporting this issue.

  • QuickTime

    CVE-ID: CVE-2008-1739

    Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2

    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

    Description: An issue in QuickTime's parsing of 'ftyp' atoms may result in memory corruption. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to the Mu Security research team for reporting this issue.

Important: Information about products not manufactured by Apple is provided for information purposes only and does not constitute Apple’s recommendation or endorsement. Please contact the vendor for additional information.
Last Modified: Apr 20, 2012
Helpful?
Yes
No
  • Last Modified: Apr 20, 2012
  • Article: HT1241
  • Views:

    3589
  • Rating:
    • 20.0

    (1 Responses)

Additional Product Support Information

Start a Discussion
in Apple Support Communities
See all questions on this article See all questions I have asked