Archived - About the security content of QuickTime 7.5

This document describes the security content of QuickTime 7.5, which can be downloaded and installed via Software Update preferences, or from Apple Downloads.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see "Apple Security Updates."

 

This article has been archived and is no longer updated by Apple.

QuickTime 7.5

  • QuickTime
    CVE-ID: CVE-2008-1581
    Available for: Windows Vista, XP SP2
    Impact: Opening a maliciously crafted PICT image file may lead to an unexpected application termination or arbitrary code execution
    Description: An issue in QuickTime's handling of PixData structures when processing a PICT image may result in a heap buffer overflow. Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue does not affect systems running Mac OS X. Credit to Dyon Balding of Secunia Research for reporting this issue.
  • QuickTime

    CVE-ID: CVE-2008-1582
    Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2
    Impact: Opening maliciously crafted AAC-encoded media content may lead to an unexpected application termination or arbitrary code execution
    Description: A memory corruption issue exists in QuickTime's handling of AAC-encoded media content. Opening a maliciously crafted media file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of media files. Credit to Dave Soldera of NGS Software, and Jens Alfke for reporting this issue.

     

  • QuickTime

    CVE-ID: CVE-2008-1583
    Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2
    Impact: Opening a maliciously crafted PICT image file may lead to an unexpected application termination or arbitrary code execution
    Description: A heap buffer overflow exists in QuickTime's handling of PICT images. Opening a maliciously crafted PICT image file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Liam O Murchu of Symantec for reporting this issue.

     

  • QuickTime

    CVE-ID: CVE-2008-1584
    Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2
    Impact: Viewing maliciously crafted Indeo 4 video media content may lead to an unexpected application termination or arbitrary code execution
    Description: An issue in QuickTime's handling of Indeo video codec content may result in a stack buffer overflow. Viewing a maliciously crafted movie file with Indeo video codec content may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by not rendering Indeo 4 video codec content. Credit to an anonymous researcher working with TippingPoint's Zero Day Initiative for reporting this issue.

     

  • QuickTime

    CVE-ID: CVE-2008-1585
    Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2
    Impact: Playing maliciously crafted QuickTime content in QuickTime Player may lead to arbitrary code execution
    Description: A URL handling issue exists in QuickTime's handling of file: URLs. This may allow arbitrary applications and files to be launched when a user plays maliciously crafted QuickTime content in QuickTime Player. This update addresses the issue by revealing files in Finder or Windows Explorer rather than launching them. Credit to Vinoo Thomas and Rahul Mohandas of McAfee Avert Labs, and Petko D. (pdp) Petkov of GNUCITIZEN working with TippingPoint's Zero Day Initiative for reporting this issue.

     

  • QuickTime

    CVE-ID: CVE-2008-2319
    Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2
    Impact: Opening a maliciously crafted PICT image file may lead to an unexpected application termination or arbitrary code execution
    Description: A sign extension issue in QuickTime's handling of PICT images may lead to a heap buffer overflow. Opening a maliciously crafted PICT image file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by treating the value as unsigned. Credit to Sergio 'shadown' Alvarez of n.runs AG for reporting this issue.
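The sign extension pattern behind CVE-2008-2319, and the "treat the value as unsigned" fix, shown as an added illustration that is not QuickTime's code. The advisory does not say which PICT field is involved, so the 16-bit length field, the function names and `ROW_BUF` here are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ROW_BUF 256u  /* constructed destination buffer size */

/* Read a big-endian 16-bit field from the file bytes. */
static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Flawed pattern: the field is held in a signed 16-bit type. 0xFFF0 reads
 * as -16, so the upper-bound test passes, and the conversion to size_t
 * sign-extends it into an enormous copy length. */
int length_ok_signed(const uint8_t *field, size_t *len)
{
    int16_t n = (int16_t)rd16(field);
    if (n > (int)ROW_BUF)
        return 0;
    *len = (size_t)n;
    return 1;
}

/* Corrected pattern: the value is treated as unsigned, so the same two
 * bytes read as 65520 and the bounds check rejects them. */
int length_ok_unsigned(const uint8_t *field, size_t *len)
{
    uint16_t n = rd16(field);
    if (n > ROW_BUF)
        return 0;
    *len = n;
    return 1;
}

int main(void)
{
    const uint8_t crafted[2] = { 0xFF, 0xF0 };  /* constructed sample field */
    size_t len = 0;
    if (length_ok_signed(crafted, &len))
        printf("signed:   accepted, length %zu\n", len);
    if (!length_ok_unsigned(crafted, &len))
        printf("unsigned: rejected\n");
    return 0;
}
```

Compiling with `-Wconversion -Wsign-conversion` flags the signed-to-`size_t` conversion in the flawed variant.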

     

Last Modified: Nov 6, 2011
  • Article: HT1991