Languages

Archived - About the security content of QuickTime 7.3

This document describes the security content of QuickTime 7.3, which can be downloaded and installed via Software Update preferences, or from Apple Downloads.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see Apple Security Updates.

This article has been archived and is no longer updated by Apple.

QuickTime 7.3

  • QuickTime

    CVE-ID: CVE-2007-2395

    Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5, Windows Vista, XP SP2

    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

    Description: A memory corruption issue exists in QuickTime's handling of image description atoms. By enticing a user to open a maliciously crafted movie file, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of QuickTime image descriptions. Credit to Dylan Ashe of Adobe Systems Incorporated for reporting this issue.

  • QuickTime

    CVE-ID: CVE-2007-3750

    Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5, Windows Vista, XP SP2

    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

    Description: A heap buffer overflow exists in QuickTime Player's handling of Sample Table Sample Descriptor (STSD) atoms. By enticing a user to open a maliciously crafted movie file, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of STSD atoms. Credit to Tobias Klein of www.trapkit.de for reporting this issue.

  • QuickTime

    CVE-ID: CVE-2007-3751

    Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5, Windows Vista, XP SP2

    Impact: Untrusted Java applets may obtain elevated privileges

    Description: Multiple vulnerabilities exist in QuickTime for Java, which may allow untrusted Java applets to obtain elevated privileges. By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker may cause the disclosure of sensitive information and arbitrary code execution with elevated privileges. This update addresses the issues by making QuickTime for Java no longer accessible to untrusted Java applets. Credit to Adam Gowdiak for reporting this issue.

  • QuickTime

    CVE-ID: CVE-2007-4672

    Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5, Windows Vista, XP SP2

    Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution

    Description: A stack buffer overflow exists in PICT image processing. By enticing a user to open a maliciously crafted image, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of PICT files. Credit to Ruben Santamarta of reversemode.com working with TippingPoint and the Zero Day Initiative for reporting this issue.

  • QuickTime

    CVE-ID: CVE-2007-4676

    Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5, Windows Vista, XP SP2

    Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution

    Description: A heap buffer overflow exists in PICT image processing. By enticing a user to open a maliciously crafted image, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of PICT files. Credit to Ruben Santamarta of reversemode.com working with TippingPoint and the Zero Day Initiative for reporting this issue.

  • QuickTime

    CVE-ID: CVE-2007-4675

    Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5, Windows Vista, XP SP2

    Impact: Viewing a maliciously crafted QTVR movie file may lead to an unexpected application termination or arbitrary code execution

    Description: A heap buffer overflow exists in QuickTime's handling of panorama sample atoms in QTVR (QuickTime Virtual Reality) movie files. By enticing a user to view a maliciously crafted QTVR file, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by performing bounds checking on panorama sample atoms. Credit to Mario Ballano from 48bits.com working with the VeriSign iDefense VCP for reporting this issue.

  • QuickTime

    CVE-ID: CVE-2007-4677

    Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5, Windows Vista, XP SP2

    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

    Description: A heap buffer overflow exists in the parsing of the color table atom when opening a movie file. By enticing a user to open a maliciously crafted movie file, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of color table atoms. Credit to Ruben Santamarta of reversemode.com and Mario Ballano of 48bits.com working with TippingPoint and the Zero Day Initiative for reporting this issue.

  • QuickTime

    CVE-ID: CVE-2007-4674

    Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5, Windows Vista, XP SP2

    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution.

    Description: An integer arithmetic issue in QuickTime's handling of certain movie file atoms may lead to a stack buffer overflow. By enticing a user to open a maliciously crafted movie file, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of atom length fields in movie files. Credit to Cody Pierce of TippingPoint DVLabs for reporting this issue.

Important: Information about products not manufactured by Apple is provided for information purposes only and does not constitute Apple’s recommendation or endorsement. Please contact the vendor for additional information.
Last Modified: Nov 5, 2011
Helpful?
Yes
No
  • Last Modified: Nov 5, 2011
  • Article: HT2047
  • Views:

    1464
  • Rating:
    • 100.0

    (1 Responses)

Additional Product Support Information

Start a Discussion
in Apple Support Communities
See all questions on this article See all questions I have asked