Archived - About the security content of QuickTime 7.1.5

This article has been archived and is no longer updated by Apple.

This document describes the security content of QuickTime 7.1.5, which can be downloaded and installed via Software Update preferences, or from here.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see "Apple Security Updates."

QuickTime 7.1.5 Update

  • QuickTime

    CVE-ID: CVE-2007-0711

    Available for: Windows Vista/XP/2000

    Impact: Viewing a maliciously-crafted 3GP file may lead to an application crash or arbitrary code execution

    Description: An integer overflow exists in QuickTime's handling of 3GP video files. By enticing a user to open a malicious movie, an attacker can trigger the overflow, which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of 3GP video files. This issue does not affect Mac OS X. Credit to JJ Reyes for reporting this issue.

  • QuickTime

    CVE-ID: CVE-2007-0712

    Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000

    Impact: Viewing a maliciously-crafted MIDI file may lead to an application crash or arbitrary code execution

    Description: A heap buffer overflow exists in QuickTime's handling of MIDI files. By enticing a user to open a malicious MIDI file, an attacker can trigger the overflow, which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of MIDI files. Credit to Mike Price of McAfee AVERT Labs for reporting this issue.

  • QuickTime

    CVE-ID: CVE-2007-0713

    Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000

    Impact: Viewing a maliciously-crafted QuickTime movie file may lead to an application crash or arbitrary code execution

    Description: A heap buffer overflow exists in QuickTime's handling of QuickTime movie files. By enticing a user to access a maliciously-crafted movie, an attacker can trigger the overflow, which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of QuickTime movies. Credit to Mike Price of McAfee AVERT Labs, Piotr Bania, and Artur Ogloza for reporting this issue.

  • QuickTime

    CVE-ID: CVE-2007-0714

    Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000

    Impact: Viewing a maliciously-crafted QuickTime movie file may lead to an application crash or arbitrary code execution

    Description: An integer overflow exists in QuickTime's handling of UDTA atoms in movie files. By enticing a user to access a maliciously-crafted movie, an attacker can trigger the overflow, which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of QuickTime movies. Credit to Sowhat of Nevis Labs, and an anonymous researcher working with TippingPoint and the Zero Day Initiative for reporting this issue.

  • QuickTime

    CVE-ID: CVE-2007-0715

    Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000

    Impact: Viewing a maliciously-crafted PICT file may lead to an application crash or arbitrary code execution

    Description: A heap buffer overflow exists in QuickTime's handling of PICT files. By enticing a user to open a malicious PICT image file, an attacker can trigger the overflow, which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of PICT files. Credit to Mike Price of McAfee AVERT Labs for reporting this issue.

  • QuickTime

    CVE-ID: CVE-2007-0716

    Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000

    Impact: Opening a maliciously-crafted QTIF file may lead to an application crash or arbitrary code execution

    Description: A stack buffer overflow exists in QuickTime's handling of QTIF files. By enticing a user to access a maliciously-crafted QTIF file, an attacker can trigger the overflow, which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of QTIF files. Credit to Mike Price of McAfee AVERT Labs for reporting this issue.

  • QuickTime

    CVE-ID: CVE-2007-0717

    Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000

    Impact: Opening a maliciously-crafted QTIF file may lead to an application crash or arbitrary code execution

    Description: An integer overflow exists in QuickTime's handling of QTIF files. By enticing a user to access a maliciously-crafted QTIF file, an attacker can trigger the overflow, which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of QTIF files. Credit to Mike Price of McAfee AVERT Labs for reporting this issue.

  • QuickTime

    CVE-ID: CVE-2007-0718

    Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000

    Impact: Opening a maliciously-crafted QTIF file may lead to an application crash or arbitrary code execution

    Description: A heap buffer overflow exists in QuickTime's handling of QTIF files. By enticing a user to access a maliciously-crafted QTIF file, an attacker can trigger the overflow, which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of QTIF files. Credit to Ruben Santamarta working with the iDefense Vulnerability Contributor Program, and JJ Reyes for reporting this issue.

  • QuickTime

    CVE-ID: CVE-2006-4965, CVE-2007-0059

    Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000

    Impact: Viewing a maliciously-crafted QuickTime movie file or QTL file may lead to arbitrary JavaScript code execution in context of the local domain

    Description: A cross-zone scripting issue exists in QuickTime's browser plugin. By enticing a user to open a malicious QuickTime movie file or QTL file, an attacker can trigger the issue, which may lead to arbitrary JavaScript code execution in context of the local domain. This issue has been described on the Month of Apple Bugs web site (MOAB-03-01-2007). This update addresses the issue by making the following changes to the handling of URLs in the qtnext attribute of QTL files, and HREFTracks in QuickTime movies. Only "http:" and "https:" URLs are allowed if the movie is loaded from a remote site. Only "file:" URLs are allowed if the movie is loaded locally.
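
The scheme policy described in the last item, sketched as an allowlist check. This is an added example, not Apple's or QuickTime's code; the function names, example.com and the file paths are assumptions made for illustration.

```javascript
// Added example: names are hypothetical, not QuickTime's own code.
const ALLOWED = {
  remote: new Set(["http:", "https:"]), // movie loaded from a remote site
  local: new Set(["file:"]),            // movie loaded locally
};

// Classify where the movie itself was loaded from, based on its URL.
function movieOrigin(movieUrl) {
  let u;
  try { u = new URL(movieUrl); } catch { return null; }
  if (u.protocol === "file:") return "local";
  if (ALLOWED.remote.has(u.protocol)) return "remote";
  return null; // unknown origin: nothing is allowed
}

// Decide whether a qtnext / HREFTrack target URL may be followed.
function isTargetAllowed(movieUrl, target) {
  const origin = movieOrigin(movieUrl);
  if (origin === null) return false;
  let resolved;
  try {
    // Resolve against the movie URL so relative targets inherit its scheme.
    // The WHATWG parser lower-cases the scheme and drops tabs/newlines, so
    // " JaVa\tScript:" is seen as "javascript:" before the allowlist check.
    resolved = new URL(target, movieUrl);
  } catch {
    return false; // unparsable target: fail closed
  }
  return ALLOWED[origin].has(resolved.protocol);
}

// Constructed sample inputs: [movie URL, qtnext/HREFTrack target].
const samples = [
  ["https://example.com/m/a.mov", "next.mov"],
  ["https://example.com/m/a.mov", "javascript:void(0)"],
  ["https://example.com/m/a.mov", "file:///tmp/b.mov"],
  ["file:///Users/u/a.mov", "b.mov"],
  ["file:///Users/u/a.mov", "https://example.com/x.mov"],
  ["file:///Users/u/a.mov", " JaVa\tScript:void(0)"],
];

function evaluateSamples() {
  return samples.map(([movie, target]) => isTargetAllowed(movie, target));
}

console.log(evaluateSamples());
```

Checking the scheme only after parsing and resolving the target is what keeps mixed-case or whitespace-padded schemes from slipping past the allowlist.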

QuickTime 7.1.5 for Mac or Windows may be obtained from Software Update or as a manual download from: http://www.apple.com/quicktime/download/.

Last Modified: Apr 19, 2012
  • Article: HT2243