Languages

Archived - About the security content of QuickTime 7.0.4

This article has been archived and is no longer updated by Apple.

This document describes the security content of QuickTime 7.0.4, which can be downloaded and installed via Software Update preferences, or from Apple Downloads.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see "Apple Security Updates."

QuickTime 7.0.4

The following issues are addressed in QuickTime 7.0.4, and affect QuickTime 7.0.3 and earlier versions.

  • QuickTime

    CVE-ID: CVE-2005-2340

    Available for: Mac OS X v10.3.9 and later, Microsoft Windows XP, Microsoft Windows 2000

    Impact: A maliciously-crafted JPEG image may result in arbitrary code execution

    Description: By carefully crafting a corrupt JPEG image, an attacker can trigger a heap buffer overflow which may result in arbitrary code execution. This update addresses the issue by performing additional validation of JPEG images. Credit to Varun Uppal of Kanbay, Dennis Rand of CIRT.DK, and Fang Xing of eEye Digital Security (eeye.com) for reporting this issue.

  • QuickTime

    CVE-ID: CVE-2005-3707, CVE-2005-3708, CVE-2005-3709

    Available for: Mac OS X v10.3.9 and later, Microsoft Windows XP, Microsoft Windows 2000

    Impact: Viewing a maliciously-crafted TGA image may result in arbitrary code execution

    Description: By carefully crafting a corrupt TGA image, an attacker can trigger a buffer overflow, integer overflow, or integer underflow that may result in a denial-of-service or arbitrary code execution. This update addresses the issue by performing additional validation of images. Credit to Dejun Meng of Fortinet for reporting this issue.

  • QuickTime

    CVE-ID: CVE-2005-3710, CVE-2005-3711

    Available for: Mac OS X v10.3.9 and later, Microsoft Windows XP, Microsoft Windows 2000

    Impact: Viewing a maliciously-crafted TIFF image may result in arbitrary code execution

    Description: By carefully crafting a corrupt TIFF image, an attacker can trigger an integer overflow which may result in a denial-of-service or arbitrary code execution. This update addresses the issue by performing additional validation of TIFF images. Credit to Dejun Meng of Fortinet for reporting this issue.

  • QuickTime

    CVE-ID: CVE-2005-3713

    Available for: Mac OS X v10.3.9 and later, Microsoft Windows XP, Microsoft Windows 2000

    Impact: A maliciously-crafted GIF image may result in arbitrary code execution

    Description: By carefully crafting a corrupt GIF image, an attacker can trigger a heap buffer overflow which may result in arbitrary code execution. This update addresses the issue by performing additional validation of GIF images. Credit to Karl Lynn of eEye Digital Security (eeye.com) for reporting this issue.

  • QuickTime

    CVE-ID: CVE-2005-4092

    Available for: Mac OS X v10.3.9 and later, Microsoft Windows XP, Microsoft Windows 2000

    Impact: A maliciously-crafted media file may result in arbitrary code execution

    Description: By carefully crafting a corrupt media file, an attacker can trigger a heap buffer overflow which may result in arbitrary code execution. This update addresses the issue by performing additional validation of media files. Credit to Karl Lynn of eEye Digital Security (eeye.com) for reporting this issue.

QuickTime 7.0.4 may be obtained from the Software Update pane in System Preferences, or from the Download tab in the QuickTime website.

Last Modified: Feb 19, 2012
  • Last Modified: Feb 19, 2012
  • Article: TA23845
  • Views:

    2189

Additional Product Support Information