Archived - About the security content of QuickTime 7.2

This article has been archived and is no longer updated by Apple.

This document describes the security content of QuickTime 7.2, which can be downloaded and installed via Software Update preferences, or from Apple Downloads.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see "Apple Security Updates."

QuickTime 7.2

  • QuickTime

    CVE-ID: CVE-2007-2295

    Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista, XP SP2

    Impact: Viewing a maliciously crafted H.264 movie may lead to an unexpected application termination or arbitrary code execution

    Description: A memory corruption issue exists in QuickTime's handling of H.264 movies. By enticing a user to access a maliciously crafted H.264 movie, an attacker can trigger the issue, which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of QuickTime H.264 movies. Credit to Tom Ferris of Security-Protocols.com and Matt Slot of Ambrosia Software, Inc., for reporting this issue.

  • QuickTime

    CVE-ID: CVE-2007-2392

    Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista, XP SP2

    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

    Description: A memory corruption issue exists in QuickTime's handling of movie files. By enticing a user to access a maliciously crafted movie file, an attacker can trigger the issue, which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of movie files. Credit to Jonathan 'Wolf' Rentzsch of Red Shed Software for reporting this issue.

  • QuickTime

    CVE-ID: CVE-2007-2296

    Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista, XP SP2

    Impact: Viewing a maliciously crafted .m4v file may lead to an unexpected application termination or arbitrary code execution

    Description: An integer overflow vulnerability exists in QuickTime's handling of .m4v files. By enticing a user to access a maliciously crafted .m4v file, an attacker can trigger the issue, which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of .m4v files. Credit to Tom Ferris of Security-Protocols.com for reporting this issue.

  • QuickTime

    CVE-ID: CVE-2007-2394

    Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista, XP SP2

    Impact: Viewing a maliciously crafted SMIL file may lead to an unexpected application termination or arbitrary code execution

    Description: An integer overflow vulnerability exists in QuickTime's handling of SMIL files. By enticing a user to access a maliciously crafted SMIL file, an attacker can trigger the issue, which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of SMIL files. Credit to David Vaartjes of ITsec Security Services, working with the iDefense VCP, for reporting this issue.

  • QuickTime

    CVE-ID: CVE-2007-2397

    Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista, XP SP2

    Impact: Visiting a malicious website may lead to arbitrary code execution

    Description: A design issue exists in QuickTime for Java, which may allow security checks to be disabled. By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker can trigger the issue, which may lead to arbitrary code execution. This update addresses the issue by performing a more accurate permissions check. Credit to Adam Gowdiak for reporting this issue.

  • QuickTime

    CVE-ID: CVE-2007-2393

    Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista, XP SP2

    Impact: Visiting a malicious website may lead to arbitrary code execution

    Description: A design issue exists in QuickTime for Java. This may allow Java applets to bypass security checks in order to read and write process memory. By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker can trigger the issue, which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of Java applets. Credit to Adam Gowdiak for reporting this issue.

  • QuickTime

    CVE-ID: CVE-2007-2396

    Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista, XP SP2

    Impact: Visiting a malicious website may lead to arbitrary code execution

    Description: A design issue exists in QuickTime for Java. JDirect exposes interfaces that may allow loading arbitrary libraries and freeing arbitrary memory. By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker can trigger the issue, which may lead to arbitrary code execution. This update addresses the issue by removing support for JDirect from QuickTime for Java. Credit to Adam Gowdiak for reporting this issue.

  • QuickTime

    CVE-ID: CVE-2007-2402

    Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista, XP SP2

    Impact: Visiting a malicious website may lead to the disclosure of sensitive information

    Description: A design issue exists in QuickTime for Java, which may allow a malicious website to capture a client's screen content. By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker can trigger the issue, which may lead to the disclosure of sensitive information. This update addresses the issue by performing a more accurate access control check.

Last Modified: Feb 20, 2012
Article: TA24829