About the security content of QuickTime 7.6.4

This document describes the security content of QuickTime 7.6.4.

For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To find out more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To find out more about other Security Updates, see “Apple Security Updates”.

QuickTime 7.6.4

• QuickTime

  CVE-ID: CVE-2009-2202

  Available for: Mac OS X v10.4.11, Mac OS X v10.5.8, Windows 7, Vista and XP SP3

  Impact: viewing a maliciously crafted H.264 movie may lead to an unexpected application termination or arbitrary code execution

  Description: a memory corruption issue exists in QuickTime's handling of H.264 movie files. Viewing a maliciously crafted H.264 movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Tom Ferris of the Adobe Secure Software Engineering Team for reporting this issue.

• QuickTime

  CVE-ID: CVE-2009-2203

  Available for: Mac OS X v10.4.11, Mac OS X v10.5.8, Windows 7, Vista and XP SP3

  Impact: opening a maliciously crafted MPEG-4 video file may lead to an unexpected application termination or arbitrary code execution

  Description: a buffer overflow exists in QuickTime’s handling of MPEG-4 video files. Opening a maliciously crafted MPEG-4 video file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Alex Selivanov for reporting this issue.

• QuickTime

  CVE-ID: CVE-2009-2798

  Available for: Mac OS X v10.4.11, Mac OS X v10.5.8, Windows 7, Vista and XP SP3

  Impact: viewing a maliciously crafted FlashPix file may lead to an unexpected application termination or arbitrary code execution

  Description: a heap buffer overflow exists in QuickTime’s handling of FlashPix files. Viewing a maliciously crafted FlashPix file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Damian Put working with TippingPoint and the Zero Day Initiative for reporting this issue.

• QuickTime

  CVE-ID: CVE-2009-2799

  Available for: Mac OS X v10.4.11, Mac OS X v10.5.8, Windows 7, Vista and XP SP3

  Impact: viewing a maliciously crafted H.264 movie may lead to an unexpected application termination or arbitrary code execution

  Description: a heap buffer overflow exists in QuickTime’s handling of H.264 movie files. Viewing a maliciously crafted H.264 movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to an anonymous researcher working with TippingPoint and the Zero Day Initiative for reporting this issue.