About the security content of QuickTime 7.1.5
This document describes the security content of QuickTime 7.1.5.
This document describes the security content of QuickTime 7.1.5, which can be downloaded and installed via Software Update preferences, or from here.
For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To find out more about Apple Product Security, see the Apple Product Security website.
For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key".
Where possible, CVE IDs are used to reference the vulnerabilities for further information.
To find out more about other Security Updates, see "Apple Security Updates".
QuickTime 7.1.5 Update
QuickTime
CVE-ID: CVE-2007-0711
Available for: Windows Vista/XP/2000
Impact: Viewing a maliciously crafted 3GP file may lead to an application crash or arbitrary code execution.
Description: An integer overflow exists in QuickTime's handling of 3GP video files. By enticing a user to open a malicious film, an attacker can trigger the overflow, which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of 3GP video files. This issue does not affect Mac OS X. Credit to JJ Reyes for reporting this issue.
QuickTime
CVE-ID: CVE-2007-0712
Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000
Impact: Viewing a maliciously crafted MIDI file may lead to an application crash or arbitrary code execution.
Description: A heap buffer overflow exists in QuickTime's handling of MIDI files. By enticing a user to open a malicious MIDI file, an attacker can trigger the overflow, which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of MIDI files. Credit to Mike Price of McAfee AVERT Labs for reporting this issue.
QuickTime
CVE-ID: CVE-2007-0713
Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000
Impact: Viewing a maliciously crafted QuickTime movie file may lead to an application crash or arbitrary code execution.
Description: A heap buffer overflow exists in QuickTime's handling of QuickTime movie files. By enticing a user to access a maliciously crafted film, an attacker can trigger the overflow, which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of QuickTime movies. Credit Mike Price of McAfee AVERT Labs, Piotr Bania, and Artur Ogloza for reporting this issue.
QuickTime
CVE-ID: CVE-2007-0714
Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000
Impact: Viewing a maliciously crafted QuickTime movie file may lead to an application crash or arbitrary code execution.
Description: An integer overflow exists in QuickTime's handling of UDTA atoms in movie files. By enticing a user to access a maliciously crafted film, an attacker can trigger the overflow, which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of QuickTime movies. Credit to Sowhat of Nevis Labs, and an anonymous researcher working with TippingPoint and the Zero Day Initiative for reporting this issue.
QuickTime
CVE-ID: CVE-2007-0715
Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000
Impact: Viewing a maliciously crafted PICT file may lead to an application crash or arbitrary code execution.
Description: A heap buffer overflow exists in QuickTime's handling of PICT files. By enticing a user to open a malicious PICT image file an attacker can trigger the overflow, which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of PICT files. Credit to Mike Price of McAfee AVERT Labs for reporting this issue.
QuickTime
CVE-ID: CVE-2007-0716
Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000
Impact: Opening a maliciously crafted QTIF file may lead to an application crash or arbitrary code execution.
Description: A stack buffer overflow exists in QuickTime's handling of QTIF files. By enticing a user to access a maliciously crafted QTIF file, an attacker can trigger the overflow, which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of QTIF files. Credit to Mike Price of McAfee AVERT Labs for reporting this issue.
QuickTime
CVE-ID: CVE-2007-0717
Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000
Impact: Opening a maliciously crafted QTIF file may lead to an application crash or arbitrary code execution.
Description: An integer overflow exists in QuickTime's handling of QTIF files. By enticing a user to access a maliciously crafted QTIF file, an attacker can trigger the overflow, which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of QTIF files. Credit to Mike Price of McAfee AVERT Labs for reporting this issue.
QuickTime
CVE-ID: CVE-2007-0718
Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000
Impact: Opening a maliciously crafted QTIF file may lead to an application crash or arbitrary code execution.
Description: A heap buffer overflow exists in QuickTime's handling of QTIF files. By enticing a user to access a maliciously crafted QTIF file, an attacker can trigger the overflow, which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of QTIF files. Credit to Ruben Santamarta working with the iDefense Vulnerability Contributor Program, and JJ Reyes for reporting this issue.
QuickTime
CVE-ID: CVE-2006-4965, CVE-2007-0059
Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000
Impact: Viewing a maliciously crafted QuickTime movie file or QTL file may lead to arbitrary JavaScript code execution in context of the local domain.
Description: A cross-zone scripting issue exists in QuickTime's browser plugin. By enticing a user to open a malicious QuickTime movie file or QTL file, an attacker can trigger the issue, which may lead to arbitrary JavaScript code execution in context of the local domain. This issue has been described on the Month of Apple Bugs web site (MOAB-03-01-2007). This update addresses the issue by making the following changes to the handling of URLs in the qtnext attribute of QTL files, and HREFTracks in QuickTime movies. Only "http:" and "https:" URLs are allowed if the film is being loaded from a remote site. Only "file:" URLs are allowed if the film is being loaded locally.
QuickTime 7.1.5 for Mac or Windows may be obtained from Software Update or as a manual download from: http://www.apple.com/uk/quicktime/download/.