About the security content of QuickTime 7.6.2
This document describes the security content of QuickTime 7.6.2.
For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To find out more about Apple Product Security, see the Apple Product Security website.
For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."
Where possible, CVE IDs are used to reference the vulnerabilities for further information.
To find out more about other Security Updates, see "Apple Security Updates".
QuickTime 7.6.2
QuickTime
CVE-ID: CVE-2009-0188
Available for: Mac OS X v10.4.11, Mac OS X v10.5.7, Windows Vista and XP SP3
Impact: Opening a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in QuickTime’s handling of Sorenson 3 video files. This may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of Sorenson 3 video files. Credit to Carsten Eiram of Secunia Research for reporting this issue.
QuickTime
CVE-ID: CVE-2009-0951
Available for: Mac OS X v10.4.11, Mac OS X v10.5.7, Windows Vista and XP SP3
Impact: Opening a maliciously crafted FLC compression file may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in the handling of FLC compression files. Opening a maliciously crafted FLC compression file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to an anonymous researcher working with TippingPoint's Zero Day Initiative for reporting this issue.
QuickTime
CVE-ID: CVE-2009-0952
Available for: Mac OS X v10.4.11, Mac OS X v10.5.7, Windows Vista and XP SP3
Impact: Viewing a maliciously crafted PSD image may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow may occur while processing a compressed PSD image. Opening a maliciously crafted compressed PSD file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Damian Put working with TippingPoint’s Zero Day Initiative for reporting this issue.
QuickTime
CVE-ID: CVE-2009-0010
Available for: Windows Vista and XP SP3
Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution
Description: An integer underflow in QuickTime’s handling of PICT images may result in a heap buffer overflow. Opening a maliciously crafted PICT file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of PICT images. Credit to Sebastian Apelt working with TippingPoint’s Zero Day Initiative, and Chris Ries of Carnegie Mellon University Computing Services for reporting this issue.
QuickTime
CVE-ID: CVE-2009-0953
Available for: Mac OS X v10.4.11, Mac OS X v10.5.7, Windows Vista and XP SP3
Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in QuickTime’s handling of PICT images. Opening a maliciously crafted PICT file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of PICT images. Credit to Sebastian Apelt working with TippingPoint’s Zero Day Initiative for reporting this issue.
QuickTime
CVE-ID: CVE-2009-0954
Available for: Windows Vista and XP SP3
Impact: Opening a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in QuickTime’s handling of Clipping Region (CRGN) atom types in a movie file. Opening a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue does not affect Mac OS X systems. Credit to an anonymous researcher working with TippingPoint's Zero Day Initiative for reporting this issue.
QuickTime
CVE-ID: CVE-2009-0185
Available for: Mac OS X v10.4.11, Mac OS X v10.5.7, Windows Vista and XP SP3
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in the handling of MS ADPCM encoded audio data. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Alin Rad Pop of Secunia Research for reporting this issue.
QuickTime
CVE-ID: CVE-2009-0955
Available for: Mac OS X v10.4.11, Mac OS X v10.5.7, Windows Vista and XP SP3
Impact: Opening a maliciously crafted video file may lead to an unexpected application termination or arbitrary code execution
Description: A sign extension issue exists in QuickTime’s handling of image description atoms. Opening a maliciously crafted Apple video file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved validation of description atoms. Credit to Roee Hay of IBM Rational Application Security Research Group for reporting this issue.
QuickTime
CVE-ID: CVE-2009-0956
Available for: Mac OS X v10.4.11, Mac OS X v10.5.7, Windows Vista and XP SP3
Impact: Viewing a movie file with a maliciously crafted user data atom may lead to an unexpected application termination or arbitrary code execution
Description: An uninitialised memory access issue exists in QuickTime’s handling of movie files. Viewing a movie file with a zero user data atom size may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of movie files and presenting a warning dialogue to the user. Credit to Lurene Grenier of Sourcefire, Inc. (VRT) for reporting this issue.
QuickTime
CVE-ID: CVE-2009-0957
Available for: Mac OS X v10.4.11, Mac OS X v10.5.7, Windows Vista and XP SP3
Impact: Viewing a maliciously crafted JP2 image may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in QuickTime’s handling of JP2 images. Viewing a maliciously crafted JP2 image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Charlie Miller of Independent Security Evaluators and Damian Put working with TippingPoint’s Zero Day Initiative for reporting this issue.
Important: Information about products not manufactured by Apple is provided for information purposes only and does not constitute Apple’s recommendation or endorsement. Please contact the vendor for additional information.