About the security content of QuickTime 7.4

This document describes the security content of QuickTime 7.4, which can be downloaded and installed via Software Update preferences, or from Apple Downloads.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see "Apple Security Updates."

QuickTime 7.4

QuickTime

CVE-ID: CVE-2008-0031

Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2

Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution.

Description: A memory corruption issue exists in QuickTime's handling of Sorenson 3 video files. This may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of Sorenson 3 video files. Credit to Joe Schottman of Virginia Tech for reporting this issue.

QuickTime

CVE-ID: CVE-2008-0032

Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2

Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution.

Description: A memory corruption issue exists in QuickTime's handling of Macintosh Resource records in movie files. Opening a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of movie files. Credit to Jun Mao of VeriSign iDefense Labs for reporting this issue.

QuickTime

CVE-ID: CVE-2008-0033

Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2

Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution.

Description: A memory corruption issue exists in QuickTime's parsing of Image Descriptor (IDSC) atoms. Opening a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of Image Descriptor atoms in movie files. Credit to Cody Pierce of TippingPoint DVLabs for reporting this issue.

QuickTime

CVE-ID: CVE-2008-0036

Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2

Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution.

Description: A buffer overflow may occur while processing a compressed PICT image. Opening a maliciously crafted compressed PICT file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by terminating decoding when the result would extend beyond the end of the destination buffer. Credit to Chris Ries of Carnegie Mellon University Computing Services for reporting this issue.