About the security content of QuickTime 7.6.6
This document describes the security content of QuickTime 7.6.6.
For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To find out more about Apple Product Security, see the Apple Product Security website.
For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."
Where possible, CVE IDs are used to reference the vulnerabilities for further information.
To find out more about other Security Updates, see "Apple Security Updates".
QuickTime 7.6.6
QuickTime
CVE-ID: CVE-2009-2837
Available for: Windows 7, Vista, XP SP2 or later
Impact: opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution
Description: a heap buffer overflow exists in the handling of PICT images. Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution. The issue is addressed through improved validation of PICT images. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.2, and for Mac OS X v10.5 systems it is addressed in Security Update 2009-006. Credit to Nicolas Joly of VUPEN Vulnerability Research Team for reporting this issue.
QuickTime
CVE-ID: CVE-2010-0059
Available for: Mac OS X v10.5.8, Windows 7, Vista, XP SP2 or later
Impact: playing maliciously crafted audio content may lead to an unexpected application termination or arbitrary code execution
Description: a memory corruption issue exists in the handling of QDM2 encoded audio content. Playing maliciously crafted audio content may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.3. Credit to an anonymous researcher working with TippingPoint’s Zero Day Initiative for reporting this issue.
QuickTime
CVE-ID: CVE-2010-0060
Available for: Mac OS X v10.5.8, Windows 7, Vista, XP SP2 or later
Impact: playing maliciously crafted audio content may lead to an unexpected application termination or arbitrary code execution
Description: a memory corruption issue exists in the handling of QDMC encoded audio content. Playing maliciously crafted audio content may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.3. Credit to an anonymous researcher working with TippingPoint’s Zero Day Initiative for reporting this issue.
QuickTime
CVE-ID: CVE-2010-0062
Available for: Mac OS X v10.5.8, Windows 7, Vista, XP SP2 or later
Impact: viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: a heap buffer overflow exists in the handling of H.263 encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed by performing additional validation of H.263 encoded movie files. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.3. Credit to Damian Put and an anonymous researcher working with TippingPoint’s Zero Day Initiative for reporting this issue.
QuickTime
CVE-ID: CVE-2010-0514
Available for: Mac OS X v10.5.8, Windows 7, Vista, XP SP2 or later
Impact: viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: a heap buffer overflow exists in the handling of H.261 encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed by performing additional validation of H.261 encoded movie files. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.3. Credit to Will Dormann of the CERT/CC for reporting this issue.
QuickTime
CVE-ID: CVE-2010-0515
Available for: Mac OS X v10.5.8, Windows 7, Vista, XP SP2 or later
Impact: viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: a memory corruption in the handling of H.264 encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed by performing additional validation of H.264 encoded movie files. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.3. Credit to an anonymous researcher working with TippingPoint’s Zero Day Initiative for reporting this issue.
QuickTime
CVE-ID: CVE-2010-0516
Available for: Mac OS X v10.5.8, Windows 7, Vista, XP SP2 or later
Impact: viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: a heap buffer overflow in the handling of RLE encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed by performing additional validation of RLE encoded movie files. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.3. Credit to an anonymous researcher working with TippingPoint’s Zero Day Initiative for reporting this issue.
QuickTime
CVE-ID: CVE-2010-0517
Available for: Mac OS X v10.5.8, Windows 7, Vista, XP SP2 or later
Description: A heap buffer overflow in the handling of M-JPEG encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed by performing additional validation of M-JPEG encoded movie files. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.3. Credit to Damian Put and an anonymous researcher working with TippingPoint’s Zero Day Initiative for reporting this issue.
QuickTime
CVE-ID: CVE-2010-0518
Available for: Mac OS X v10.5.8, Windows 7, Vista, XP SP2 or later
Impact: viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: a memory corruption issue exists in the handling of Sorenson encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed by performing additional validation of Sorenson encoded movie files. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.3. Credit to Will Dormann of the CERT/CC for reporting this issue.
QuickTime
CVE-ID: CVE-2010-0519
Available for: Mac OS X v10.5.8, Windows 7, Vista, XP SP2 or later
Impact: viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: an integer overflow exists in the handling of FlashPix encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.3. Credit to an anonymous researcher working with TippingPoint’s Zero Day Initiative for reporting this issue.
QuickTime
CVE-ID: CVE-2010-0520
Available for: Mac OS X v10.5.8, Windows 7, Vista, XP SP2 or later
Impact: viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: a heap buffer overflow exists in the handling of FLC encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed by performing additional validation of FLC encoded movie files. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.3. Credit to Moritz Jodeit of n.runs AG, working with TippingPoint’s Zero Day Initiative, and Nicolas Joly of VUPEN Security for reporting this issue.
QuickTime
CVE-ID: CVE-2010-0526
Available for: Mac OS X v10.5.8, Windows 7, Vista, XP SP2 or later
Impact: viewing a maliciously crafted MPEG file may lead to an unexpected application termination or arbitrary code execution
Description: a heap buffer overflow exists in the handling of MPEG encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed by performing additional validation of MPEG encoded movie files. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.3. Credit to an anonymous researcher working with TippingPoint’s Zero Day Initiative for reporting this issue.
QuickTime
CVE-ID: CVE-2010-0527
Available for: Windows 7, Vista, XP SP2
Impact: opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution
Description: an integer overflow exists in the handling of PICT images. Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of PICT images. This issue does not affect Mac OS X systems. Credit to Nicolas Joly of VUPEN Vulnerability Research Team for reporting this issue.
QuickTime
CVE-ID: CVE-2010-0528
Available for: Windows 7, Vista, XP SP2 or later
Impact: viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: a memory corruption exists in the handling of colour tables in movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed by performing additional validation of colour tables. This issue does not affect Mac OS X systems. Credit to an anonymous researcher working with TippingPoint's Zero Day Initiative for reporting this issue.
QuickTime
CVE-ID: CVE-2010-0529
Available for: Windows 7, Vista, XP SP2 or later
Impact: opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution
Description: a heap buffer overflow exists in the handling of PICT images. Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of PICT images. This issue does not affect Mac OS X systems. Credit to Damian Put working with TippingPoint’s Zero Day Initiative for reporting this issue.
QuickTime
CVE-ID: CVE-2010-0536
Available for: Windows 7, Vista, XP SP2 or later
Impact: opening a maliciously crafted BMP image may lead to an unexpected application termination or arbitrary code execution
Description: a memory corruption issue exists in the handling of BMP images. Opening a maliciously crafted BMP image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of BMP images. This issue does not affect Mac OS X systems. Credit to SkyLined of Google, Inc. for reporting this issue.
Important: Information about products not manufactured by Apple is provided for information purposes only and does not constitute Apple’s recommendation or endorsement. Please contact the vendor for additional information.