Knowledge base

About the security content of QuickTime 7.7

Posted in Apple Mac OS

Summary

This document describes the security content of QuickTime 7.7.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see "Apple Security Updates."

Products Affected

QuickTime 7 (Windows), QuickTime 7 (OS X), Mac OS X 10.6, Mac OS X 10.5, Product Security

QuickTime 7.7

  • QuickTime

    Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows 7, Vista, XP SP2 or later

    Impact: Viewing a maliciously crafted pict file may lead to an unexpected application termination or arbitrary code execution

    Description: A buffer overflow existed in QuickTime's handling of pict files. Viewing a maliciously crafted pict file may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. This issue does not affect OS X Lion systems.

    CVE-ID

    CVE-2011-0245 : Subreption LLC working with TippingPoint's Zero Day Initiative

  • QuickTime

    Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows 7, Vista, XP SP2 or later

    Impact: Viewing a maliciously crafted JPEG2000 image with QuickTime may lead to an unexpected application termination or arbitrary code execution

    Description: Multiple memory corruption issues existed in QuickTime's handling of JPEG2000 images. Viewing a maliciously crafted JPEG2000 image with QuickTime may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.7. This issue does not affect OS X Lion systems.

    CVE-ID

    CVE-2011-0186 : Will Dormann of the CERT/CC

  • QuickTime

    Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows 7, Vista, XP SP2 or later

    Impact: Visiting a maliciously crafted website may lead to the disclosure of video data from another site

    Description: A cross-origin issue existed in QuickTime plug-in's handling of cross-site redirects. Visiting a maliciously crafted website may lead to the disclosure of video data from another site. This issue is addressed by preventing QuickTime from following cross-site redirects. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.7. This issue does not affect OS X Lion systems.

    CVE-ID

    CVE-2011-0187 : Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR)

  • QuickTime

    Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows 7, Vista, XP SP2 or later

    Impact: Playing a maliciously crafted WAV file may lead to an unexpected application termination or arbitrary code execution

    Description: An integer overflow existed in QuickTime's handling of RIFF WAV files. Playing a maliciously crafted WAV file may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. This issue does not affect OS X Lion systems.

    CVE-ID

    CVE-2011-0209 : Luigi Auriemma working with TippingPoint's Zero Day Initiative

  • QuickTime

    Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows 7, Vista, XP SP2 or later

    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

    Description: A memory corruption issue existed in QuickTime's handling of sample tables in QuickTime movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. This issue does not affect OS X Lion systems.

    CVE-ID

    CVE-2011-0210 : Honggang Ren of Fortinet's FortiGuard Labs

  • QuickTime

    Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows 7, Vista, XP SP2 or later

    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

    Description: An integer overflow existed in QuickTime's handling of audio channels in movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. This issue does not affect OS X Lion systems.

    CVE-ID

    CVE-2011-0211 : Luigi Auriemma working with TippingPoint's Zero Day Initiative

  • QuickTime

    Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows 7, Vista, XP SP2 or later

    Impact: Viewing a maliciously crafted JPEG file may lead to an unexpected application termination or arbitrary code execution

    Description: A buffer overflow existed in QuickTime's handling of JPEG files. Viewing a maliciously crafted JPEG file may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. This issue does not affect OS X Lion systems.

    CVE-ID

    CVE-2011-0213 : Luigi Auriemma working with iDefense VCP

  • QuickTime

    Available for: Windows 7, Vista, XP SP2 or later

    Impact: Viewing a maliciously crafted GIF image may lead to an unexpected application termination or arbitrary code execution

    Description: A heap buffer overflow existed in QuickTime's handling of GIF images. Viewing a maliciously crafted GIF image may lead to an unexpected application termination or arbitrary code execution. This issue does not affect Mac OS X systems.

    CVE-ID

    CVE-2011-0246 : an anonymous contributor working with Beyond Security's SecuriTeam Secure Disclosure program

  • QuickTime

    Available for: Windows 7, Vista, XP SP2 or later

    Impact: Viewing a maliciously crafted H.264 movie file may lead to an unexpected application termination or arbitrary code execution

    Description: Multiple stack buffer overflows existed in the handling of H.264 encoded movie files. Viewing a maliciously crafted H.264 movie file may lead to an unexpected application termination or arbitrary code execution. These issues do not affect Mac OS X systems.

    CVE-ID

    CVE-2011-0247 : Roi Mallo and Sherab Giovannini working with TippingPoint's Zero Day Initiative

  • QuickTime

    Available for: Windows 7, Vista, XP SP2 or later

    Impact: Visiting a maliciously crafted website using Internet Explorer may lead to an unexpected application termination or arbitrary code execution

    Description: A stack buffer overflow existed in the QuickTime ActiveX control's handling of QTL files. Visiting a maliciously crafted website using Internet Explorer may lead to an unexpected application termination or arbitrary code execution. This issue does not affect Mac OS X systems.

    CVE-ID

    CVE-2011-0248 : Chkr_d591 working with TippingPoint's Zero Day Initiative

  • QuickTime

    Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows 7, Vista, XP SP2 or later

    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

    Description: A heap buffer overflow existed in the handling of STSC atoms in QuickTime movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue does not affect OS X Lion systems.

    CVE-ID

    CVE-2011-0249 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero Day Initiative

  • QuickTime

    Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows 7, Vista, XP SP2 or later

    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

    Description: A heap buffer overflow existed in the handling of STSS atoms in QuickTime movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue does not affect OS X Lion systems.

    CVE-ID

    CVE-2011-0250 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero Day Initiative

  • QuickTime

    Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows 7, Vista, XP SP2 or later

    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

    Description: A heap buffer overflow existed in the handling of STSZ atoms in QuickTime movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue does not affect OS X Lion systems.

    CVE-ID

    CVE-2011-0251 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero Day Initiative

  • QuickTime

    Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows 7, Vista, XP SP2 or later

    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

    Description: A heap buffer overflow existed in the handling of STTS atoms in QuickTime movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue does not affect OS X Lion systems.

    CVE-ID

    CVE-2011-0252 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero Day Initiative

Important: Mention of third-party websites and products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the selection, performance or use of information or products found at third-party websites. Apple provides this only as a convenience to our users. Apple has not tested the information found on these sites and makes no representations regarding its accuracy or reliability. There are risks inherent in the use of any information or products found on the Internet, and Apple assumes no responsibility in this regard. Please understand that a third-party site is independent from Apple and that Apple has no control over the content on that website. Please contact the vendor for additional information.

One Moment Please

Thanks for rating this article

Read more http://support.apple.com/kb/HT4826