November 6, 2007 10:24 AM PST

Apple fixes seven QuickTime flaws

Apple on Monday released QuickTime version 7.3, addressing seven security vulnerabilities in QuickTime 7.2 and earlier. Some of the flaws are serious and can be exploited by luring a victim to a Web site that contains a maliciously crafted image or movie. Patches are available for both Mac OS X and Windows. A month ago, Apple patched another serious flaw in QuickTime for Windows. The latest version is available through QuickTime's built-in software update feature or from the Apple Downloads site.

QuickTime (image description)
This patch affects users of QuickTime 7.2 on Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5, Windows Vista, and Windows XP SP2, and addresses the vulnerability in CVE-2007-2395. According to Apple, "a memory corruption issue exists in QuickTime's handling of image description atoms. By enticing a user to open a maliciously crafted movie file, an attacker may cause an unexpected application termination or arbitrary code execution." Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. Apple credits Dylan Ashe of Adobe Systems for reporting this vulnerability.

QuickTime (Sample Table Sample Descriptor (STSD))
This patch affects users of QuickTime 7.2 on Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5, Windows Vista, and Windows XP SP2, and addresses the vulnerability in CVE-2007-3750. Apple says "a heap buffer overflow exists in QuickTime Player's handling of Sample Table Sample Descriptor (STSD) atoms. By enticing a user to open a maliciously crafted movie file, an attacker may cause an unexpected application termination or arbitrary code execution." Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. Apple credits Tobias Klein of www.trapkit.de for reporting this vulnerability.

QuickTime (Java)
This patch affects users of QuickTime 7.2 on Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5, Windows Vista, and Windows XP SP2, and addresses the vulnerability in CVE-2007-3751. According to Apple, "multiple vulnerabilities exist in QuickTime for Java, which may allow untrusted Java applets to obtain elevated privileges. By enticing a user to visit a Web page containing a maliciously crafted Java applet, an attacker may cause the disclosure of sensitive information and arbitrary code execution with elevated privileges." Untrusted Java applets may obtain elevated privileges. Apple credits Adam Gowdiak for reporting this issue.

QuickTime (PICT image processing I)
This patch affects users of QuickTime 7.2 on Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5, Windows Vista, and Windows XP SP2, and addresses the vulnerability in CVE-2007-4672. Apple says "a stack buffer overflow exists in PICT image processing. By enticing a user to open a maliciously crafted image, an attacker may cause an unexpected application termination or arbitrary code execution." A user opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution. Apple credits Ruben Santamarta of ReverseMode.com working with TippingPoint and the Zero Day Initiative for reporting this issue.

QuickTime (PICT image processing II)
This patch affects users of QuickTime 7.2 on Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5, Windows Vista, and Windows XP SP2, and addresses the vulnerability in CVE-2007-4676. According to Apple, "a heap buffer overflow exists in PICT image processing. By enticing a user to open a maliciously crafted image, an attacker may cause an unexpected application termination or arbitrary code execution." A user opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution. Apple credits Ruben Santamarta of ReverseMode.com working with TippingPoint and the Zero Day Initiative for reporting this issue.

QuickTime (QTVR)
This patch affects users of QuickTime 7.2 on Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5, Windows Vista, and Windows XP SP2, and addresses the vulnerability in CVE-2007-4675. Apple says "a heap buffer overflow exists in QuickTime's handling of panorama sample atoms in QTVR (QuickTime Virtual Reality) movie files. By enticing a user to view a maliciously crafted QTVR file, an attacker may cause an unexpected application termination or arbitrary code execution." Viewing a maliciously crafted QTVR movie file may lead to an unexpected application termination or arbitrary code execution. Apple credits Mario Ballano from 48Bits.com working with the VeriSign iDefense VCP for reporting this issue.

QuickTime (color table)
This patch affects users of QuickTime 7.2 on Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5, Windows Vista, and Windows XP SP2, and addresses the vulnerability in CVE-2007-4677. According to Apple, "a heap buffer overflow exists in the parsing of the color table atom when opening a movie file. By enticing a user to open a maliciously crafted movie file, an attacker may cause an unexpected application termination or arbitrary code execution." Apple credits Ruben Santamarta of ReverseMode.com and Mario Ballano of 48Bits.com working with TippingPoint and the Zero Day Initiative for reporting this issue.
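Several of the flaws above (the STSD, color table and QTVR panorama sample entries) are heap buffer overflows in the parsing of QuickTime atoms, where a length field read from the file is trusted when copying or allocating. As an added example that is neither Apple's code nor part of the original article, the C below walks a buffer of QuickTime-style atoms (4-byte big-endian size, 4-byte type, optional 8-byte extended size) and shows the two checks such a parser must make before using a declared size: it must be at least as large as its own header, and it must not extend past the data actually present. The sample buffers are constructed for the example; the function names are the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Bounds-checked atom-header walker (constructed example, not Apple's code). */

#define ATOM_HEADER_LEN 8

typedef struct {
    uint32_t type;    /* four-character code, e.g. 'stsd' */
    uint64_t size;    /* total atom size including its header */
    size_t   offset;  /* where the atom starts in the buffer */
} atom_t;

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static uint64_t rd64(const uint8_t *p) {
    return ((uint64_t)rd32(p) << 32) | rd32(p + 4);
}

/* Parse the atom header at buf[off]. Returns 0 on success, -1 if the header
 * does not fit or the declared size is inconsistent with the buffer. */
int parse_atom(const uint8_t *buf, size_t len, size_t off, atom_t *out) {
    if (off > len || len - off < ATOM_HEADER_LEN) return -1;  /* no room for a header */
    uint64_t size = rd32(buf + off);
    uint32_t type = rd32(buf + off + 4);
    size_t hdr = ATOM_HEADER_LEN;
    if (size == 0) {
        size = len - off;                   /* size 0: atom extends to end of data */
    } else if (size == 1) {
        if (len - off < 16) return -1;      /* extended size needs 16 header bytes */
        size = rd64(buf + off + 8);
        hdr = 16;
    }
    /* Check 1: size covers its own header (otherwise a later payload length
     * computed as size - hdr underflows). Check 2: size stays inside the data.
     * Comparing against (len - off) instead of computing off + size avoids
     * integer overflow in the check itself. */
    if (size < hdr || size > (uint64_t)(len - off)) return -1;
    out->type = type; out->size = size; out->offset = off;
    return 0;
}

/* Walk consecutive top-level atoms; returns their count, or -1 on the first
 * malformed atom. Because every accepted size is >= 8, the loop always advances. */
int count_atoms(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int n = 0;
    while (off < len) {
        atom_t a;
        if (parse_atom(buf, len, off, &a) != 0) return -1;
        off += (size_t)a.size;
        n++;
    }
    return n;
}

/* Constructed sample buffers. */
static const uint8_t sample_good[] = {      /* 'ftyp' (16 bytes) then 'moov' (8 bytes) */
    0,0,0,16, 'f','t','y','p', 'q','t',' ',' ', 0,0,0,0,
    0,0,0,8,  'm','o','o','v' };
static const uint8_t sample_oversized[] = { /* claims 256 bytes, only 12 present */
    0,0,1,0, 's','t','s','d', 0,0,0,0 };
static const uint8_t sample_undersized[] = { /* claims 4 bytes, smaller than its header */
    0,0,0,4, 's','t','s','d' };
static const uint8_t sample_extended[] = {  /* size==1, 64-bit size 20, 4-byte payload */
    0,0,0,1, 'm','d','a','t', 0,0,0,0,0,0,0,20, 0,0,0,0 };

int demo_good(void)       { return count_atoms(sample_good, sizeof sample_good); }
int demo_oversized(void)  { return count_atoms(sample_oversized, sizeof sample_oversized); }
int demo_undersized(void) { return count_atoms(sample_undersized, sizeof sample_undersized); }
int demo_extended(void)   { return count_atoms(sample_extended, sizeof sample_extended); }

int main(void) {
    printf("good: %d, oversized: %d, undersized: %d, extended: %d\n",
           demo_good(), demo_oversized(), demo_undersized(), demo_extended());
    return 0;
}
```

The same two checks apply one level down: a sample description or color table entry count read from inside an atom must be multiplied by the entry size and compared against the atom's remaining payload before anything is allocated or copied.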

1 comment

God forgive if it was Windows Media!!!
by FutureGuy November 6, 2007 12:50 PM PST
The discussion threads would have stretched for pages.