Published: 2009-01-25T12:12+00:00    Last Updated: 2009-01-25T12:12+00:00

JVNTR-2009-04
Apple QuickTime Updates for Multiple Vulnerabilities (TA09-022A)

Overview

Apple has released QuickTime 7.6 to correct multiple vulnerabilities affecting QuickTime for Mac OS X and Windows. Attackers may be able to exploit these vulnerabilities to execute arbitrary code or cause a denial of service.

Event Information


Date (UTC)Description
2009-06-21 19:12 US-CERT
Apple Releases QuickTime 7.6
US-CERT Current Activity
Apple has released QuickTime 7.6, for both Windows and Mac OS X systems, to address multiple vulnerabilities. These vulnerabilities may allow a remote attacker to execute arbitrary code or cause a denial-of-service condition.
2009-01-22 22:47 US-CERT
TA09-022A: Apple QuickTime Updates for Multiple Vulnerabilities
Via US-CERT Mailing List
2009-01-21 Apple
Apple knowledgebase article HT3403: About the security content of QuickTime 7.6
This document describes the security content of QuickTime 7.6.
2008-10-15 Zero Day Initiative (ZDI)
ZDI-09-006: Apple QuickTime AVI Header nBlockAlign Heap Corruption Vulnerability
Vulnerability Reported (CVE-2009-0003)
The specific flaw exists within the parsing of AVI files. When the AVI header contains a malformed nBlockAlign value in the _WAVEFORMATEX structure, a heap overflow may occur which can be leveraged to execute arbitrary code under the context of the current user.
2008-09-16 Zero Day Initiative (ZDI)
ZDI-09-005: Apple QuickTime VR Track Header Atom Heap Corruption Vulnerability
Vulnerability Reported (CVE-2009-0002)
The specific flaw exists within the parsing of 'tkhd' atoms found inside QuickTimeVR files. Improper validation of the transform matrix data results in a heap chunk header overwrite leading to arbitrary code execution under the context of the currently logged in user.
2008-06-25 Zero Day Initiative (ZDI)
ZDI-09-008: Apple QuickTime STSD JPEG Atom Heap Corruption Vulnerability
Vulnerability Reported (CVE-2009-0007)
The specific flaw exists in the handling of JPEG atoms embedded in STSD atoms within the function JPEG_DComponentDispatch(). When the image width data in this atom is modified, a heap corruption occurs which can be further leveraged to execute arbitrary code under the context of the current user.
2008-06-23 Zero Day Initiative (ZDI)
ZDI-09-007: Apple QuickTime Cinepak Codec MDAT Heap Corruption Vulnerability
Vulnerability Reported (CVE-2009-0006)
The specific flaw exists in the handling of movie data encoded using the Cinepak Video Codec. When parsing the data in the MDAT atom, there exists a signedness error which leads to a heap overflow. When this occurs it can be further leveraged to execute arbitrary code under the context of the current user.