Published: 2008-04-14T11:20+00:00    Last Updated: 2008-04-14T11:20+00:00

TRTA08-094A
Apple Updates for Multiple Vulnerabilities

Overview

Apple QuickTime contains multiple vulnerabilities as described in the Apple Knowledgebase article HT1241. Exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code or cause a denial-of-service condition.

Event Information

Date (UTC)Description
2008-04-04 00:54 US-CERT
Apple Releases QuickTime 7.4.5
US-CERT Current Activity
Apple has released QuickTime 7.4.5 to address multiple vulnerabilities. These vulnerabilities may allow a remote attacker to execute arbitrary code or obtain sensitive information.
2008-04-03 19:54 US-CERT
TA08-094A: Apple Updates for Multiple Vulnerabilities
Via US-CERT Mailing List
2008-04-03 12:14 SANS Internet Storm Center
A bag of vulnerabilities (and fixes) in QuickTime
Apple released QuickTime version 7.4.5 which addresses 11 vulnerabilities. Vulnerabilities range from denial of service attacks, information leaks to (of course) remote code execution.
2008-04-03 Apple
Apple knowledgebase article HT1241: About the security content of QuickTime 7.4.5
This document describes the security content of QuickTime 7.4.5.
2008-02-07 Zero Day Initiative (ZDI)
ZDI-08-017: Apple QuickTime Kodak Encoding Heap Overflow Vulnerability
Kodak Encoding Heap Overflow Vulnerability (CVE-2008-1020)
Vulnerability Reported
The specific flaw exists within the quicktime.qts library responsible for parsing Kodak encoded images. A lack of proper error checking can result in a heap based buffer overflow leading to arbitrary code execution under the context of the currently logged in user.
2008-02-07 Zero Day Initiative (ZDI)
ZDI-08-016: Apple QuickTime MP4A Atom Parsing Heap Corruption Vulnerability
MP4A Atom Parsing Heap Overflow Vulnerability (CVE-2008-1018)
Vulnerability Reported
The specific flaw exists in the parsing of the QuickTime Channel Compositor atom. When the movie file contains a malformed 'chan' atom, a heap corruption occurs resulting in the execution of arbitrary code.
2008-02-07 Zero Day Initiative (ZDI)
ZDI-08-015: Apple QuickTime Clipping Region Heap Overflow Vulnerability
Clipping Region Heap Overflow Vulnerability (CVE-2008-1017)
Vulnerability Reported
The specific flaw exists within the quicktime.qts library. The vulnerability resides in the component's parsing of 'crgn' atoms. A lack of proper sanity checks on the region size field can result in a heap based buffer overflow leading to arbitrary code execution under the context of the currently logged in user.
2008-02-07 Zero Day Initiative (ZDI)
ZDI-08-014: Apple Quicktime Multiple Opcode Memory Corruption Vulnerabilities
Opcode Memory Corruption Vulnerabilities (CVE-2008-1019)
Vulnerability Reported
The specific flaw exists in the quickTime.qts while parsing corrupted .pict files. The module contains a vulnerable memory copy loop which searches for a terminator value. When this value is changed or omitted, a heap corruption occurs allowing the execution of arbitrary code.
2008-02-07 Zero Day Initiative (ZDI)
ZDI-08-019: Apple QuickTime Malformed VR obji Atom Parsing Memory Corruption Vulnerability
obji Atom Parsing Memory Corruption Vulnerability (CVE-2008-1022)
Vulnerability Reported
The specific flaw exists in the parsing of the QuickTime VR 'obji' atom. When the size of the atom is set to 0, a stack overflow condition occurs resulting in the execution of arbitrary code.
2008-02-07 Zero Day Initiative (ZDI)
ZDI-08-018: Apple QuickTime Run Length Encoding Heap Overflow Vulnerability
Run Length Encoding Heap Overflow Vulnerability (CVE-2008-1021)
Vulnerability Reported
The specific flaw exists within the parsing of QuickTime files that utilize the Animation codec. A lack of proper length checks can result in a heap based buffer overflow leading to arbitrary code execution under the context of the currently logged in user.