Published: 2008-04-14T11:20+00:00
Last Updated: 2008-04-14T11:20+00:00
TRTA08-094A
Apple Updates for Multiple Vulnerabilities
Overview
Apple QuickTime contains multiple vulnerabilities as described in the Apple Knowledgebase article HT1241. Exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code or cause a denial-of-service condition.
Event Information
| Date (UTC) | Description |
| 2008-04-04 00:54 |
US-CERT Apple Releases QuickTime 7.4.5 US-CERT Current Activity Apple has released QuickTime 7.4.5 to address multiple vulnerabilities. These vulnerabilities may allow a remote attacker to execute arbitrary code or obtain sensitive information. |
| 2008-04-03 19:54 |
US-CERT TA08-094A: Apple Updates for Multiple Vulnerabilities Via US-CERT Mailing List |
| 2008-04-03 12:14 |
SANS Internet Storm Center A bag of vulnerabilities (and fixes) in QuickTime Apple released QuickTime version 7.4.5 which addresses 11 vulnerabilities. Vulnerabilities range from denial of service attacks, information leaks to (of course) remote code execution. |
| 2008-04-03 |
Apple Apple knowledgebase article HT1241: About the security content of QuickTime 7.4.5 This document describes the security content of QuickTime 7.4.5. |
| 2008-02-07 |
Zero Day Initiative (ZDI) ZDI-08-017: Apple QuickTime Kodak Encoding Heap Overflow Vulnerability Kodak Encoding Heap Overflow Vulnerability (CVE-2008-1020) Vulnerability Reported The specific flaw exists within the quicktime.qts library responsible for parsing Kodak encoded images. A lack of proper error checking can result in a heap based buffer overflow leading to arbitrary code execution under the context of the currently logged in user. |
| 2008-02-07 |
Zero Day Initiative (ZDI) ZDI-08-016: Apple QuickTime MP4A Atom Parsing Heap Corruption Vulnerability MP4A Atom Parsing Heap Overflow Vulnerability (CVE-2008-1018) Vulnerability Reported The specific flaw exists in the parsing of the QuickTime Channel Compositor atom. When the movie file contains a malformed 'chan' atom, a heap corruption occurs resulting in the execution of arbitrary code. |
| 2008-02-07 |
Zero Day Initiative (ZDI) ZDI-08-015: Apple QuickTime Clipping Region Heap Overflow Vulnerability Clipping Region Heap Overflow Vulnerability (CVE-2008-1017) Vulnerability Reported The specific flaw exists within the quicktime.qts library. The vulnerability resides in the component's parsing of 'crgn' atoms. A lack of proper sanity checks on the region size field can result in a heap based buffer overflow leading to arbitrary code execution under the context of the currently logged in user. |
| 2008-02-07 |
Zero Day Initiative (ZDI) ZDI-08-014: Apple Quicktime Multiple Opcode Memory Corruption Vulnerabilities Opcode Memory Corruption Vulnerabilities (CVE-2008-1019) Vulnerability Reported The specific flaw exists in the quickTime.qts while parsing corrupted .pict files. The module contains a vulnerable memory copy loop which searches for a terminator value. When this value is changed or omitted, a heap corruption occurs allowing the execution of arbitrary code. |
| 2008-02-07 |
Zero Day Initiative (ZDI) ZDI-08-019: Apple QuickTime Malformed VR obji Atom Parsing Memory Corruption Vulnerability obji Atom Parsing Memory Corruption Vulnerability (CVE-2008-1022) Vulnerability Reported The specific flaw exists in the parsing of the QuickTime VR 'obji' atom. When the size of the atom is set to 0, a stack overflow condition occurs resulting in the execution of arbitrary code. |
| 2008-02-07 |
Zero Day Initiative (ZDI) ZDI-08-018: Apple QuickTime Run Length Encoding Heap Overflow Vulnerability Run Length Encoding Heap Overflow Vulnerability (CVE-2008-1021) Vulnerability Reported The specific flaw exists within the parsing of QuickTime files that utilize the Animation codec. A lack of proper length checks can result in a heap based buffer overflow leading to arbitrary code execution under the context of the currently logged in user. |