Published: 2008-06-11T10:51+00:00    Last Updated: 2008-06-11T10:51+00:00

TRTA08-162C
Apple Quicktime Updates for Multiple Vulnerabilities

Overview

Apple QuickTime contains multiple vulnerabilities as described in the Apple Knowledgebase article HT1991. Exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code or cause a denial-of-service condition.

Event Information

Date (UTC)Description
2008-06-10 20:02 US-CERT
TA08-162C: Apple Quicktime Updates for Multiple Vulnerabilities
Via US-CERT Mailing List
2008-06-10 13:11 SANS Internet Storm Center
Upgrade to QuickTime 7.5
Apple released earlier QuickTime 7.5, which a.o. fixes a number of security bugs.
2008-06-10 13:05 US-CERT
Apple Releases QuickTime 7.5
US-CERT Current Activity
Apple has released QuickTime 7.5 to address multiple vulnerabilities.
2008-06-09 Apple
Apple knowledgebase article HT1991: About the security content of QuickTime 7.5
This document describes the security content of QuickTime 7.5.
2008-05-08 Zero Day Initiative (ZDI)
ZDI-08-038: QuickTime SMIL qtnext Redirect File Execution
"file: URL" arbitrary code execution (CVE-2008-1585)
Vulnerability Reported
The specific flaw exists in the handling of SMIL text embedded in video formats. No sanity checking is performed on values of the qt:next attribute. When the URI for this attribute is a file type not recognized by QuickTime, it is passed to url.dll!FileProtocolHandler which will allow explorer.exe handle non-http filetypes. Successful exploitation can result in the execution of arbitrary code.
2008-03-10 Secunia Research
2008-9: Apple QuickTime PICT Image Parsing Buffer Overflow
PICT Image Parsing Buffer Overflow (CVE-2008-1581)
Vulnerability Reported
2008-02-07 Zero Day Initiative (ZDI)
ZDI-08-037: Apple QuickTime Indeo Video Buffer Overflow Vulnerability
Indeo Video Buffer Overflow (CVE-2008-1584)
Vulnerability Reported
The specific flaw exists within the parsing of Quicktime files that utilize the Indeo video codec. A lack of proper bounds checking withing Indeo.qtx can result in a stack based buffer overflow leading to arbitrary code execution under the context of the currently logged in user.