Category:   Application (Multimedia)  >   Apple QuickTime
Vendors:   Apple
Apple QuickTime Stack Overflow in Error Logging Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1024336
SecurityTracker URL:  http://securitytracker.com/id/1024336
CVE Reference:   CVE-2010-1799
Date:  Aug 13 2010
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 7.6.7
Description:   A vulnerability was reported in Apple QuickTime on Windows. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create a specially crafted movie file that, when loaded by the target user, will trigger a stack buffer overflow in QuickTime's error logging and execute arbitrary code on the target system. The code will run with the privileges of the target user.

Mac OS X systems are not affected.

Impact:   A remote user can create a movie file that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution:   The vendor has issued a fix (7.6.7), available at:

http://www.apple.com/quicktime/download/

The vendor's advisory is available at:

http://support.apple.com/kb/HT4290

Vendor URL:  support.apple.com/kb/HT4290
Cause:   Boundary error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  APPLE-SA-2010-08-12-1 QuickTime 7.6.7

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2010-08-12-1 QuickTime 7.6.7

QuickTime 7.6.7 is now available and addresses the following:

QuickTime
CVE-ID:  CVE-2010-1799
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A stack buffer overflow exists in QuickTime's error
logging. Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed by disabling debug logging. This issue does not
affect Mac OS X systems.


QuickTime 7.6.7 may be obtained from the Software Update
application, or from the QuickTime Downloads site:
http://www.apple.com/quicktime/download/

For Windows 7 / Vista / XP SP2 or later
The download file is named: "QuickTimeInstaller.exe"
Its SHA-1 digest is: 38a132fe1969e617f33c00ebae3ce34a7695113f

QuickTime 7.6.7 is not presented to Mac OS X systems.

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

