Apple QuickTime Stack Overflow in Error Logging Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1024336
SecurityTracker URL: http://securitytracker.com/id/1024336
Date: Aug 13 2010
Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): prior to 7.6.7
A vulnerability was reported in Apple QuickTime on Windows. A remote user can cause arbitrary code to be executed on the target user's system.
A remote user can create a specially crafted movie file that, when loaded by the target user, will trigger a stack overflow in QuickTime's error logging and execute arbitrary code on the target system. The code will run with the privileges of the target user.
Mac OS X systems are not affected.
A remote user can create a movie file that, when loaded by the target user, will execute arbitrary code on the target user's system.
The vendor has issued a fix (7.6.7), available at:
The vendor's advisory is available at:
Vendor URL: support.apple.com/kb/HT4290
Underlying OS: Windows (Any)
Source Message Contents
Subject: APPLE-SA-2010-08-12-1 QuickTime 7.6.7
APPLE-SA-2010-08-12-1 QuickTime 7.6.7
QuickTime 7.6.7 is now available and addresses the following:
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A stack buffer overflow exists in QuickTime's error
logging. Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed by disabling debug logging. This issue does not
affect Mac OS X systems.
QuickTime 7.6.7 may be obtained from the Software Update
application, or from the QuickTime Downloads site:
For Windows 7 / Vista / XP SP2 or later
The download file is named: "QuickTimeInstaller.exe"
Its SHA-1 digest is: 38a132fe1969e617f33c00ebae3ce34a7695113f
QuickTime 7.6.7 is not presented to Mac OS X systems.
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
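The bug class named in the advisory, a stack buffer overflow in an error-logging path, shown as an added C example. It is not Apple's or QuickTime's code, whose internals the advisory does not describe: it contrasts an unbounded `sprintf` into a fixed stack buffer with a bounded `vsnprintf` logger. The function names, the 128-byte buffer size and the message format are assumptions for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_LINE_MAX 128  /* assumed size; the advisory gives no buffer size */

/* Vulnerable pattern (shown for contrast, never called here): the formatted
 * length depends on file content, but sprintf() writes with no bound. */
void log_error_unsafe(FILE *sink, const char *field_from_file)
{
    char line[LOG_LINE_MAX];
    sprintf(line, "error: cannot parse '%s'", field_from_file);
    fputs(line, sink);
}

/* Hardened pattern: vsnprintf() bounds the write, and truncation is detected
 * from its return value and marked with "..." at the end of the line.
 * Returns 0 if the message fit, 1 if it was truncated, -1 on error. */
int log_error_safe(char *out, size_t out_len, const char *fmt, ...)
{
    va_list ap;
    int needed;

    if (out == NULL || out_len < 4)
        return -1;
    va_start(ap, fmt);
    needed = vsnprintf(out, out_len, fmt, ap);
    va_end(ap);
    if (needed < 0) { out[0] = '\0'; return -1; }
    if ((size_t)needed >= out_len) {
        memcpy(out + out_len - 4, "...", 4);  /* 3 dots plus the NUL */
        return 1;
    }
    return 0;
}

int main(void)
{
    char line[LOG_LINE_MAX];
    char hostile[1024];  /* constructed stand-in for an oversized file field */
    memset(hostile, 'A', sizeof hostile - 1);
    hostile[sizeof hostile - 1] = '\0';
    int rc = log_error_safe(line, sizeof line, "error: cannot parse '%s'", hostile);
    printf("rc=%d logged_len=%zu\n", rc, strlen(line));
    return 0;
}
```

The vendor's fix described above removes the logging path entirely by disabling debug logging; bounding the write is the general remedy for the same class of defect where the log output is still needed.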