SecurityTracker.com

Category:   Application (Multimedia)  >   Apple QuickTime
Vendors:   Apple
QuickTime Buffer Overflow in Processing Data Reference Atoms Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1019759
SecurityTracker URL:  http://securitytracker.com/id/1019759
CVE Reference:   CVE-2008-1015
Date:  Apr 3 2008
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 7.4.5
Description:   A vulnerability was reported in QuickTime in the processing of movie files. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create a movie file with specially crafted data reference atoms that, when loaded by the target user, will trigger a buffer overflow and execute arbitrary code on the target system. The code will run with the privileges of the target user.

Chris Ries of Carnegie Mellon University Computing Services reported this vulnerability.

Impact:   A remote user can create a movie file that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution:   The vendor has issued a fixed version (7.4.5), available from the Software Update application, or from the Apple Downloads site at:

http://www.apple.com/support/downloads/

For Mac OS X v10.5 or later
The download file is named: "QuickTime745Leopard.dmg"
Its SHA-1 digest is: 764ec0031f18ef999a95c6b20f417f8d2c05a10f

For Mac OS X v10.4.9 through Mac OS X v10.4.11
The download file is named: "QuickTime745Tiger.dmg"
Its SHA-1 digest is: 60c9b3e205e4995324dc53b2a4500318fc994e6b

For Mac OS X v10.3.9
The download file is named: "QuickTime745Panther.dmg"
Its SHA-1 digest is: 2b3230fbb4dcd1436bf8856b87281915a654f821

For Windows Vista / XP SP2
The download file is named: "QuickTimeInstaller.exe"
Its SHA-1 digest is: 4e507f48610f9a65be18b2c37ceead18da2d4c03

QuickTime with iTunes for Windows XP or Vista
The download file is named: "iTunesSetup.exe"
Its SHA-1 digest is: ff2a3c234d164f30f8b1d05297a49a55f3f4e8c0

The vendor's advisory is available at:

http://support.apple.com/kb/HT1232

Vendor URL:  support.apple.com/kb/HT1232
Cause:   Boundary error
Underlying OS:  UNIX (macOS/OS X), Windows (Vista), Windows (XP)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jul 10 2008 (Apple Issues Fix for Apple TV) QuickTime Buffer Overflow in Processing Data Reference Atoms Lets Remote Users Execute Arbitrary Code
Apple has released a fix for Apple TV.



 Source Message Contents



[Original Message Not Available for Viewing]



Copyright 2019, SecurityGlobal.net LLC