Category:   Application (Multimedia)  >   Apple QuickTime
Vendors:   Apple
QuickTime Buffer Overflows in Processing Multiple Media Formats Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1022314
SecurityTracker URL:  http://securitytracker.com/id/1022314
CVE Reference:   CVE-2009-0185, CVE-2009-0188, CVE-2009-0951, CVE-2009-0952, CVE-2009-0953, CVE-2009-0954, CVE-2009-0955, CVE-2009-0956, CVE-2009-0957
Date:  Jun 2 2009
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 7.6.2
Description:   Multiple vulnerabilities were reported in QuickTime. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create a specially crafted media file that, when loaded by the target user, will execute arbitrary code on the target system. The code will run with the privileges of the target user.

A movie file with specially crafted MS ADPCM-encoded audio data can trigger a heap overflow [CVE-2009-0185]. Alin Rad Pop of Secunia Research reported this vulnerability.

A specially crafted Sorenson 3 video file can trigger a memory corruption bug [CVE-2009-0188]. Carsten Eiram of Secunia Research reported this vulnerability.

A specially crafted FLC compression file can trigger a heap overflow [CVE-2009-0951]. An anonymous researcher reported this vulnerability via TippingPoint.

A specially crafted compressed PSD image can trigger a buffer overflow [CVE-2009-0952]. Damian Put reported this vulnerability via TippingPoint.

A specially crafted PICT image can trigger a heap overflow [CVE-2009-0953]. Sebastian Apelt reported this vulnerability via TippingPoint.

A movie file with specially crafted Clipping Region (CRGN) atom types can trigger a heap overflow [CVE-2009-0954]. An anonymous researcher reported this vulnerability via TippingPoint.

A movie file with specially crafted image description atoms can trigger a sign extension bug [CVE-2009-0955]. Roee Hay of IBM Rational Application Security Research Group reported this vulnerability.

A movie file with a specially crafted user data atom can trigger code execution [CVE-2009-0956]. Lurene Grenier of Sourcefire, Inc. (VRT) reported this vulnerability.

A specially crafted JP2 image can trigger a heap overflow [CVE-2009-0957]. Charlie Miller of Independent Security Evaluators and Damian Put (via TippingPoint) reported this vulnerability.

Impact:   A remote user can create a file that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution:   The vendor has issued a fix (7.6.2), available from the Software Update application, or from the QuickTime Downloads site at:

http://www.apple.com/quicktime/download/

For Mac OS X v10.5.7
The download file is named: "QuickTime762_Leopard.dmg"
Its SHA-1 digest is: 9484ba3e41638935625b7eb338f0b31298f1f973

For Mac OS X v10.4.11
The download file is named: "QuickTime762_Tiger.dmg"
Its SHA-1 digest is: 74b1c170907dc402c6855b37cfe1a3432a10a92f

For Windows Vista / XP SP3
The download file is named: "QuickTimeInstaller.exe"
Its SHA-1 digest is: f8ba0b1ef3cf5a0317ea28b31db71e79c63e48b8

QuickTime with iTunes for Windows 32-bit XP or Vista
The download file is named: "iTunesSetup.exe"
Its SHA-1 digest is: 16f5b1e787b36aece842ea5ae80bfc6bf2b32b19

QuickTime with iTunes for Windows 64-bit Vista
The download file is named: "iTunes64Setup.exe"
Its SHA-1 digest is: b8739f847f2b66835f4f4b542b3308de96d418ed
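
The digests listed above can be checked mechanically before an installer is run. The following is an added example, not part of the SecurityTracker entry or Apple's advisory: it parses the digest lines as quoted here and compares them with the SHA-1 of the files in a download folder. The function names and the folder argument are assumptions of the example.

```python
import hashlib
import re
import sys
from pathlib import Path

# Added example: function names and the folder argument are illustrative.
# Digest lines as published in the advisory's Solution section.
ADVISORY_TEXT = '''
The download file is named: "QuickTime762_Leopard.dmg"
Its SHA-1 digest is: 9484ba3e41638935625b7eb338f0b31298f1f973
The download file is named: "QuickTime762_Tiger.dmg"
Its SHA-1 digest is: 74b1c170907dc402c6855b37cfe1a3432a10a92f
The download file is named: "QuickTimeInstaller.exe"
Its SHA-1 digest is: f8ba0b1ef3cf5a0317ea28b31db71e79c63e48b8
The download file is named: "iTunesSetup.exe"
Its SHA-1 digest is: 16f5b1e787b36aece842ea5ae80bfc6bf2b32b19
The download file is named: "iTunes64Setup.exe"
Its SHA-1 digest is: b8739f847f2b66835f4f4b542b3308de96d418ed
'''
PAIR = re.compile(r'named:\s*"([^"]+)"\s+Its SHA-1 digest is:\s*([0-9a-fA-F]{40})\b')

def parse_digests(text):
    """Return {file name: lowercase SHA-1 hex} from advisory text."""
    return {name: digest.lower() for name, digest in PAIR.findall(text)}

def sha1_of(path, chunk=1 << 20):
    """Hash the file in chunks so large installers are not read into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check_downloads(directory, expected):
    """Map each expected file name to 'ok', 'MISMATCH' or 'missing'."""
    results = {}
    for name, digest in expected.items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "missing"
        else:
            results[name] = "ok" if sha1_of(path) == digest else "MISMATCH"
    return results

if __name__ == "__main__":
    folder = sys.argv[1] if len(sys.argv) > 1 else "."
    report = check_downloads(folder, parse_digests(ADVISORY_TEXT))
    print("\n".join(f"{status:9} {name}" for name, status in report.items()))
    sys.exit(1 if "MISMATCH" in report.values() else 0)
```

A file reported as MISMATCH should be discarded and downloaded again from the vendor site; "missing" only means that installer was not found in the folder.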

The vendor's advisory is available at:

http://support.apple.com/kb/HT3591

Vendor URL:  support.apple.com/kb/HT3591
Cause:   Boundary error
Underlying OS:  UNIX (macOS/OS X), Windows (Vista), Windows (XP)

Message History:   None.


 Source Message Contents

Subject:  APPLE-SA-2009-06-01-1 QuickTime 7.6.2

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2009-06-01-1 QuickTime 7.6.2

QuickTime 7.6.2 is now available and addresses the following:

QuickTime
CVE-ID:  CVE-2009-0188
Available for:  Mac OS X v10.4.11, Mac OS X v10.5.7,
Windows Vista and XP SP3
Impact:  Opening a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue exists in QuickTime's
handling of Sorenson 3 video files. This may lead to an unexpected
application termination or arbitrary code execution. This update
addresses the issue by performing additional validation of Sorenson 3
video files. Credit to Carsten Eiram of Secunia Research for
reporting this issue.

QuickTime
CVE-ID:  CVE-2009-0951
Available for:  Mac OS X v10.4.11, Mac OS X v10.5.7,
Windows Vista and XP SP3
Impact:  Opening a maliciously crafted FLC compression file may lead
to an unexpected application termination or arbitrary code execution
Description:  A heap buffer overflow exists in the handling of FLC
compression files. Opening a maliciously crafted FLC compression file
may lead to an unexpected application termination or arbitrary code
execution. This update addresses the issue through improved bounds
checking. Credit to an anonymous researcher working with
TippingPoint's Zero Day Initiative for reporting this issue.

QuickTime
CVE-ID:  CVE-2009-0952
Available for:  Mac OS X v10.4.11, Mac OS X v10.5.7,
Windows Vista and XP SP3
Impact:  Viewing a maliciously crafted PSD image may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow may occur while processing a
compressed PSD image. Opening a maliciously crafted compressed PSD
file may lead to an unexpected application termination or arbitrary
code execution. This update addresses the issue through improved
bounds checking. Credit to Damian Put working with TippingPoint's
Zero Day Initiative for reporting this issue.

QuickTime
CVE-ID:  CVE-2009-0010
Available for:  Windows Vista and XP SP3
Impact:  Opening a maliciously crafted PICT image may lead to an
unexpected application termination or arbitrary code execution
Description:  An integer underflow in QuickTime's handling of PICT
images may result in a heap buffer overflow. Opening a maliciously
crafted PICT file may lead to an unexpected application termination
or arbitrary code execution. This update addresses the issue by
performing additional validation of PICT images. Credit to Sebastian
Apelt working with TippingPoint's Zero Day Initiative, and Chris Ries
of Carnegie Mellon University Computing Services for reporting this
issue.

QuickTime
CVE-ID:  CVE-2009-0953
Available for:  Mac OS X v10.4.11, Mac OS X v10.5.7,
Windows Vista and XP SP3
Impact:  Opening a maliciously crafted PICT image may lead to an
unexpected application termination or arbitrary code execution
Description:  A heap buffer overflow exists in QuickTime's handling
of PICT images. Opening a maliciously crafted PICT file may lead to
an unexpected application termination or arbitrary code execution.
This update addresses the issue by performing additional validation
of PICT images. Credit to Sebastian Apelt working with TippingPoint's
Zero Day Initiative for reporting this issue.

QuickTime
CVE-ID:  CVE-2009-0954
Available for:  Windows Vista and XP SP3
Impact:  Opening a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A heap buffer overflow exists in QuickTime's handling
of Clipping Region (CRGN) atom types in a movie file. Opening a
maliciously crafted movie file may lead to an unexpected application
termination or arbitrary code execution. This update addresses the
issue through improved bounds checking. This issue does not affect
Mac OS X systems. Credit to an anonymous researcher working with
TippingPoint's Zero Day Initiative for reporting this issue.

QuickTime
CVE-ID:  CVE-2009-0185
Available for:  Mac OS X v10.4.11, Mac OS X v10.5.7,
Windows Vista and XP SP3
Impact:  Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A heap buffer overflow exists in the handling of MS
ADPCM encoded audio data. Viewing a maliciously crafted movie file
may lead to an unexpected application termination or arbitrary code
execution. This update addresses the issue through improved bounds
checking. Credit to Alin Rad Pop of Secunia Research for reporting
this issue.

QuickTime
CVE-ID:  CVE-2009-0955
Available for:  Mac OS X v10.4.11, Mac OS X v10.5.7,
Windows Vista and XP SP3
Impact:  Opening a maliciously crafted video file may lead to an
unexpected application termination or arbitrary code execution
Description:  A sign extension issue exists in QuickTime's handling
of image description atoms. Opening a maliciously crafted Apple video
file may lead to an unexpected application termination or arbitrary
code execution. This update addresses the issue through improved
validation of description atoms. Credit to Roee Hay of IBM Rational
Application Security Research Group for reporting this issue.

QuickTime
CVE-ID:  CVE-2009-0956
Available for:  Mac OS X v10.4.11, Mac OS X v10.5.7,
Windows Vista and XP SP3
Impact:  Viewing a movie file with a maliciously crafted user data
atom may lead to an unexpected application termination or arbitrary
code execution
Description:  An uninitialized memory access issue exists in
QuickTime's handling of movie files. Viewing a movie file with a zero
user data atom size may lead to an unexpected application termination
or arbitrary code execution. This update addresses the issue by
performing additional validation of movie files, and presenting a
warning dialog to the user. Credit to Lurene Grenier of Sourcefire,
Inc. (VRT) for reporting this issue.

QuickTime
CVE-ID:  CVE-2009-0957
Available for:  Mac OS X v10.4.11, Mac OS X v10.5.7,
Windows Vista and XP SP3
Impact:  Viewing a maliciously crafted JP2 image may lead to an
unexpected application termination or arbitrary code execution
Description:  A heap buffer overflow exists in QuickTime's handling
of JP2 images. Viewing a maliciously crafted JP2 image may lead to an
unexpected application termination or arbitrary code execution. This
update addresses the issue through improved bounds checking. Credit
to Charlie Miller of Independent Security Evaluators, and Damian Put
working with TippingPoint's Zero Day Initiative for reporting this
issue.


QuickTime 7.6.2 may be obtained from the Software Update
application, or from the QuickTime Downloads site:
http://www.apple.com/quicktime/download/

For Mac OS X v10.5.7
The download file is named: "QuickTime762_Leopard.dmg"
Its SHA-1 digest is: 9484ba3e41638935625b7eb338f0b31298f1f973

For Mac OS X v10.4.11
The download file is named: "QuickTime762_Tiger.dmg"
Its SHA-1 digest is: 74b1c170907dc402c6855b37cfe1a3432a10a92f

For Windows Vista / XP SP3
The download file is named: "QuickTimeInstaller.exe"
Its SHA-1 digest is: f8ba0b1ef3cf5a0317ea28b31db71e79c63e48b8

QuickTime with iTunes for Windows 32-bit XP or Vista
The download file is named: "iTunesSetup.exe"
Its SHA-1 digest is: 16f5b1e787b36aece842ea5ae80bfc6bf2b32b19

QuickTime with iTunes for Windows 64-bit Vista
The download file is named: "iTunes64Setup.exe"
Its SHA-1 digest is: b8739f847f2b66835f4f4b542b3308de96d418ed

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
