X
Business
Home Business Companies Apple

Apple plugs gaping QuickTime security holes

Apple today released QuickTime 7.6.2 with fixes for a variety of security vulnerabilities, some of which could lead to arbitrary code execution attacks.
Written by Ryan Naraine, Contributor

Apple today released QuickTime 7.6.2 with fixes for a variety of security vulnerabilities, some of which could lead to arbitrary code execution attacks.

The update, available for Mac OS X, Windows XP and Windows Vista, covers a total of 10 documented vulnerabilities that could be exploited via booby-trapped movie, video, image and audio files.

Here are the details

followmeontwitter.png

  • CVE-2009-0188: A memory corruption issue exists in QuickTime's handling of Sorenson 3 video files. This may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2009-0951: A heap buffer overflow exists in the handling of FLC compression files. Opening a maliciously crafted FLC compression file may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2009-0952: A buffer overflow may occur while processing a compressed PSD image. Opening a maliciously crafted compressed PSD file may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2009-0010: An integer underflow in QuickTime's handling of PICT may result in a heap buffer overflow. Opening a maliciously crafted PICT file may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2009-0953: A heap buffer overflow exists in QuickTime's handling of PICT images. Opening a maliciously crafted PICT file may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2009-0954: A heap buffer overflow exists in QuickTime's handling of Clipping Region (CRGN) atom types in a movie file. Opening a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2009-0185: A heap buffer overflow exists in the handling of MS ADPCM encoded audio data. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2009-0955: A sign extension issue exists in QuickTime's handling of image description atoms. Opening a maliciously crafted Apple video file may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2009-0956: An uninitialized memory access issue exists in QuickTime's handling of movie files. Viewing a movie file with a zero user data atom size may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2009-0957: A heap buffer overflow exists in QuickTime's handling of JP2 images. Viewing a maliciously crafted JP2 image may lead to an unexpected application termination or arbitrary code execution.

The update is available via the Software Update utility (Mac OS X) and Apple's Windows Automatic Software Update tool (Windows). Alternatively, QuickTime 7.6.2 may be obtained from the QuickTime Downloads site.

Editorial standards
Show Comments

Related

logi-ai-prompt-builder-mx-setup

Logitech mouse and keyboard users are getting a free AI upgrade

Linus Torvalds and Dirk Hohndel, Open Source Summit North America 2024

Linus Torvalds takes on evil developers, hardware errors and 'hilarious' AI hype

Placeholder product image alt text

The best AI image generators to try right now