Zero Day
Apple plugs gaping QuickTime security holes
By Ryan Naraine and Dancho Danchev
Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnews.com.
Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.
Apple today released QuickTime 7.6.2 with fixes for a variety of security vulnerabilities, some of which could lead to arbitrary code execution attacks.
The update, available for Mac OS X, Windows XP and Windows Vista, covers a total of 10 documented vulnerabilities that could be exploited via booby-trapped movie, video, image and audio files.
Here are the details:
- CVE-2009-0188: A memory corruption issue exists in QuickTime’s handling of Sorenson 3 video files. This may lead to an unexpected application termination or arbitrary code execution.
- CVE-2009-0951: A heap buffer overflow exists in the handling of FLC compression files. Opening a maliciously crafted FLC compression file may lead to an unexpected application termination or arbitrary code execution.
- CVE-2009-0952: A buffer overflow may occur while processing a compressed PSD image. Opening a maliciously crafted compressed PSD file may lead to an unexpected application termination or arbitrary code execution.
- CVE-2009-0010: An integer underflow in QuickTime’s handling of PICT may result in a heap buffer overflow. Opening a maliciously crafted PICT file may lead to an unexpected application termination or arbitrary code execution.
- CVE-2009-0953: A heap buffer overflow exists in QuickTime’s handling of PICT images. Opening a maliciously crafted PICT file may lead to an unexpected application termination or arbitrary code execution.
- CVE-2009-0954: A heap buffer overflow exists in QuickTime’s handling of Clipping Region (CRGN) atom types in a movie file. Opening a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution.
- CVE-2009-0185: A heap buffer overflow exists in the handling of MS ADPCM encoded audio data. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution.
- CVE-2009-0955: A sign extension issue exists in QuickTime’s handling of image description atoms. Opening a maliciously crafted Apple video file may lead to an unexpected application termination or arbitrary code execution.
- CVE-2009-0956: An uninitialized memory access issue exists in QuickTime’s handling of movie files. Viewing a movie file with a zero user data atom size may lead to an unexpected application termination or arbitrary code execution.
- CVE-2009-0957: A heap buffer overflow exists in QuickTime’s handling of JP2 images. Viewing a maliciously crafted JP2 image may lead to an unexpected application termination or arbitrary code execution.
The update is available via the Software Update utility (Mac OS X) and Apple’s Windows Automatic Software Update tool (Windows). Alternatively, QuickTime 7.6.2 may be obtained from the QuickTime Downloads site.
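Several of the bugs above are length-handling mistakes in atom parsing: a zero-size user data atom (CVE-2009-0956), an integer underflow that becomes a heap overflow (CVE-2009-0010), and an oversized CRGN atom (CVE-2009-0954). The following is an added example, not Apple's code and not derived from the QuickTime fixes, showing the class of check that such a parser needs. It walks QuickTime-style atoms (a 4-byte big-endian size followed by a 4-byte type; a top-level size of 0 means "extends to end of file", a size of 1 means a 64-bit size follows) over a constructed byte buffer, contrasting the unchecked `size - header` subtraction with a validated version. The atom contents and names in the samples are made up for the example.

```c
/*
 * Added example (not Apple's code): defensive length handling for
 * QuickTime/MP4-style atoms. Shows the checks behind the atom-size bugs
 * listed above. The sample buffers are constructed for this example.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ATOM_HDR 8u   /* 4-byte big-endian size + 4-byte type */

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: derive the payload length by subtracting the header
 * size before checking that the atom size is at least the header size.
 * For atom_size < 8 the unsigned subtraction wraps to a huge value that
 * then feeds an allocation or a copy. Returns what the buggy code uses. */
uint32_t payload_len_unchecked(uint32_t atom_size) {
    return atom_size - ATOM_HDR;   /* wraps when atom_size < 8 */
}

/* Hardened: validate the size field against the header length and the
 * bytes remaining in the buffer before deriving a payload length.
 * Sizes are treated as unsigned throughout (a signed read is how sign
 * extension bugs start). Returns the payload length, or -1 if malformed.
 * Top-level size 0 is mapped to "rest of buffer"; size 1 (extended 64-bit
 * size) is not handled here and is rejected. */
int64_t atom_payload_len(const uint8_t *buf, size_t buflen, size_t off) {
    if (off > buflen || buflen - off < ATOM_HDR) return -1;  /* no header */
    size_t remaining = buflen - off;
    uint64_t size = rd32(buf + off);
    if (size == 0) size = remaining;        /* "extends to end of file" */
    if (size == 1) return -1;               /* extended size: unsupported */
    if (size < ATOM_HDR) return -1;         /* would underflow */
    if (size > remaining) return -1;        /* runs past the buffer */
    return (int64_t)(size - ATOM_HDR);
}

/* Walk all top-level atoms; return how many were well-formed, or -1 at the
 * first malformed one. Advancing by ATOM_HDR + plen cannot overshoot the
 * buffer because atom_payload_len bounded size by `remaining`. */
int walk_atoms(const uint8_t *buf, size_t buflen) {
    size_t off = 0;
    int count = 0;
    while (off < buflen) {
        int64_t plen = atom_payload_len(buf, buflen, off);
        if (plen < 0) return -1;
        count++;
        off += ATOM_HDR + (size_t)plen;
    }
    return count;
}

/* Constructed sample: a 16-byte 'ftyp' atom, then a 'udta' atom whose size
 * field is 0 (extends to the end of the buffer: 12 bytes, 4 of payload). */
const uint8_t good_sample[] = {
    0,0,0,16, 'f','t','y','p', 'q','t',' ',' ', 0,0,0,0,
    0,0,0,0,  'u','d','t','a', 1,2,3,4
};
/* Constructed sample: second atom declares size 4, below the 8-byte header. */
const uint8_t bad_sample[] = {
    0,0,0,16, 'f','t','y','p', 'q','t',' ',' ', 0,0,0,0,
    0,0,0,4,  'u','d','t','a'
};

int main(void) {
    printf("good sample: %d atoms\n", walk_atoms(good_sample, sizeof good_sample));
    printf("bad sample:  %d (malformed)\n", walk_atoms(bad_sample, sizeof bad_sample));
    printf("unchecked payload length for size 4: %u\n", payload_len_unchecked(4));
    return 0;
}
```

The point of the hardened version is the order of checks: the size field is compared against the header length and the remaining input before any arithmetic is done on it, so neither the underflow nor the "past end of buffer" case ever reaches an allocation or copy.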
Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.
Talkback: most recent of 78 Talkback(s)
This is clearly Microsoft's problem
They should never have bailed out Apple.
Col Mustard, 06/01/2009 04:50 PM
I wonder..
if Gates still has that Apple stock he bought way back when they were business partners?
I also wonder how drug companies get popped for advertising their pills have no side effects, but Apple gets away with running smear ads that imply that Apple is perfect and only Windows can have flaws?
The EU pops Intel for selling processors for less than cost, and Apple gets away with selling the same lower cost processors for more than other OEMs, and yet this is all in the consumers' best interest. Obviously lower prices would only hurt people in a bad economy? lol.
This whole world has become laughable. Anyone else see that stupid movie Idiocracy, and think maybe it wasn't so far off?
ShadowGIATL, 06/01/2009 06:14 PM
I fully agree.....
I have never seen the movie, but this world is more or less cracked out. It's become a bad thing to think in common sense and keeping things simple and, most important, the truth. I forgot, it's all about control, control, control. They know better than you, you are just a dumb little person with a pea-sized brain. They will look out for your best interest, I mean when have politicians ever failed the people?
OhTheHumanity, 06/01/2009 07:03 PM
What I find most interesting...
most politicians come from mediocre colleges and universities with average grades, and they think they are smarter than 90% of the population because they became a puppet for the government. A government, mind you, that has unconstitutionally expanded its power without proper consent from the people it is supposed to serve. As Americans, we need to stop acting like our government controls us, and start controlling our government. It won't be hard as long as we can all join and do it together.
Also, for those that claim some of these political nit-wits come from Ivy League universities, Georgia has two public universities that ranked among the top 10 Ivy League. How smart do you think they are now?
ShadowGIATL, 06/02/2009 06:17 AM
Problem is....
We now live in a me-too society where people think they deserve something for nothing and big government gives them this opportunity. For example I heard that in my city we received $700,000 for employment of high school drop outs and drop outs only. Our society should discourage anyone from wasting their good education that is easily achievable in most places if you pay some freakin attention in class. We should make those that choose the route of failure pay a price.
In this day and age, I am considered evil for thinking that way and I should have empathy that outweighs any of my other thoughts on the matter. Kind of makes me sick when I think about how people used to look inside themselves and do what's best for themselves and these days everyone looks to Uncle Sam to save their sorry asses. No personal responsibility, that's an evil word too. Failure is one of the greatest things to teach a lesson and no one is allowed to fail these days. They all get to suck on the government teat while I work my a$$ off every day.
OhTheHumanity, 06/02/2009 07:58 AM
Flawed logic
The problem with your argument is that in order for the "me too" programs to disappear, so would the people asking for them. Their votes are just as powerful as yours.
odcchaz, 06/02/2009 01:08 PM
And their logic is....
cut off the hand that feeds them. I fully support voting as you see fit, but it's sad to see that so many don't realize what has created this massive overbearing government: the private sector and the people. If we go with the "me too" thinking then they will cut off the hand that feeds them. Just pointing out the obvious. It's a sign of our education system, work ethic, and family values.
It's almost to the point that I would have taken a depression just to show people that you can't take things for granted. Was I ever given anything in my life to get where I am? Nope, not at all, all I had was a mother and father that cared, but had very little money. No college money, nothing, and I couldn't get any help from the government because of my ethnic background. We need to stop the race and class warfare and place the responsibility solely in the hands of the individual, just like I had to do. And guess what, I have succeeded, so logic says, so can they.
Pride blinds the foolish
OhTheHumanity, 06/02/2009 05:20 PM
I hereby ban the word "empathy"
The far left use it as a word that represents the only right way of thinking when it's really just an opinion.
Both sides are bad about this kind of propaganda rhetoric, and it's beginning to resemble the speeches given by Stalin and Hitler.
People have opinions, but just because you feel strongly about your opinion doesn't mean you and only you can be right. These people know that the longer they get away with convincing the masses that common sense is something only the government possesses, the harder it will be to gain back control.
Personally, I wish the states and all citizens would refuse to pay any more taxes to this overbearing, tyrannical, and unconstitutional government, and force them back in their places.
It confuses me how representatives can legally vote for their own pay raises. Imagine if everyone was allowed to do this?
Amendment 10 of the Constitution clearly states that any power not specifically given to the federal government by the Constitution is left to the individual states and people. The statement is very clear, and from a legal standpoint means that the many "Czars" and various agencies created by the federal government and the president are purely unconstitutional and invalid. In reality, they hold no legal power, and the judges that misinterpret the law to allow it are in fact in violation of defrauding the American people.
Beyond all that, the organization that is responsible for fraudulent voter registration is not only being protected by the president they helped elect, but is now being considered to run the population census. Surely there is no wrongdoing there.
I feel bad for the minorities that felt they had voted in the United States' first minority president, but I'm afraid at this rate, they will wish it hadn't been Obama. They may not see it yet, though I'm not sure how, but unless he makes major changes in his path, he will only embarrass the minorities with his outright illegal and unethical antics.
Can anyone count how many people he has appointed that have not been, or are not currently, under investigation for some wrongdoing? Prime example, the secretary of the treasury. Sure... why not have a guy that doesn't even pay his taxes over the IRS.
It's beyond madness. It all makes so little sense that even Rush Limbaugh seems more normal. And that is scary. It's sad... it really is.
ShadowGIATL, 06/02/2009 01:16 PM
Maybe...
...it's just me, but WTF has any of your rant got to do with the security flaws in QT???
Save your 2 cents worth of political effluent for someplace else.
In case you and your cohorts hadn't noticed, buster, this is an IS/IT blog site.
For cryin' out loud!
thx-1138_@..., 06/02/2009 11:34 PM
@thx
"Maybe...
...it's just me, but WTF has any of your rant got to do with the security flaws in QT???"
Nothing, but I posted in response to a comment, not the original story. If you need to know where it came from, go back one step in the thread. If you don't like people responding to posts, then maybe you should find a new pastime.
"Save your 2 cents worth of political effluent for someplace else."
Funny how you attack my political view, yet haven't said anything about the others before me. I'm allowed free speech, at least so far, and you can tell me to save it if you want, but you can never take it away from me. That must make you feel very sad to have so little power over other people.
"In case you and your cohorts hadn't noticed, buster, this is an IS/IT blog site."
Cohorts? Nah, I doubt many people consider themselves cohorts of mine. I have noticed this site is somewhat biased towards IS/IT, but I always just thought that was just a few tech fanatics here and there. I much more enjoy the political debates. ;P
On a more serious note, politics influences technology, and vice versa, so removing either completely from the other is virtually impossible. Politics is deeply embedded into daily life. Good luck avoiding it.
"For cryin' out loud!"
There you go... just let it all out. You'll feel much better.
ShadowGIATL, 06/03/2009 08:27 PM
@ShadowGIATL
The question stands: what has any of what you - or for that matter what those before you spoke of (in regards politics) - have to do with the QT flaw and the subject matter of this article????
If you think you're going to get off lightly with your weak comeback, then I'm afraid you picked the wrong person to step out.
But I'm not surprised: like all people with political agendas, you have this 'natural penchant' for staying uncannily off subject.
I'll say it clearly since you're obviously slow on the uptake: if you've got any relevant enquiries, information or assistance to offer in regards the subject matter of this ZDNet article, by all means enlighten us. Otherwise, you and anyone else with a political agenda ought to take a hint and move on.
By the way, wiseguy, I never once questioned your right to speak out on whatever you please. But since you're too slow to take a clue, "there's a time and a place for everything". Last time I looked, ZDNet wasn't a Political News Forum. You seem deluded in thinking otherwise.
Again, if you have anything valuable to contribute on QT flaws and how it impacts end-users; if you can offer help with mitigation(s), questions or enquiries about the same, feel free to contribute. As it stands, you've given complete bupkiss.
Look, I've got some constructive advice for you: try using your hot air for balloons and float on outta here ...
But if you're a glutton for punishment, by all means, go on and knock yourself dead.
thx-1138_@..., Edited: 06/04/2009 12:20 AM
@thx
"The question stands: what has any of what you - or for that matter what those before you spoke of (in regards politics) - have to do with the QT flaw and the subject matter of this article????"
I answered the question. Not happy with the answer, or the fact that sometimes things don't go the way you want it, I think you'll find yourself very unhappy in life.
"If you think you're going to get off lightly with your weak comeback, then i'm afraid you picked the wrong person to step out."
Bring it, buddy. I answered the question, and your response is that it is weak? It was not a comeback, but rather an explanation. You're the one insistent on a fight.
"But i'm not surprised: like all people with political agendas, you have this 'natural penchant' for staying uncannily off subject."
Political agenda? I make a response to one political post in this article, and suddenly I have an agenda? Everyone has political opinions, and to suggest that anyone that shares them has some hidden agenda seems pretty petty. You are a petty little person.
"I'll say it clearly since you're obviously slow on the uptake: if you've got any relevant enquiries, information or assistance to offer in regards the subject matter of this ZDNet article, by all means enlighten us."
Check my other posts, you narrow-minded forum troll. I offered my thoughts on the QT flaws in several spots, and yet the only one you're trolling is the one where I responded to a political outburst. It's obvious what you're doing on here is LOOKING for the political posts so you can look like some kind of post savior. Save it, as no one else seemed offended. Once again, if it offends you, you're free to move on and not read it.
"Otherwise, you and anyone else with a political agenda ought to take a hint and move on."
You're the only one giving the hint. Majority rules.
"By the way wiseguy, I never once questioned your right to speak out on whatever you please."
I reference this: "Otherwise, you and anyone else with a political agenda ought to take a hint and move on."
Yep... in no way are you saying people don't have a right to say what they feel... hmmmm. Maybe you should think more before you speak. At least I admit I make mistakes from time to time, but you're fully convinced you're the only right voice on here. Get a life.
"But since you're too slow to take a clue, "there's a time and a place for everything". Last time i looked, ZDNet wasn't a Political News Forum. You seem deluded in thinking otherwise."
Again, by generalizing from this one post that all I do is post political opinions on ZDNet suggests you're narrow-minded, and lacking in the ability to search further in this forum and other articles. I have even written an article for ZDNet, and you'll be surprised to know it wasn't on politics.
"Again, if you have anything valuable to contribute on QT flaws and how it impacts end-users; if you can offer help with mitigation(s), questions or enquiries about the same, feel free to contribute. As it stands, you've given complete bupkiss."
And again, check the other post from me on this issue. Really want my opinion? QT IS a flaw. It has never really contributed anything important to the industry outside of providing job security for computer techs and IT pros following it around with a fix-it bag. By the way, this forum isn't actually meant to be a place where only qualified IS&T come to help Apple fix their crappy software. Nor do I think they surf these post looking for such input on a regular basis. On that note, I have noticed Google does monitor this site for feedback, and I have given them such feedback in the past.
"Look, i've got some constructive advice for you: try using your hot air for balloons and float on outta here ..."
One could say the same for you, but I was being nice and merely suggested that if you are uncomfortable with reading a post on here, you should just skip it.
"But if you're a glutton for punishment, by all means, go on and knock yourself dead."
I am a glutton for punishment, but I'm too hard-headed to knock myself dead. Could you do the honors?
The Shadow
Knowledge is Power
Any more questions?
ShadowGIATL, 06/04/2009 02:39 PM
Not always the case
I know that we want to demonize the poor in this country, but it is not as black and white as you imply. Not all who drop out of school suck the gov's teat; in fact corporations cost us far more than our poor. Educated people will think you're evil for thinking that way.
davidhite, 06/03/2009 03:57 PM
Ivy Leagues
"Also, for those that claim some of these political nit-wits come from ivy league universities, Georgia has two public universities that ranked among the top 10 ivy league. How smart do you think they are now? "
I THINK You just made that up, as there are only 8 Ivy League Universities.
And I also think that there aren't NEARLY enough Ivy League graduates in government - but why would there be? With their brains, they are making 2-20x more working for the private sector. Only those that actually believe in something agree to take the pay cut - people have problems because these few usually hold opinions contrary to popular opinion. In these cases, public opinion is flawed at best since the public is an easily swayed mob with no real logic or reason behind it.
I mean, look at the Swine Flu scare and compare that to the amount of news coverage of heart disease resulting from fast food, alcohol and tobacco use. The latter is FAR more dangerous to you every day, and yet the US is how far down on the healthy country list?
"The views expressed here are mine and do not reflect the official opinion of my employer or the organization through which the Internet was accessed."
gnesterenko, 06/02/2009 08:56 AM
Well...
I meant to put top 10 with the Ivy Leagues... my fast fingers out-type my brain. Plus I'm lysdexic. At any rate, UGA and Ga Tech both ranked higher than Brown University.
And yes, most Ivy Leaguers would rather work in the private sector, which only strengthens the point that people in government are smarter than everyone in the public world as they want everyone to believe.
I rest my case.
ShadowGIATL, 06/02/2009 01:21 PM