Apple plugs gaping QuickTime security holes
Summary: Apple today released QuickTime 7.6.2 with fixes for a variety of security vulnerabilities, some of which could lead to arbitrary code execution attacks.
Apple today released QuickTime 7.6.2 with fixes for a variety of security vulnerabilities, some of which could lead to arbitrary code execution attacks.
The update, available for Mac OS X, Windows XP and Windows Vista, covers a total of 10 documented vulnerabilities that could be exploited via booby-trapped movie, video, image and audio files.
Here are the details
- CVE-2009-0188: A memory corruption issue exists in QuickTime's handling of Sorenson 3 video files. This may lead to an unexpected application termination or arbitrary code execution.
- CVE-2009-0951: A heap buffer overflow exists in the handling of FLC compression files. Opening a maliciously crafted FLC compression file may lead to an unexpected application termination or arbitrary code execution.
- CVE-2009-0952: A buffer overflow may occur while processing a compressed PSD image. Opening a maliciously crafted compressed PSD file may lead to an unexpected application termination or arbitrary code execution.
- CVE-2009-0010: An integer underflow in QuickTime's handling of PICT may result in a heap buffer overflow. Opening a maliciously crafted PICT file may lead to an unexpected application termination or arbitrary code execution.
- CVE-2009-0953: A heap buffer overflow exists in QuickTime's handling of PICT images. Opening a maliciously crafted PICT file may lead to an unexpected application termination or arbitrary code execution.
- CVE-2009-0954: A heap buffer overflow exists in QuickTime's handling of Clipping Region (CRGN) atom types in a movie file. Opening a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution.
- CVE-2009-0185: A heap buffer overflow exists in the handling of MS ADPCM encoded audio data. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution.
- CVE-2009-0955: A sign extension issue exists in QuickTime's handling of image description atoms. Opening a maliciously crafted Apple video file may lead to an unexpected application termination or arbitrary code execution.
- CVE-2009-0956: An uninitialized memory access issue exists in QuickTime's handling of movie files. Viewing a movie file with a zero user data atom size may lead to an unexpected application termination or arbitrary code execution.
- CVE-2009-0957: A heap buffer overflow exists in QuickTime's handling of JP2 images. Viewing a maliciously crafted JP2 image may lead to an unexpected application termination or arbitrary code execution.
The update is available via the Software Update utility (Mac OS X) and Apple's Windows Automatic Software Update tool (Windows). Alternatively, QuickTime 7.6.2 may be obtained from the QuickTime Downloads site.
Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.
Talkback
This is clearly Microsofts problem
I wonder..
I also wonder how drug companies get popped for advertising thier pills have no side effects, but Apple gets away with running smear ads that imply that Apple is perfect and only Windows can have flaws?
The EU pops Intel for selling processors for lest then cost, and Apple gets away with selling the same lower cost processors for more then other OEM's and yet this is all in the consumers best interest. Obviously lower prices would only hurt people in a bad economy? lol.
This whole world has become laughable. Anyone else see that stupid movie Idiocracy, and think many it wasn't so far off?
I fully agree.....
What I find most interesting...
Also, for those that claim some of these political nit-wits come from ivy league universities, Georgia has two public universities that ranked among the top 10 ivy league. How smart do you think they are now?
Problem is....
In this day and age, I am considered evil for thinking that way and I should have empathy that outweighs any of my other thoughts on the matter. Kind of makes me sick when I think about how people used to look inside themselves and do whats best for themselves and these days everyone looks to Uncle Sam to save their sorry asses. No personal responsibility, thats an evil word too. Failure is one of the greatest things to teach a lesson and no one is allowed to fail these days. They all get to suck on the government teat while I work my a$$ off every day.
flawd logic
for the "me too" programs to disappear, so
would the people asking for them. Their votes
are just as powerful as yours.
And their logic is....
Its almost to the point that I would have taken a depression just to show people that you can't take things for granted. Was I ever given anything in my life to get where I am? Nope not at all, all I had was a mother and father that cared, but had very little money. No college money, nothing and I couldn't get any help from the government because of my ethnic background. We need to stop the race and class warfare and place the responsibility soley in the hands of the individual, just like I had to do. And guess what I have succeeded, so logic says, so can they.
Pride blind the foolish
I hereby ban the word "empathy"
Both sides are bad about this kind of propoganda rhetoric, and it's beginning to resemble the speaches given by Stalin, and Hitler.
People have opinions, but just because you feel strongly about your opinion doesn't mean you and only you can be right. These people know that the longer they get away with convincing the masses that common sense is something only the government possesses, the harder it will be to gain back control.
Personally, I wish the states and all citizens would refuse to pay anymore taxes to this overbearing, tyranistic, and unconstitutional government, and force them back in their places.
It confuses me how repersentitives can legally vote for their own pay raises. Imagine if everyone was allowed to do this?
Amendment 10 of the constitution clearly states that any power not specificly given to the federal government by the constitution is left to the individual states and people. The statement is very clear, and from a legal stand point means that the many "Czars" and various agencies created by the federal government and the president are purely unconstitutional and invalid. In reality, they hold no legal power, and the judges that misinterpet the law to allow it are in fact in violation of defrauding the American people.
Beyond all that, the organization that is responsible for fraudulent voter registration is not only being protected by the president they helped elect, but is now being considered to run the population census. Surely there is no wrong doing there.
I feel bad for the minorities that felt they had voted in the United States first minority president, but I'm afraid at this rate, they will wish it hadn't been Obama. They may not see it yet, though I'm not sure how, but unless he makes major changes in his path, he will only embaress the minorities with his outright illegal, and unethical antics.
Can anyone count how many people he has appointed that have not been, or are not currently under investigation for some wrong doing? Prime example, the secretary of treasury. Sure... why not have a guy that doesn't even pay his taxes over the IRS.
It's beyond madness. It all makes so little sense that even Rush Limbaugh seems more normal. And that is scary. Its sad... it really is.
Maybe...
Save your 2 cents worth of political effluent for someplace else.
In case you and your cohorts hadn't noticed, buster, this is an IS/IT blog site.
For cryin' out loud!
@thx
...it's just me, but WTF has any of your rant got to do with the security flaws in QT???"
Nothing, but I posted in response to a comment, not the original story. If you need to know where it came from, go back one step in the thread. If you don't like people responding to posts, then maybe you should find a new past time.
"Save your 2 cents worth of political effluent for someplace else."
Funny how you attack my political view, yet haven't said anything about the others before me. I'm allowed free speech, at least so far, and you can tell me to save it if you want, but you can never take it away from me. That must make you feel very sad to have so little power over other people.
"In case you and your cohorts hadn't noticed, buster, this is an IS/IT blog site."
Cohorts? Nah, I doubt many people consider themselves cohorts of mine. I have noticed this site is somewhat biased towards IS/IT, but I always just thought that was just a few tech fanatics here and there. I much more enjoy the political debates. ;P
On a more serious note, politics influences technology, and vice versa, so removing either completely from the other is virtually imposible. Politics is deeply embedded into daily life. Good luck avoiding it.
"For cryin' out loud!"
There you go... just let it all out. You'll feel much better.
@ShadowGIATL
If you think you're going to get off lightly with your weak comeback, then i'm afraid you picked the wrong person to step out.
But i'm not surprised: like all people with political agendas, you have this 'natural penchant' for staying uncannily off subject.
I'll say it clearly since you're obviously slow on the uptake: if you've got any relevant enquiries, information or assistance to offer in regards the subject matter of this ZDNet article, by all means enlighten us. Otherwise, you and anyone else with a political agenda ought to take a hint and move on.
By the way wiseguy, I never once questioned your right to speak out on whatever you please. But since you're too slow to take a clue, "there's a time and a place for everything". Last time i looked, ZDNet wasn't a Political News Forum. You seem deluded in thinking otherwise.
Again, if you have anything valuable to contribute on QT flaws and how it impacts end-users; if you can offer help with mitigation(s), questions or enquiries about the same, feel free to contribute. As it stands, you've given complete bupkiss.
Look, i've got some constructive advice for you: try using your hot air for balloons and float on outta here ...
But if you're a glutton for punishment, by all means, go on and knock yourself dead.
@thx
I answered the question. Not happy with the answer, or the fact that sometimes things don't go the way you want it, I think you'll find yourself very unhappy in life.
"If you think you're going to get off lightly with your weak comeback, then i'm afraid you picked the wrong person to step out."
Bring it buddy. I answered the question, and your response is that it is weak? It was not a comeback, but rather an explanation. Your the one insistent on a fight.
"But i'm not surprised: like all people with political agendas, you have this 'natural penchant' for staying uncannily off subject."
Political agenda? I make a response to one political post in this article, and suddenly I have an agenda? Everyone has political opinions, and to suggest that anone that shares them has some hidden agenda seems pretty petty. You are a petty little person.
"I'll say it clearly since you're obviously slow on the uptake: if you've got any relevant enquiries, information or assistance to offer in regards the subject matter of this ZDNet article, by all means enlighten us."
Check my other posts you narrowminded, forum troll. I offered my thoughts on the QT flaws in several spots, and yet the only one your trolling is the one where I responded to a political outburst. It's obvious what your doing on here is LOOKING for the political posts so you can look like some kinda of post savier. Save it, as no one else seemed offended. Once again, if it offends you, you're free to move on and not read it.
"Otherwise, you and anyone else with a political agenda ought to take a hint and move on."
Your the only one giving the hint. Majority rules.
"By the way wiseguy, I never once questioned your right to speak out on whatever you please."
I reference this: "Otherwise, you and anyone else with a political agenda ought to take a hint and move on."
Yep... in no way are you saying people don't have a right to say what they feel... hmmmm. Maybe you should think more before you speak. At least I admit I make mistakes from time to time, but you're fully convinced you're the only right voice on here. Get a life.
"But since you're too slow to take a clue, "there's a time and a place for everything". Last time i looked, ZDNet wasn't a Political News Forum. You seem deluded in thinking otherwise."
Again, by generalizing that from this one post that all I do is post political opinions on ZDNet suggests your narrowminded, and lacking in the ability to search further in this forum and other articles. I have even writen an article for ZDNet, and you'll be suprised to know it wasn't on politics.
"Again, if you have anything valuable to contribute on QT flaws and how it impacts end-users; if you can offer help with mitigation(s), questions or enquiries about the same, feel free to contribute. As it stands, you've given complete bupkiss."
And again, check the other post from me on this issue. Really want my opinion? QT IS a flaw. It has never really contributed anything important to the industry outside of providing job security for computer techs and IT pros following it around with a fix-it bag. By the way, this forum isn't actually meant to be a place where only qualified IS&T come to help Apple fix their crappy software. Nor do I think they surf these post looking for such input on a regular basis. On that note, I have noticed Google does monitor this site for feedback, and I have given them such feedback in the past.
"Look, i've got some constructive advice for you: try using your hot air for balloons and float on outta here ..."
One could say the same for you, but I was being nice and merely suggested that if you are uncomfartable with reading a post on here, you should just skip it.
"But if you're a glutton for punishment, by all means, go on and knock yourself dead."
I am a glutton for punishment, but I'm to hard headed to knock myself dead. Could you do the honors?
The Shadow
Knowledge is Power
Anymore questions?
Not always the case
country, but it is not as black and white as you
imply. Not all who drop out of school suck the
govs teat, in fact corporations cost us far more
then our poor. Educated people will think your
evil for thinking that way
Ivy Leagues
I THINK You just made that up, as there are only 8 Ivy League Universities.
And I also think that there aren't NEARLY enough Ivy League graduates in government - but why would there be? With their brains, they are making 2-20x more working for the private sector. Only those that actually believe in something aggree to take the pay cut - people have problems because these few usually hold opinions contrary to popular opinion. In these cases, public opinion is flawed at best since the public is an easily swayed mob with no real logic or reason behind it.
I mean, lock at the Swine Flu scare and compare that to the amount of news coverage of heart disease resulting from fast food, alchohol and tobacco use. The later is FAR more dangerous to you every day, and yet the US is how far down on the healthy country list?
"The views expressed here are mine and do not reflect the official opinion of my employer or the organization through which the Internet was accessed."
Well...
And yes, most ivy leaguers would rather work in the private sector, which only strengthens the point that people in government are smarter then then everyone in the public world as they want everyone to believe.
I rest my case.
Bailed Out?
As Johnny Five Angels Would Say, Yeah, Sure, Why Not
didn't have to do it, so, perhaps there is another element to your
definition of bail-out that I'm not seeing.
As to why, I think Microsoft saw the DOJ at full-speed on anti-trust
and wanted Apple to stay in business. Plus, Microsoft made money
when they sold Office for Mac. As I understand it, after Apple turned
the corner, Microsoft sold the stock at a profit. Regarding the ip
issues, Apple was not very successful at the cases that made it to
court. After its struggles in the mid-90s, Apple made a pragmatic
decision to resolve all those things because the Apple ship was going
down and if Microsoft pulled Office, it was over. So Microsoft got
Apple's cooperation with regards to java and Netscape, cross-
licensing deals were signed, and Apple got the investment.
Not
Ah, well, no. Even at that point, Apple was making over a billion bucks a year.
Even though I admit the Performa line of Macs was somewhat... lackluster.
So to put it in perspective, you're making $100 a day and I offer you another
$15.
Pays for lunch.
"Microsoft
didn't have to do it"
Well, they could have just let the court case drag on for years.
And cost them more money. At a time when the DOJ was breathing down their
neck.
And of course, they were guilty. Caught red-handed.
Apple hired an outside agency to port Quicktime code to INTEL... it ended up in
Video For Windows.
There's just nothing a lawyer can really do with that.
You could argue M$ didn't know Canyon had already sold that code to Apple,
but
what Judge would fall for that?
Time to cut your losses. M$ paid $150 Million in fines, agreed to continue
Office
for Mac for five years, there was a cross-licensing agreement, and then... the
stock deal.
You know, I'd always thought M$ made some money off that. Apple stock
certainly
went up.
But Apple Confidential II says M$ actually sold short on that stock. Which, since
it
went up, means they lost money. Too bad.
" Apple made a pragmatic
decision to resolve all those things"
Yes, obviously.
The case was costing them money the longer it dragged out.
They get what amounts to an admission of guilt from M$, which is what they
wanted anyway.
And clearly it was a good strategic decision.
Are you reffering to the GUI dispute?
No, sorry
No. The original trial against Microsoft ended because of a
technicality.
Apple had contracted with Microsoft to provide software: Microsoft
insisted
that to build Mac software they needed a look under the hood.
So Apple rather naively granted M$ a license to the MacOS.
It was nuts.
There's no way M$ needed a MacOS license to write Mac software.
This is the most embarrassing mistake Apple ever made in business.
Because after M$ literally used MacOS code in the first Windows beta,
Apple
took them to court for IP theft.
And lost, because of that license.
The settlement you refer to happened during the second trial.
Apple again found their code in a Microsoft product, Video For
Windows.
Apple had hired an outside developer to port the Quicktime code to
INTEL.
Decompiling VFW proved the QT code was there, no question.
If you're in the software business, you can't let that pass. It's your
bread and
butter.
Imagine if Adobe found the code for Photoshop in a competitors'
product.
Think they wouldn't do anything about it? Think again.
"In which case, MS and Apple had been in partnership, and then Apple
backed
out of their contract, which resulted in MS aquiring stock from Apple."
Somehow you've got this completely backwards.
I don't know how... it just makes no sense. I think you've got details
of the
two Apple/Microsoft cases confused.
Microsoft was caught stealing. They fought the charge, realized it
was
unbeatable, and finally settled.
Part of the settlement was paying a large fine, part was an agreement
to
extend Office for Mac, and part was the five-year stock deal.
It cleared the decks for both companies to go back to work and avoid
the
drain of the lawsuits.
And it also helped Microsoft, at a time when they really couldn't afford
having
any more heat from the anti-trust investigation.