X
Tech

Apple QuickTime bitten by code execution flaws

Apple today released QuickTime 7.6 to fix at least seven serious security flaws that expose Mac OS X and Windows users to remote code execution attacks.
Written by Ryan Naraine, Contributor

Apple today released QuickTime 7.6 to fix at least seven serious security flaws that expose Mac OS X and Windows users to remote code execution attacks.

The latest upgrade, available for Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista and Windows XP SP2 and SP3, covers vulnerabilities that could be exploited via malicious URLs or booby-trapped movie or audio files.

Here's the skinny:

  • CVE-2009-0001 -- A heap buffer overflow exists in QuickTime's handling of RTSP URLs. Accessing a maliciously crafted RTSP URL may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2009-0002 -- A heap buffer overflow exists in QuickTime's handling of THKD atoms in QTVR (QuickTime Virtual Reality) movie files. Viewing a maliciously crafted QTVR file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.
  • CVE-2009-0003 -- A heap buffer overflow may occur while processing an AVI movie file. Opening a maliciously crafted AVI movie file may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2009-0004 -- A buffer overflow exists in the handling of MPEG-2 video files with MP3 audio content. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2009-0005 -- A memory corruption exists in QuickTime's handling of H.263 encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2009-0006 -- A signedness issue exists in QuickTime's handling of Cinepak encoded movie files, which may result in a heap buffer overflow. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2009-0007 -- A heap buffer overflow exists in QuickTime's handling of jpeg atoms in QuickTime movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution.

The patch is available via the software update utility on Mac OS X and the automatic-updating tool for Windows XP and Vista.  Additionally, QuickTime 7.6 may be obtained from QuickTime Downloads site.

UPDATE:  Apple issued a separate advisory for an input validation issue  in the QuickTime MPEG-2 Playback Component for Windows:

  • CVE-2009-0008 (available for Windows Vista, XP SP2 and SP3):  Accessing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of MPEG-2 files. This issue does not affect systems running Mac OS X.

Editorial standards