Apple plugs eight more QuickTime holes
The skinny, according to this Cupertino alert:
CVE-2007-2295 -- A memory corruption issue exists in QuickTime's handling of H.264 movies. By enticing a user to access a maliciously crafted H.264 movie, an attacker can trigger the issue which may lead to an unexpected application termination or arbitrary code execution. (Available for Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista, XP SP2).
CVE-2007-2392 -- A memory corruption issue exists in QuickTime's handling of movie files. By enticing a user to access a maliciously crafted movie file, an attacker can trigger the issue which may lead to an unexpected application termination or arbitrary code execution. (Available for Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista, XP SP2).
CVE-2007-2296 -- An integer overflow vulnerability exists in QuickTime's handling of .m4v files. By enticing a user to access a maliciously crafted .m4v file, an attacker can trigger the issue which may lead to an unexpected application termination or arbitrary code execution. (Available for Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista, XP SP2).
CVE-2007-2394 -- An integer overflow vulnerability exists in QuickTime's handling of SMIL files. By enticing a user to access a maliciously crafted SMIL file, an attacker can trigger the issue which may lead to an unexpected application termination or arbitrary code execution. (Available for Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista, XP SP2)
[ SEE: Safari on Windows could be big target for malware ]
CVE-2007-2397 -- A design issue exists in QuickTime for Java, which may allow security checks to be disabled. By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker can trigger the issue which may lead to arbitrary code execution. (Available for Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista, XP SP2).
CVE-2007-2393 -- A design issue exists in QuickTime for Java. This may allow Java applets to bypass security checks in order to read and write process memory. By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker can trigger the issue which may lead to arbitrary code execution. (Available for Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista, XP SP2).
[ SEE: Securing Safari: How to run Apple's Web browser securely ]
CVE-2007-2396 -- A design issue exists in QuickTime for Java. JDirect exposes interfaces that may allow loading arbitrary libraries and freeing arbitrary memory. By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker can trigger the issue which may lead to arbitrary code execution. (Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista, XP SP2).
CVE-2007-2402 -- A design issue exists in QuickTime for Java, which may allow a malicious website to capture a client's screen content. By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker can trigger the issue which may lead to the disclosure of sensitive information. (Available for Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista, XP SP2).