X
Business

Apple releases QuickTime 7.7.2 for Windows, fixes 17 flaws

Apple QuickTime version 7.7.2 is out, fixing 17 security vulnerabilities in the multimedia framework. This is a security update, meaning no new features have been added. You should still update.
Written by Emil Protalinski, Contributor

Apple today released QuickTime 7.7.2 for Windows XP SP2, Windows Vista, Windows 7, and later. The new version fixes 17 security vulnerabilities in the multimedia framework. You can download the new version directly from here: QuickTimeInstaller.

Here are the 17 security vulnerabilities fixed in this release:

  • Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution - Description: Multiple stack overflows existed in QuickTime's handling of TeXML files. These issues do not affect OS X systems. - CVE-2012-0663 : Alexander Gavrun working with HP's Zero Day Initiative
  • Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution - Description: A heap overflow existed in QuickTime's handling of text tracks. This issue does not affect OS X systems. - CVE-2012-0664 : Alexander Gavrun working with HP's Zero Day Initiative
  • Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution - Description: A heap buffer overflow existed in the handling of H.264 encoded movie files. - CVE-2012-0665 : Luigi Auriemma working with HP's Zero Day Initiative
  • Impact: Opening a maliciously crafted MP4 encoded file may lead to an unexpected application termination or arbitrary code execution - Description: An uninitialized memory access issue existed in the handling of MP4 encoded files. For OS X Lion systems, this issue is addressed in OS X Lion v10.7.3. For Mac OS X v10.6 systems, this issue is addressed in Security Update 2012-001. - CVE-2011-3458 : Luigi Auriemma and pa_kt both working with HP's Zero Day Initiative
  • Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution - Description: An off by one buffer overflow existed in the handling of rdrf atoms in QuickTime movie files. For OS X Lion systems, this issue is addressed in OS X Lion v10.7.3. For Mac OS X v10.6 systems, this issue is addressed in Security Update 2012-001. - CVE-2011-3459 : Luigi Auriemma working with HP's Zero Day Initiative
  • Impact: Viewing a maliciously crafted movie file during progressive download may lead to an unexpected application termination or arbitrary code execution - Description: A buffer overflow existed in the handling of audio sample tables. For OS X Lion systems, this issue is addressed in OS X Lion v10.7.4. For Mac OS X v10.6 systems, this issue is addressed in Security Update 2012-002. - CVE-2012-0658 : Luigi Auriemma working with HP's Zero Day Initiative
  • Impact: Viewing a maliciously crafted MPEG file may lead to an unexpected application termination or arbitrary code execution - Description: An integer overflow existed in the handling of MPEG files. For OS X Lion systems, this issue is addressed in OS X Lion v10.7.4. For Mac OS X v10.6 systems, this issue is addressed in Security Update 2012-002. - CVE-2012-0659 : An anonymous researcher working with HP's Zero Day Initiative
  • Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution - Description: A stack buffer overflow existed in the QuickTime plugin's handling of QTMovie objects. This issue does not affect OS X systems. - CVE-2012-0666 : CHkr_D591 working with HP's Zero Day Initiative
  • Impact: Processing a maliciously crafted PNG image may lead to an unexpected application termination or arbitrary code execution - Description: A buffer overflow existed in the handling of PNG files. For OS X Lion systems, this issue is addressed in OS X Lion v10.7.3. For Mac OS X v10.6 systems, this issue is addressed in Security Update 2012-001. - CVE-2011-3460 : Luigi Auriemma working with HP's Zero Day Initiative
  • Impact: Viewing a maliciously crafted QTVR movie file may lead to an unexpected application termination or arbitrary code execution - Description: A signedness issue existed in the handling of QTVR movie files. This issue does not affect OS X systems. - CVE-2012-0667 : Alin Rad Pop working with HP's Zero Day Initiative
  • Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution - Description: A use after free issue existed in the handling of JPEG2000 encoded movie files. This issue does not affect systems prior to OS X Lion. For OS X Lion systems, this issue is addressed in OS X Lion v10.7.4. - CVE-2012-0661 : Damian Put working with HP's Zero Day Initiative
  • Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution - Description: A buffer overflow existed in the handling of RLE encoded movie files. - CVE-2012-0668 : Luigi Auriemma working with HP's Zero Day Initiative
  • Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution - Description: A buffer overflow existed in QuickTime's handling of Sorenson encoded movie files. This issue does not affect OS X systems. - CVE-2012-0669 : Damian Put working with HP's Zero Day Initiative
  • Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution - Description: An integer overflow existed in QuickTime's handling of sean atoms. - CVE-2012-0670 : Tom Gallagher (Microsoft) and Paul Bates (Microsoft) working with HP's Zero Day Initiative
  • Impact: Viewing a maliciously crafted .pict file may lead to an unexpected application termination or arbitrary code execution - Description: A memory corruption issue existed in the handling of .pict files. - CVE-2012-0671 : Rodrigo Rubira Branco (twitter.com/bsdaemon) from the Qualys Vulnerability & Malware Research Labs (VMRL)
  • Impact: Opening a file in a maliciously crafted path may lead to an unexpected application termination or arbitrary code execution - Description: A stack buffer overflow existed in QuickTime's handling of file paths. This issue does not affect OS X systems. - CVE-2012-0265 : Tielei Wang of Georgia Tech Information Security Center via Secunia SVCRP
  • Impact: Viewing a maliciously crafted MPEG file may lead to an unexpected application termination or arbitrary code execution - Description: An integer underflow existed in QuickTime's handling of audio streams in MPEG files. - CVE-2012-0660: Justin Kim at Microsoft and Microsoft Vulnerability Research (MSVR)

As you can see, a whopping 14 of the 17 vulnerabilities were discovered by researchers working with HP's Zero Day Initiative. All of them are caused by the way that Quicktime handles certain files that could be exploited if a user opens a maliciously one directly, or tries viewing one on a website.

See also:

Editorial standards