CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
September 9th, 2008

Apple Patches Serious Security Flaws In QuickTime 7.5.5

Apple released a major update to its iTunes and QuickTime software products, fixing at least 11 documented security vulnerabilities that could lead to Mac and PC takeover attacks.

QuickTime 7.5.5, which should be considered an extremely critical update, according to Apple, address nine different vulnerabilities that could cause some serious damage if a Windows or Mac OS X user is tricked into viewing a specially crafted movie file. The iTunes 8 update addresses two separate bugs that could put users at risk of information disclosure.

QuickTime 7.5.5 details on vulnerabilities and patches:

CVE-2008-3615: An uninitialized memory access issue exists in the third-party Indeo v5 codec for QuickTime, which does not ship with QuickTime. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. Affects Windows Vista, XP SP2 and SP3.

CVE-2008-3635: A stack buffer overflow exists in the third-party Indeo v3.2 codec for QuickTime. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. Affects Windows Vista, XP SP2 and SP3.

CVE-2008-3624: A heap buffer overflow exists in QuickTime’s handling of panorama atoms in QTVR (QuickTime Virtual Reality) movie files. Viewing a maliciously crafted QTVR file may lead to an unexpected application termination or arbitrary code execution. Affects Mac OS X v10.4.9 – v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3.

CVE-2008-3625: A stack buffer overflow exists in QuickTime’s handling of panorama atoms in QTVR (QuickTime Virtual Reality) movie files. Viewing a maliciously crafted QTVR file may lead to an unexpected application termination or arbitrary code execution. Available for Mac OS X v10.4.9 – v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3.

CVE-2008-3614: An integer overflow exists in QuickTime’s handling of PICT images. Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution. Affects Windows Vista, XP SP2 and SP3.

CVE-2008-3626: A memory corruption issue exists in QuickTime’s handling of STSZ atoms in movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. Available for Mac OS X v10.4.9 – v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3.

CVE-2008-3627: Multiple memory corruption exist in QuickTime’s handling of H.264 encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. Available for Mac OS X v10.4.9 – v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3.

CVE-2008-3628: An invalid pointer issue exists in QuickTime’s handling of PICT images. Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution. Available for Windows Vista, XP SP2 and SP3.

CVE-2008-3629: An out-of-bounds read issue exists in QuickTime’s handling of PICT images. Opening a maliciously crafted PICT image may lead to an unexpected application termination. Affects Mac OS X v10.4.9 – v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3.

iTunes 8 details on vulnerabilities and patches:

CVE-2008-3634: When the firewall is configured to block iTunes Music Sharing and the user enables iTunes Music Sharing in iTunes, a warning dialog is displayed which incorrectly informs the user that unblocking iTunes Music Sharing doesn’t affect the firewall’s security. Allowing iTunes Music Sharing or any other service through the firewall inherently affects security by exposing the service to remote entities. This update addresses the issue by refining the text in the warning dialog. Available for Mac OS X v10.4.11, Mac OS X Server v10.4.11.

CVE-2008-3636: A third-party driver provided with iTunes may trigger an integer overflow, and could allow a local user to obtain system privileges. Available for: Windows XP or Vista.

Share this item with others:

More on CyberInsecure:
  • Apple QuickTime Multiple Remote Vulnerabilities
  • Critical Flaws Patched By Apple in QuickTime 7.5 Update
  • QuickTime Crashing Zero-day Attack Code Published, Malicious Code Execution Possible
  • Code Execution Flaws Patched In Apple QuickTime 7.6
  • Apple Patches Security Vulnerabilities In QuickTime 7.6.2

    • Posted in Apple, Software, Vista, Vulnerabilities | Print This Post Print This Post

    This entry was posted on Tuesday, September 9th, 2008 at 8:26 pm and is filed under Apple, Software, Vista, Vulnerabilities. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

    If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: Apple Patches Serious Security Flaws In QuickTime 7.5.5

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    *
    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.

    « «
    » »