CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
June 10th, 2008

Critical Flaws Patched By Apple in QuickTime 7.5 Update

Apple has released QuickTime 7.5, which fixes a number of security bugs. The update is highly critical and patches at least five code execution vulnerabilities on Windows XP, Windows Vista and Mac OS X. It fixes multiple buffer overflows, memory corruption issues and URI handling flaws that could allow malicious hackers to launch exploits with QuickTime movie or image files.

Apple’s security improvements include fixes for:

CVE-2008-1581 (for Windows Vista and Windows XP SP2): An issue in QuickTime’s handling of PixData structures when processing a PICT image may result in a heap buffer overflow. Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution. This issue does not affect systems running Mac OS X.

CVE-2008-1582 (for Mac OS X v10.3.9, Mac OS X v10.4.9 – v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2): A memory corruption issue exists in QuickTime’s handling of AAC-encoded media content. Opening a maliciously crafted media file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of media files.

CVE-2008-1583 (for Mac OS X v10.3.9, Mac OS X v10.4.9 – v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2): A heap buffer overflow exists in QuickTime’s handling of PICT images. Opening a maliciously crafted PICT image file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.

CVE-2008-1584 (for Mac OS X v10.3.9, Mac OS X v10.4.9 – v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2): An issue in QuickTime’s handling of Indeo video codec content may result in a stack buffer overflow. Viewing a maliciously crafted movie file with Indeo video codec content may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by not rendering Indeo video codec content.

CVE-2008-1585 (for Mac OS X v10.3.9, Mac OS X v10.4.9 – v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2): A URL handling issue exists in QuickTime’s handling of file: URLs. This may allow arbitrary applications and files to be launched when a user plays maliciously crafted QuickTime content in QuickTime Player. This update addresses the issue by revealing files in Finder or Windows Explorer rather than launching them.
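
The behaviour change described for CVE-2008-1585, revealing a file instead of launching it, can be sketched as a URL dispatch policy. This is an added example, not Apple's code; the function names, the rejection of remote hosts and relative paths, and the use of `open -R` and `explorer.exe /select,` are assumptions of the sketch.

```python
import re
from urllib.parse import urlsplit, unquote

WEB_SCHEMES = {"http", "https"}

def decide_action(url):
    """Map a URL found in media content to (action, target); never 'launch'."""
    cleaned = url.strip()
    parts = urlsplit(cleaned)  # urlsplit lowercases the scheme
    if parts.scheme in WEB_SCHEMES and parts.netloc:
        return ("open_in_browser", cleaned)
    if parts.scheme == "file":
        # Assumption of this sketch: only local, absolute paths are revealed.
        if parts.netloc.lower() not in ("", "localhost"):
            return ("reject", None)
        path = unquote(parts.path)
        if not path.startswith("/") or "\x00" in path:
            return ("reject", None)
        if re.match(r"^/[A-Za-z]:/", path):  # file:///C:/... -> C:/...
            path = path[1:]
        return ("reveal", path)
    return ("reject", None)  # unknown schemes are not handed to the OS

def reveal_argv(path, platform):
    """Build (not run) the command that selects the file in the file manager."""
    if platform == "darwin":
        return ["open", "-R", path]  # Finder: reveal the item, do not open it
    if platform == "win32":
        return ["explorer.exe", "/select," + path.replace("/", "\\")]
    raise ValueError("unsupported platform: " + platform)

# Constructed sample URLs, not taken from any real media file.
SAMPLES = [
    "file:///Applications/Calculator.app",
    "FILE:///C:/Windows/System32/calc.exe",
    "file://fileserver/share/tool.exe",
    "https://example.com/movie.mov",
    "javascript:alert(1)",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", decide_action(sample))
```
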


One Response to “Critical Flaws Patched By Apple in QuickTime 7.5 Update”

1. I have read about QuickTime Alternative and Real Player Alternative – imho smaller size and faster work unlike QuickTime. What is your opinion?

