[Macpartners] Fwd: APPLE-SA-2007-11-05 QuickTime 7.3
Patrick McNeal
mcneal at MIT.EDU
Mon Nov 5 16:38:19 EST 2007
Looks like there's been a number of updates to QuickTime. Users on
10.3.9, 10.4.9 or later, or 10.5 can get the new version via Software
Update.
Begin forwarded message:
> From: Apple Product Security <product-security-noreply at lists.apple.com>
> Date: November 5, 2007 3:46:05 PM EST
> To: security-announce at lists.apple.com
> Subject: APPLE-SA-2007-11-05 QuickTime 7.3
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> APPLE-SA-2007-11-05 QuickTime 7.3
>
> QuickTime 7.3 is now available and addresses the following issues:
>
> QuickTime
> CVE-ID: CVE-2007-2395
> Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later,
> Mac OS X v10.5, Windows Vista, XP SP2
> Impact: Viewing a maliciously crafted movie file may lead to an
> unexpected application termination or arbitrary code execution
> Description: A memory corruption issue exists in QuickTime's
> handling of image description atoms. By enticing a user to open a
> maliciously crafted movie file, an attacker may cause an unexpected
> application termination or arbitrary code execution. This update
> addresses the issue by performing additional validation of QuickTime
> image descriptions. Credit to Dylan Ashe of Adobe Systems
> Incorporated for reporting this issue.
>
> QuickTime
> CVE-ID: CVE-2007-3750
> Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later,
> Mac OS X v10.5, Windows Vista, XP SP2
> Impact: Viewing a maliciously crafted movie file may lead to an
> unexpected application termination or arbitrary code execution
> Description: A heap buffer overflow exists in QuickTime Player's
> handling of Sample Table Sample Descriptor (STSD) atoms. By enticing
> a user to open a maliciously crafted movie file, an attacker may
> cause an unexpected application termination or arbitrary code
> execution. This update addresses the issue by performing additional
> validation of STSD atoms. Credit to Tobias Klein of www.trapkit.de
> for reporting this issue.
>
> QuickTime
> CVE-ID: CVE-2007-3751
> Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later,
> Mac OS X v10.5, Windows Vista, XP SP2
> Impact: Untrusted Java applets may obtain elevated privileges
> Description: Multiple vulnerabilities exist in QuickTime for Java,
> which may allow untrusted Java applets to obtain elevated privileges.
> By enticing a user to visit a web page containing a maliciously
> crafted Java applet, an attacker may cause the disclosure of
> sensitive information and arbitrary code execution with elevated
> privileges. This update addresses the issues by making QuickTime for
> Java no longer accessible to untrusted Java applets. Credit to Adam
> Gowdiak for reporting this issue.
>
> QuickTime
> CVE-ID: CVE-2007-4672
> Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later,
> Mac OS X v10.5, Windows Vista, XP SP2
> Impact: Opening a maliciously crafted PICT image may lead to an
> unexpected application termination or arbitrary code execution
> Description: A stack buffer overflow exists in PICT image
> processing. By enticing a user to open a maliciously crafted image,
> an attacker may cause an unexpected application termination or
> arbitrary code execution. This update addresses the issue by
> performing additional validation of PICT files. Credit to Ruben
> Santamarta of reversemode.com working with TippingPoint and the Zero
> Day Initiative for reporting this issue.
>
> QuickTime
> CVE-ID: CVE-2007-4676
> Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later,
> Mac OS X v10.5, Windows Vista, XP SP2
> Impact: Opening a maliciously crafted PICT image may lead to an
> unexpected application termination or arbitrary code execution
> Description: A heap buffer overflow exists in PICT image processing.
> By enticing a user to open a maliciously crafted image, an attacker
> may cause an unexpected application termination or arbitrary code
> execution. This update addresses the issue by performing additional
> validation of PICT files. Credit to Ruben Santamarta of
> reversemode.com working with TippingPoint and the Zero Day Initiative
> for reporting this issue.
>
> QuickTime
> CVE-ID: CVE-2007-4675
> Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later,
> Mac OS X v10.5, Windows Vista, XP SP2
> Impact: Viewing a maliciously crafted QTVR movie file may lead to an
> unexpected application termination or arbitrary code execution
> Description: A heap buffer overflow exists in QuickTime's handling
> of panorama sample atoms in QTVR (QuickTime Virtual Reality) movie
> files. By enticing a user to view a maliciously crafted QTVR file, an
> attacker may cause an unexpected application termination or arbitrary
> code execution. This update addresses the issue by performing bounds
> checking on panorama sample atoms. Credit to Mario Ballano from
> 48bits.com working with the VeriSign iDefense VCP for reporting this
> issue.
>
> QuickTime
> CVE-ID: CVE-2007-4677
> Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later,
> Mac OS X v10.5, Windows Vista, XP SP2
> Impact: Viewing a maliciously crafted movie file may lead to an
> unexpected application termination or arbitrary code execution
> Description: A heap buffer overflow exists in the parsing of the
> color table atom when opening a movie file. By enticing a user to
> open a maliciously crafted movie file, an attacker may cause an
> unexpected application termination or arbitrary code execution. This
> update addresses the issue by performing additional validation of
> color table atoms. Credit to Ruben Santamarta of reversemode.com and
> Mario Ballano of 48bits.com working with TippingPoint and the Zero
> Day Initiative for reporting this issue.
>
> QuickTime 7.3 may be obtained from the Software Update
> application, or from the Apple Downloads site:
> http://www.apple.com/support/downloads/
>
> For Mac OS X v10.5
> The download file is named: "QuickTime730_Leopard.dmg"
> Its SHA-1 digest is: 581a470ce7b98b3c7e515fd8d610502a94214933
>
> For Mac OS X v10.4.9 or later
> The download file is named: "QuickTime730_Tiger.dmg"
> Its SHA-1 digest is: 191e9789a9207921424185db1dc37792c7ec78e
>
> For Mac OS X v10.3.9
> The download file is named: "QuickTime730_Panther.dmg"
> Its SHA-1 digest is: 969324ae94afe82173f155d7db31dbce8c02dd0
>
> QuickTime 7.3 for Windows Vista, XP SP2
> The download file is named: "QuickTimeInstaller.exe"
> Its SHA-1 digest is: 14788da58ad4e1cc219d4a92b833ca49b9d99e59
>
> QuickTime 7.3 with iTunes for Windows Vista, XP SP2
> The download file is named: "iTunes75Setup.exe"
> Its SHA-1 digest is: b38005b53e608dcd2b4fe18b44cc419fefbc9411
>
> Information will also be posted to the Apple Product Security
> web site: http://docs.info.apple.com/article.html?artnum=61798
>
> This message is signed with Apple's Product Security PGP key,
> and details are available at:
> http://www.apple.com/support/security/pgp/
>
>
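As an added illustration (not Apple's code and not part of the forwarded advisory) of the kind of "additional validation" and "bounds checking" the advisory says QuickTime 7.3 performs on STSD and other atoms: a walker that rejects any atom, or any sample description entry inside an stsd atom, whose declared size does not fit its container. The atom layout is the public QuickTime one; the container type list, the nesting cap and the two sample byte strings are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added illustration, not Apple's code: a bounds-checked walk over QuickTime
 * atoms (4-byte big-endian size incl. header, then 4-char type). Returns 1
 * only if every atom fits its container. Size 0 means "to end of container";
 * size 1 (64-bit extended size) is rejected here for brevity. */
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
/* stsd payload: 1 version + 3 flags bytes, 4-byte entry count, then entries
 * that each begin with their own 4-byte size; every entry must fit inside. */
static int stsd_well_formed(const uint8_t *p, size_t n) {
    size_t off = 8;
    if (n < 8) return 0;
    for (uint32_t i = 0, count = rd32(p + 4); i < count; i++) {
        if (n - off < 8 || rd32(p + off) < 8 || rd32(p + off) > n - off) return 0;
        off += rd32(p + off);
    }
    return 1;
}
int atoms_well_formed(const uint8_t *buf, size_t len, int depth) {
    size_t off = 0;
    if (depth > 16) return 0;                       /* cap hostile nesting (assumed limit) */
    while (off < len) {
        size_t rem = len - off, size;
        if (rem < 8) return 0;                      /* truncated header */
        size = rd32(buf + off);
        if (size == 0) size = rem;
        if (size < 8 || size > rem) return 0;       /* the bounds check on the atom size */
        const uint8_t *type = buf + off + 4, *body = buf + off + 8;
        int container = !memcmp(type, "moov", 4) || !memcmp(type, "trak", 4) ||
                        !memcmp(type, "mdia", 4) || !memcmp(type, "minf", 4) ||
                        !memcmp(type, "stbl", 4);   /* subset of container atoms */
        if (container && !atoms_well_formed(body, size - 8, depth + 1)) return 0;
        if (!memcmp(type, "stsd", 4) && !stsd_well_formed(body, size - 8)) return 0;
        off += size;
    }
    return 1;
}
/* Constructed sample: stbl { stsd { one 16-byte sample description } } = 40 bytes. */
const uint8_t GOOD_ATOMS[40] = {
    0,0,0,40,'s','t','b','l', 0,0,0,32,'s','t','s','d', 0,0,0,0, 0,0,0,1,
    0,0,0,16,'m','p','4','v', 0,0,0,0,0,0, 0,1 };
/* Constructed sample: same bytes, but the sample description entry claims a 4 GiB size. */
const uint8_t BAD_ATOMS[40] = {
    0,0,0,40,'s','t','b','l', 0,0,0,32,'s','t','s','d', 0,0,0,0, 0,0,0,1,
    0xff,0xff,0xff,0xff,'m','p','4','v', 0,0,0,0,0,0, 0,1 };
```

A parser that trusts the entry's declared size instead of checking it against the enclosing stsd payload would copy or index past the buffer, which is the failure mode the advisory's "heap buffer overflow" entries describe.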