Related information

Apple QuickTime multiple security vulnerabilities

ZDI-09-006: Apple QuickTime AVI Header nBlockAlign Heap Corruption Vulnerability

ZDI-09-008: Apple QuickTime STSD JPEG Atom Heap Corruption Vulnerability

ZDI-09-005: Apple QuickTime VR Track Header Atom Heap Corruption Vulnerability

ZDI-09-007: Apple QuickTime Cinepak Codec MDAT Heap Corruption Vulnerability

From:	CERT <cert_(at)_cert.gov>
Date:	23.01.2009
Subject:	US-CERT Technical Cyber Security Alert TA09-022A -- Apple QuickTime Updates for Multiple Vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                   National Cyber Alert System

             Technical Cyber Security Alert TA09-022A


Apple QuickTime Updates for Multiple Vulnerabilities

  Original release date: January 22, 2009
  Last revised: --
  Source: US-CERT


Systems Affected

    * Apple QuickTime 7.5 for Windows and Mac OS X


Overview

  Apple has released QuickTime 7.6 to correct multiple
  vulnerabilities affecting QuickTime for Mac OS X and Windows.
  Attackers may be able to exploit these vulnerabilities to execute
  arbitrary code or cause a denial of service.


I. Description

  Apple QuickTime 7.6 addresses a number of vulnerabilities affecting
  QuickTime. An attacker could exploit these vulnerabilities by
  convincing a user to access a specially crafted media or movie
  file. This file could be hosted on a web page or sent via email.


II. Impact

  The impacts of these vulnerabilities vary. Potential consequences
  include arbitrary code execution and denial of service.


III. Solution

  Upgrade to QuickTime 7.6. This and other updates are available via
  Software Update or via Apple Downloads.


IV. References

* About the security content of QuickTime 7.6 -
  <http://support.apple.com/kb/HT3403>

* Apple Support Downloads - <http://support.apple.com/downloads/>

* Mac OS X - updating your software -
  <http://support.apple.com/kb/HT1338?viewlocale=en_US>

* Securing Your Web Browser -
  <https://www.us-cert.gov/reading_room/securing_browser/>

____________________________________________________________________

  The most recent version of this document can be found at:

    <http://www.us-cert.gov/cas/techalerts/TA09-022A.html>
____________________________________________________________________

  Feedback can be directed to US-CERT Technical Staff. Please send
  email to <cert@cert.org> with "TA09-022A Feedback VU#703068" in
  the subject.
____________________________________________________________________

  For instructions on subscribing to or unsubscribing from this
  mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

  Produced 2009 by US-CERT, a government organization.

  Terms of use:

    <http://www.us-cert.gov/legal.html>
____________________________________________________________________

Revision History
 
 January 22, 2009: Initial release


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBSXj25HIHljM+H4irAQKNIgf+LSBKBzHWdjxmJgYw3vYmAXtwpUxAVThs
Ma4vIB1vSjv8Us83S2XrKIGcKrdPgQgeS7Vji9WRMmlzEv/AYlFJseqq17ufGely
5YosATUh+C0SjY6OAYeJNYMws7fgGcGJagtfQp0gJTRLruknEoB/iqlASBQ7MtNg
7viHKIR8r2BxCNB1A4ir1kzPELIHFF/pmmuaD+E2PnxH1XtYLM9b9t6xbkjie2PG
vEwv7JCGH/RrJtst480ZMIHOghsZ0ONoMkTjZB7o5S0ww3guktGOMB+/QiZI8eFB
KbU6nB6JGscZ8Fb1E4K3yOU9MvpzEfurIvYmyMcAdxFCiq5CSUjOug==
=B5D3
-----END PGP SIGNATURE-----