T-684: Apple QuickTime Buffer Overflows Let Remote Users Execute Arbitrary Code

August 4, 2011 - 3:33pm

PROBLEM:

Multiple vulnerabilities were reported in QuickTime. A remote user can cause arbitrary code to be executed on the target user's system.

PLATFORM:

Apple QuickTime prior to 7.7

ABSTRACT:

Apple QuickTime Buffer Overflows Let Remote Users Execute Arbitrary Code.

REFERENCE LINKS:

Apple security updates
SecurityTracker Alert ID: 1025884
Mac OS X: Updating your software
Support Downloads
QuickTime 7.7

IMPACT ASSESSMENT:

High

Discussion:

A specially crafted PICT file can trigger a buffer overflow [CVE-2011-0245]. Mac OS X version 10.7 is not affected.
A specially crafted GIF image can trigger a heap overflow [CVE-2011-0246]. Mac OS X systems are not affected.
A specially crafted H.264 movie file can trigger a stack overflow [CVE-2011-0247]. Mac OS X systems are not affected.
Specially crafted QTL files can trigger a stack overflow in the QuickTime ActiveX control [CVE-2011-0248]. Mac OS X systems are not affected.
A QuickTime movie with specially crafted STSC atoms can trigger a heap overflow [CVE-2011-0249]. Mac OS X version 10.7 systems are not affected.
A QuickTime movie with specially crafted STSS atoms can trigger a heap overflow [CVE-2011-0250]. Mac OS X version 10.7 systems are not affected.
A QuickTime movie with specially crafted STSZ atoms can trigger a heap overflow [CVE-2011-0251]. Mac OS X version 10.7 systems are not affected.
A QuickTime movie with specially crafted STTS atoms can trigger a heap overflow [CVE-2011-0252]. Mac OS X version 10.7 systems are not affected.
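The advisory does not describe the root cause of the STSC, STSS, STSZ and STTS heap overflows. The four atoms are sample tables whose header carries an entry count, and a standard defensive check for this family is to confirm that the declared count fits inside the atom's own size before anything is allocated or copied from it. The following is an added Python example, not Apple's code and not part of the advisory; it assumes the documented QuickTime/MP4 atom layout (32-bit size, 4-byte type, version/flags/entry_count for full atoms) and that the defect class is an unchecked entry count, which is an assumption, not a fact from the page. The two sample movies are constructed inline.

```python
import struct

# Container atoms whose payload is a sequence of child atoms.
CONTAINERS = {b"moov", b"trak", b"mdia", b"minf", b"stbl"}

# Bytes per table entry for the fixed-width sample tables (per the MP4/QuickTime spec).
ENTRY_SIZE = {b"stts": 8, b"stsc": 12, b"stss": 4}


def iter_atoms(data, start=0, end=None):
    """Yield (type, payload_begin, payload_end) for each atom in data[start:end].

    Raises ValueError if an atom claims more bytes than its parent actually holds.
    """
    end = len(data) if end is None else end
    pos = start
    while pos + 8 <= end:
        size, kind = struct.unpack_from(">I4s", data, pos)
        header = 8
        if size == 1:  # 64-bit extended size follows the type field
            if pos + 16 > end:
                raise ValueError(f"truncated 64-bit size at offset {pos}")
            (size,) = struct.unpack_from(">Q", data, pos + 8)
            header = 16
        elif size == 0:  # atom extends to the end of the enclosing region
            size = end - pos
        if size < header or pos + size > end:
            raise ValueError(f"atom {kind!r} at {pos} claims {size} bytes, only {end - pos} available")
        yield kind, pos + header, pos + size
        pos += size
    if pos != end:
        raise ValueError(f"{end - pos} trailing bytes after last atom")


def check_sample_table(kind, data, begin, end):
    """Raise ValueError if a sample table's declared entries do not fit in its payload."""
    avail = end - begin
    if avail < 8:
        raise ValueError(f"{kind.decode()} payload too short for version/flags/count")
    if kind == b"stsz":
        if avail < 12:
            raise ValueError("stsz payload too short for sample_size/sample_count")
        sample_size, sample_count = struct.unpack_from(">II", data, begin + 4)
        # A per-sample table is only present when sample_size is 0.
        needed = 12 + (sample_count * 4 if sample_size == 0 else 0)
    else:
        (entry_count,) = struct.unpack_from(">I", data, begin + 4)
        needed = 8 + entry_count * ENTRY_SIZE[kind]
    if needed > avail:
        raise ValueError(f"{kind.decode()} declares {needed} bytes of entries but payload is {avail} bytes")


def find_bad_tables(data):
    """Return error messages for every malformed sample table (or atom) in a MOV/MP4 blob."""
    errors = []

    def walk(begin, end):
        for kind, pbegin, pend in iter_atoms(data, begin, end):
            if kind in CONTAINERS:
                walk(pbegin, pend)
            elif kind in ENTRY_SIZE or kind == b"stsz":
                try:
                    check_sample_table(kind, data, pbegin, pend)
                except ValueError as e:
                    errors.append(str(e))

    try:
        walk(0, len(data))
    except ValueError as e:
        errors.append(str(e))
    return errors


# --- constructed sample input (not real QuickTime files) ---
def atom(kind, payload):
    return struct.pack(">I4s", 8 + len(payload), kind) + payload


def full_atom_table(kind, entries):
    """Version-0 full atom whose entry_count honestly matches the entries supplied."""
    return atom(kind, b"\x00\x00\x00\x00" + struct.pack(">I", len(entries)) + b"".join(entries))


GOOD_STBL = atom(b"stbl",
                 full_atom_table(b"stts", [struct.pack(">II", 1, 1000)])
                 + full_atom_table(b"stss", [struct.pack(">I", 1)])
                 + atom(b"stsz", b"\x00\x00\x00\x00" + struct.pack(">II", 512, 1)))
GOOD_MOVIE = atom(b"moov", atom(b"trak", atom(b"mdia", atom(b"minf", GOOD_STBL))))

# Same layout, but the stts entry_count claims far more entries than the atom carries.
BAD_STTS = atom(b"stts", b"\x00\x00\x00\x00" + struct.pack(">I", 0x7FFFFFFF) + struct.pack(">II", 1, 1000))
BAD_MOVIE = atom(b"moov", atom(b"trak", atom(b"mdia", atom(b"minf", atom(b"stbl", BAD_STTS)))))

if __name__ == "__main__":
    print("good movie:", find_bad_tables(GOOD_MOVIE))
    print("bad movie: ", find_bad_tables(BAD_MOVIE))
```

The check computes the required size with Python's unbounded integers, so an entry count chosen to wrap a 32-bit multiplication is still caught; a parser written in C should perform the same comparison with overflow-safe arithmetic (divide the available bytes by the entry width rather than multiplying the count).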

Impact:

A remote user can create a file that, when loaded by the target user, will execute arbitrary code on the target user's system.

Solution:

For Mac OS X v10.5.8
The download file is named: "QuickTime77Leopard.dmg"
Its SHA-1 digest is: 0deb99cc44015af7c396750d2c9dd4cbd59fb355

For Windows 7 / Vista / XP SP3
The download file is named: "QuickTimeInstaller.exe"
Its SHA-1 digest is: a99f61d67be6a6b42e11d17b0b4f25cd88b74dc9

QuickTime is incorporated into Mac OS X v10.6 and later. QuickTime 7.7 is not presented to systems running Mac OS X v10.6 or later.
The vendor has issued a fix (7.7), available from the Software Update application, or from the QuickTime Downloads site at:
QuickTime Download
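Since the solution publishes SHA-1 digests for both installers, the practical step is to compare the downloaded file against them before running it. The following Python example is added here and is not Apple's or the advisory's own code; the two digests and file names are the ones quoted above, and everything else (function names, the constant-time comparison) is the example's own choice.

```python
import hashlib
import hmac
import os

# SHA-1 digests published in the advisory for the QuickTime 7.7 installers.
PUBLISHED_SHA1 = {
    "QuickTime77Leopard.dmg": "0deb99cc44015af7c396750d2c9dd4cbd59fb355",
    "QuickTimeInstaller.exe": "a99f61d67be6a6b42e11d17b0b4f25cd88b74dc9",
}


def sha1_hex(data):
    """Hex SHA-1 of an in-memory byte string."""
    return hashlib.sha1(data).hexdigest()


def sha1_hex_of_file(path, chunk_size=1 << 20):
    """Hex SHA-1 of a file, read in chunks so large installers need not fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def digest_matches(actual_hex, expected_hex):
    """Compare two hex digests case-insensitively without leaking timing on the mismatch position."""
    return hmac.compare_digest(actual_hex.lower(), expected_hex.strip().lower())


def verify_bytes(data, expected_hex):
    return digest_matches(sha1_hex(data), expected_hex)


def verify_download(path, expected_hex=None):
    """True if the file matches the expected SHA-1.

    When expected_hex is omitted the digest is looked up by the file's basename in
    PUBLISHED_SHA1; an unknown name raises KeyError rather than silently passing.
    """
    if expected_hex is None:
        name = os.path.basename(path)
        if name not in PUBLISHED_SHA1:
            raise KeyError(f"no published digest for {name!r}")
        expected_hex = PUBLISHED_SHA1[name]
    return digest_matches(sha1_hex_of_file(path), expected_hex)


if __name__ == "__main__":
    import sys
    # Usage: python verify_quicktime.py QuickTimeInstaller.exe
    for p in sys.argv[1:]:
        print(("OK   " if verify_download(p) else "FAIL ") + p)
```

The `KeyError` on an unknown filename is deliberate: a renamed download must be checked against an explicitly supplied digest rather than being treated as trusted.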