You are here

V-164: Apple QuickTime Multiple Flaws Let Remote Users Execute Arbitrary Code

May 27, 2013 - 12:23am

Addthis

PROBLEM:

Apple QuickTime Multiple Flaws Let Remote Users Execute Arbitrary Code

PLATFORM:

Apple QuickTime prior to 7.7.4.

ABSTRACT:

Apple QuickTime Multiple Vulnerabilities

REFERENCE LINKS:

Apple Article: HT5770
SecurityTracker Alert ID:  1028589
Secunia Advisory  SA53520
CVE-2013-0986, CVE-2013-0987, CVE-2013-0988
CVE-2013-0989, CVE-2013-1015, CVE-2013-1016
CVE-2013-1017, CVE-2013-1018, CVE-2013-1019
CVE-2013-1020, CVE-2013-1021, CVE-2013-1022 

IMPACT ASSESSMENT:

High

DISCUSSION:

Multiple vulnerabilities have been reported in Apple QuickTime, which can be exploited by malicious people to compromise a user's system.

1) An unspecified error when handling TeXML files can be exploited to cause memory corruption.

2) A boundary error when handling H.263 encoded movie files can be exploited to cause a buffer overflow.

3) A boundary error when handling 'dref' atoms can be exploited to cause a buffer overflow.

4) A boundary error when handling H.264 encoded movie files can be exploited to cause a buffer overflow.

5) A boundary error when handling MP3 files can be exploited to cause a buffer overflow.

6) A boundary error when handling Sorenson encoded movie files can be exploited to cause a buffer overflow.

7) An error when handling JPEG encoded data can be exploited to cause memory corruption.

8) An error when handling QTIF files can be exploited to cause memory corruption.

9) A boundary error when handling JPEG encoded data can be exploited to cause a buffer overflow.

10) A boundary error when handling 'enof' atoms can be exploited to cause a buffer overflow.

11) A boundary error when handling FPX files can be exploited to cause a buffer overflow.

12) A boundary error when handling 'mvhd' atoms can be exploited to cause a buffer overflow.

The vulnerabilities are reported in versions prior to 7.7.4.

IMPACT:

A remote user can create a file that, when loaded by the target user, will execute arbitrary code on the target user's system.

SOLUTION:

The vendor has issued a fix (7.7.4).

Addthis