Quicktime 7.3 patches serious security bugs

Published: 2007-11-06
Last Updated: 2007-11-06 19:20:59 UTC
by Maarten Van Horenbeeck (Version: 1)
5 comment(s)

Apple has released Quicktime 7.3, which contains fixes for a number of serious vulnerabilities:

  • A memory corruption bug which can be triggered by a maliciously crafted movie. It could potentially result in arbitrary code execution (CVE-2007-2395).
  • A heap overflow in the use of Sample Table Sample Descriptor atoms, which can be triggered through maliciously crafted movie files. It could potentially result in arbitrary code execution (CVE-2007-3750).
  • Vulnerabilities in Quicktime for Java which could allow untrusted applets to obtain elevated privileges (CVE-2007-3751).
  • Two bugs in PICT file processing, potentially resulting in arbitrary code execution (CVE-2007-4672).
  • A bug in QTVR movie file parsing which could result in arbitrary code execution (CVE-2007-4675).
  • A bug in the parsing of color table atoms which could result in arbitrary code execution (CVE-2007-4677).

The impact of each bug varies by platform, but Mac OS X, Windows Vista and Windows XP SP2 are all affected. More information is available from Apple.
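Four of the six fixes above are parsing bugs in atom-based movie data (sample descriptor atoms, color table atoms, QTVR data), where a crafted size field can drive a copy past the end of a heap buffer. As an added illustration of the class of defect, and not Apple's code or a reconstruction of any of the patched bugs, the following C walker reads QuickTime atom headers from an untrusted buffer and rejects any atom whose declared size is smaller than its own header or larger than the data actually present. The header layout (4-byte big-endian size, 4-byte type, size 1 meaning a 64-bit extended size follows, size 0 meaning "to end of data") is the documented QuickTime file format; the function names and the three sample byte strings are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example (hypothetical names): bounds-checked QuickTime atom header
 * walker. It shows the checks whose absence lets a crafted size field in a
 * movie file turn into a heap overflow; it is not Apple's parser. */

#define ATOM_HDR_LEN     8u   /* 32-bit size + 4-char type */
#define ATOM_EXT_HDR_LEN 16u  /* ... plus 64-bit extended size */

typedef struct {
    uint64_t size;     /* total atom size, header included */
    uint32_t hdr_len;  /* 8 or 16 */
    char     type[5];  /* four-character code, NUL terminated */
} atom_header;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static uint64_t be64(const uint8_t *p) {
    return ((uint64_t)be32(p) << 32) | be32(p + 4);
}

/* Parse one atom header at buf[off]. Returns 0 on success and -1 when the
 * header is truncated or the declared size cannot be trusted. */
int parse_atom_header(const uint8_t *buf, size_t len, size_t off, atom_header *out) {
    if (off > len || len - off < ATOM_HDR_LEN) return -1;   /* truncated header */
    uint64_t size = be32(buf + off);
    uint32_t hdr  = ATOM_HDR_LEN;
    memcpy(out->type, buf + off + 4, 4);
    out->type[4] = '\0';
    if (size == 1) {                                          /* 64-bit extended size */
        if (len - off < ATOM_EXT_HDR_LEN) return -1;
        size = be64(buf + off + 8);
        hdr  = ATOM_EXT_HDR_LEN;
    } else if (size == 0) {                                   /* atom runs to end of data */
        size = len - off;
    }
    /* The two checks that matter: the size must cover its own header, and it
     * must not extend past the bytes we hold. A parser that computes the
     * payload length as `size - hdr` without them reads or copies out of
     * bounds on a crafted file. */
    if (size < hdr) return -1;                                /* would underflow payload length */
    if (size > (uint64_t)(len - off)) return -1;              /* would run past the buffer */
    out->size    = size;
    out->hdr_len = hdr;
    return 0;
}

/* Walk the top-level atoms of a buffer. Returns the number accepted, or -1
 * at the first malformed header. Progress is guaranteed because an accepted
 * size is at least the header length. */
int count_atoms(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int n = 0;
    while (off < len) {
        atom_header h;
        if (parse_atom_header(buf, len, off, &h) != 0) return -1;
        off += (size_t)h.size;
        n++;
    }
    return n;
}

/* Constructed sample 1: a 16-byte 'ftyp' atom followed by an 8-byte 'free' atom. */
static const uint8_t good_file[] = {
    0x00,0x00,0x00,0x10, 'f','t','y','p', 'q','t',' ',' ', 0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x08, 'f','r','e','e'
};
/* Constructed sample 2: second atom claims 0x7FFFFFFF bytes but only 8 exist. */
static const uint8_t oversized[] = {
    0x00,0x00,0x00,0x10, 'f','t','y','p', 'q','t',' ',' ', 0x00,0x00,0x00,0x00,
    0x7F,0xFF,0xFF,0xFF, 's','t','s','d'
};
/* Constructed sample 3: declared size 4 is smaller than the 8-byte header. */
static const uint8_t undersized[] = { 0x00,0x00,0x00,0x04, 'm','o','o','v' };

int main(void) {
    printf("good_file : %d\n", count_atoms(good_file,  sizeof good_file));   /* 2  */
    printf("oversized : %d\n", count_atoms(oversized,  sizeof oversized));   /* -1 */
    printf("undersized: %d\n", count_atoms(undersized, sizeof undersized));  /* -1 */
    return 0;
}
```

The walker deliberately does the arithmetic in `uint64_t` and compares against `len - off` rather than trusting the 32-bit field; the same pattern applies one level down when a parser descends into `stsd` or color table payloads, since each nested atom carries its own attacker-controlled size.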


Comments

I tried to update an existing version 7.2, but the updater said that I had the latest version (7.2). I had to manually download the 7.3 installer and run it to get to version 7.3.

Quicktime "update existing software" offered me a security fix for version 7.2, but not version 7.3. I haven't rebooted yet; maybe it will start identifying as 7.3.

Looks like it's up now. The same thing happened with the RealPlayer Security Update: it was available via their website hours before the internal update checker saw it. Standard procedure?

This is the second Quicktime security update since Apple dropped support for Windows 2000. (The last Win2k-compatible Quicktime was 7.1.3, released May 1st 2007 and patched with a security update May 29th 2007.) It's impossible to tell from the details given, but it seems increasingly likely that at least one of these remote-execute bugs would probably exist in the patched 7.1.3. Time to stop using Quicktime on Windows 2000.

Typo: that should be 7.1.6, not 7.1.3, as the last version of Quicktime available for Win2k.