
SANS ISC: Quicktime 7.3 patches serious security bugs - Internet Security | DShield SANS ISC InfoSec Forums


Apple has released QuickTime 7.3, which fixes a number of serious vulnerabilities:

  • A memory corruption bug triggered by a maliciously crafted movie file. It could result in arbitrary code execution (CVE-2007-2395).
  • A heap overflow in the handling of Sample Table Sample Descriptor (stsd) atoms, triggered by a maliciously crafted movie file. It could result in arbitrary code execution (CVE-2007-3750).
  • Vulnerabilities in QuickTime for Java that could allow an untrusted Java applet to obtain elevated privileges (CVE-2007-3751).
  • Two bugs in PICT file processing that could result in arbitrary code execution (CVE-2007-4672).
  • A bug in QTVR movie file parsing that could result in arbitrary code execution (CVE-2007-4675).
  • A bug in the parsing of color table atoms that could result in arbitrary code execution (CVE-2007-4677).

The impact of each bug varies by platform, but Mac OS X, Windows Vista and Windows XP SP2 are all affected. More information is available from Apple's advisory.

Maarten

158 Posts
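The diary gives only one-line summaries of these bugs, so what follows is an added illustration, not Apple's code and not a reconstruction of the patched flaws: a small Python walker for the QuickTime atom structure showing the length checks a parser of this format needs, including for the Sample Table Sample Description (stsd) atom named in the second bullet. The atom layouts used (32-bit size plus four-character type, the special size values 0 and 1, and the version/flags/count header of stsd) follow the public QuickTime file format specification; the sample files, the atom() builder and the names walk, parse_stsd and is_well_formed are constructed for this example.

```python
import struct

# Atoms whose body is itself a sequence of atoms (the path down to the sample table).
CONTAINER_ATOMS = {b"moov", b"trak", b"mdia", b"minf", b"stbl"}
HEADER_SIZE = 8  # 32-bit big-endian size + 4-character type


class MalformedAtom(ValueError):
    """Raised whenever a declared length does not fit inside its container."""


def iter_atoms(data, start=0, end=None):
    """Yield (offset, type, body_start, body_end) for each atom in data[start:end].

    Every declared size is checked against the enclosing range before it is
    trusted, so a hostile size field can never move the cursor past the parent.
    """
    end = len(data) if end is None else end
    pos = start
    while pos < end:
        if end - pos < HEADER_SIZE:
            raise MalformedAtom(f"truncated atom header at offset {pos}")
        size, atype = struct.unpack_from(">I4s", data, pos)
        header_len = HEADER_SIZE
        if size == 1:  # a 64-bit extended size follows the type field
            if end - pos < 16:
                raise MalformedAtom(f"truncated extended size at offset {pos}")
            (size,) = struct.unpack_from(">Q", data, pos + 8)
            header_len = 16
        elif size == 0:  # the atom runs to the end of its parent
            size = end - pos
        if size < header_len:
            raise MalformedAtom(f"atom {atype!r} at {pos}: size {size} smaller than its header")
        if size > end - pos:
            raise MalformedAtom(f"atom {atype!r} at {pos}: size {size} exceeds remaining {end - pos} bytes")
        yield pos, atype, pos + header_len, pos + size
        pos += size


def parse_stsd(data, body_start, body_end):
    """Return [(format, entry_size), ...] from a Sample Table Sample Description atom.

    Layout: 1 byte version, 3 bytes flags, 4-byte entry count, then entries that
    each begin with a 4-byte size and a 4-character data format.
    """
    if body_end - body_start < 8:
        raise MalformedAtom("stsd body too short for version/flags/count")
    (count,) = struct.unpack_from(">I", data, body_start + 4)
    pos = body_start + 8
    # Each entry needs at least its 8-byte header; a count that cannot fit is bogus,
    # and rejecting it here avoids sizing a table from an attacker-chosen number.
    if count > (body_end - pos) // HEADER_SIZE:
        raise MalformedAtom(f"stsd claims {count} entries in {body_end - pos} bytes")
    entries = []
    for _ in range(count):
        if body_end - pos < HEADER_SIZE:
            raise MalformedAtom("stsd entry header runs past the atom body")
        entry_size, fmt = struct.unpack_from(">I4s", data, pos)
        if entry_size < HEADER_SIZE or entry_size > body_end - pos:
            raise MalformedAtom(f"stsd entry {fmt!r}: size {entry_size} does not fit in the atom")
        entries.append((fmt, entry_size))
        pos += entry_size
    return entries


def walk(data, start=0, end=None, path=()):
    """Map 'moov/trak/.../stsd'-style paths to the atom size, or to the parsed entries for stsd."""
    tree = {}
    for off, atype, body_start, body_end in iter_atoms(data, start, end):
        node = path + (atype.decode("ascii", "replace"),)
        key = "/".join(node)
        if atype in CONTAINER_ATOMS:
            tree.update(walk(data, body_start, body_end, node))
        elif atype == b"stsd":
            tree[key] = parse_stsd(data, body_start, body_end)
        else:
            tree[key] = body_end - off
    return tree


def is_well_formed(data):
    """True if every size field in the file is consistent with its container."""
    try:
        walk(data)
        return True
    except MalformedAtom:
        return False


def atom(atype, body):
    """Constructed helper: wrap a body in a 32-bit-size atom header."""
    return struct.pack(">I4s", HEADER_SIZE + len(body), atype) + body


def build_sample(entry_size_field=None, entry_count=1):
    """Constructed minimal file: ftyp + moov/trak/mdia/minf/stbl/stsd with one mp4a entry.

    Pass a bogus entry_size_field or entry_count to produce a malformed variant.
    """
    entry_body = b"\x00" * 8  # constructed filler standing in for the entry's reserved bytes
    entry_size = HEADER_SIZE + len(entry_body) if entry_size_field is None else entry_size_field
    entry = struct.pack(">I4s", entry_size, b"mp4a") + entry_body
    stsd = atom(b"stsd", b"\x00\x00\x00\x00" + struct.pack(">I", entry_count) + entry)
    moov = atom(b"moov", atom(b"trak", atom(b"mdia", atom(b"minf", atom(b"stbl", stsd)))))
    return atom(b"ftyp", b"qt  " + b"\x00" * 4) + moov


# Constructed: size field 1 followed by a 64-bit size of 16 (an empty 'free' atom).
EXTENDED_FREE_ATOM = struct.pack(">I4sQ", 1, b"free", 16)

if __name__ == "__main__":
    good = build_sample()
    print(walk(good))
    for label, bad in (("oversized stsd entry", build_sample(entry_size_field=0x7FFFFFFF)),
                       ("impossible entry count", build_sample(entry_count=1000)),
                       ("truncated file", good[:-4])):
        try:
            walk(bad)
        except MalformedAtom as exc:
            print(f"{label}: rejected ({exc})")
```

The point of the example is the order of operations: every size field is compared against the bounds of the atom that contains it before any byte past the header is read, and the stsd entry count is bounded by the space actually present before it is used to size anything. A parser that allocates or copies based on the declared value first and checks afterwards is the shape of bug the advisory describes.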
I tried to update an existing version 7.2, but the updater said that I had the latest version (7.2). I had to manually download the 7.3 installer and run it to get to version 7.3.

Jerry (12 Posts)
Quicktime "update existing software" offered me a security fix for version 7.2, but not a version 7.3. I haven't rebooted yet; maybe it will start identifying as 7.3.

Dick Rawson (17 Posts)
Looks like it's up now. The same thing happened with the RealPlayer Security Update: it was available via their website hours before the internal update checker saw it. Standard procedure?

Anonymous
This is the second Quicktime security update since Apple dropped support for Windows 2000. (The last Win2k-compatible Quicktime was 7.1.3, released May 1st 2007 and patched with a security update May 29th 2007.) It's impossible to tell from the details given, but it seems increasingly likely that at least one of these remote-execute bugs would probably exist in the patched 7.1.3. Time to stop using Quicktime on Windows 2000.
Anonymous
typo, that should be 7.1.6, not 7.1.3, as the last version of Quicktime available for Win2k.
Anonymous