December 27, 2024

QuickTime 7.3.1 Security Update

Posted December 14, 2007 at 9:01am by iClarified · 3935 views
Apple has released a Quicktime update for Leopard, Tiger, Panther, and Windows. The update fixes a dangerous security flaw in the program.

QuickTime 7.3.1

QuickTime
● CVE-ID: CVE-2007-6166
● Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2
● Impact: Viewing a maliciously crafted RTSP movie may lead to an unexpected application termination or arbitrary code execution
● Description: A buffer overflow exists in QuickTime's handling of Real Time Streaming Protocol (RTSP) headers. By enticing a user to view a maliciously crafted RTSP movie, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by ensuring that the destination buffer is sized to contain the data.

QuickTime
● CVE-ID: CVE-2007-4706
● Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2
● Impact: Viewing a maliciously crafted QTL file may lead to an unexpected application termination or arbitrary code execution
● Description: A heap buffer overflow exists in QuickTime's handling of QTL files. By enticing a user to view a maliciously crafted QTL file, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.

QuickTime
● CVE-ID: CVE-2007-4707
● Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2
● Impact: Multiple vulnerabilities in QuickTime's Flash media handler
● Description: Multiple vulnerabilities exist in QuickTime's Flash media handler, the most serious of which may lead to arbitrary code execution. With this update, the Flash media handler in QuickTime is disabled except for a limited number of existing QuickTime movies that are known to be safe. Credit to Tom Ferris of Adobe Secure Software Engineering Team (ASSET), Mike Price of McAfee Avert Labs, and security researchers Lionel d'Hauenens & Brian Mariani of Syseclabs for reporting this issue.