Rated Level:
Impact: System Access, Remotely Exploitable
Description: Some vulnerabilities have been reported in Apple QuickTime, which can be exploited by malicious people to compromise a user's system.
1) An error in the processing of QDM2 encoded audio content can be exploited to cause a buffer overflow.
2) An error within QuickTimeAudioSupport.qtx when processing QDMC encoded audio content can be exploited to trigger a memory corruption.
3) An error within quicktime.qts when processing H.263 encoded movie files can be exploited to cause a heap-based buffer overflow.
4) An error in the processing of H.261 encoded movie files can be exploited to cause a heap-based buffer overflow.
5) An error when handling PICT images can be exploited to cause a heap-based buffer overflow.
6) An error in the processing of H.264 encoded movie files can be exploited to trigger a memory corruption.
7) An error in the parsing of samples in RLE encoded movie files can be exploited to cause a heap-based buffer overflow.
8) An error in the processing of M-JPEG encoded movie files can be exploited to cause a heap-based buffer overflow as one value is used for calculating the size of a heap buffer while another value is used when copying data to it.
9) An error in the processing of Sorenson encoded movie files can be exploited to trigger a memory corruption.
10) An integer overflow error in the parsing of the "NumberOfTiles" field in the SubImage Header Stream of FlashPix encoded movie files can be exploited to cause a buffer overflow.
11) An error within QuickTimeAuthoring.qtx when parsing "DELTA_FLI" chunks in FLC encoded movie files can be exploited to cause a heap-based buffer overflow during decompression.
12) An error in the processing of the "genl" atom in MPEG encoded movie files can be exploited to cause a heap-based buffer overflow when decompressing data.
13) An integer overflow error in the processing of PICT images can be exploited to cause a memory corruption.
14) An error when handling color tables included in MediaVideo movie files can be exploited to corrupt memory.
15) An integer overflow error in QuickTime.qts when processing PICT images can be exploited to cause a heap-based buffer overflow via a specially crafted BkPixPat (0x12) opcode.
16) An error in the processing of BMP images can be exploited to trigger a memory corruption.
Successful exploitation of the vulnerabilities may allow execution of arbitrary code.
The vulnerabilities are reported in versions prior to 7.6.6.
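Two bug classes recur in the list above: a buffer sized from one value but filled using another (item 8), and an integer overflow in a size calculation (items 10, 13, 15). The following C sketch is an added illustration of the corresponding parser-side checks; it is not Apple's code, and the `sample_hdr` structure, function names, sample values and the 16 MiB limit are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record (not a real QuickTime structure): two length fields
 * that a crafted file can set independently of each other. */
typedef struct {
    uint32_t declared_len;   /* value a decoder might size the buffer from */
    uint32_t payload_len;    /* value a decoder might copy with */
    const uint8_t *payload;
} sample_hdr;

/* Item 8, hardened: one validated length drives both malloc and memcpy. */
uint8_t *copy_sample(const sample_hdr *h, size_t avail, size_t *out_len) {
    if (h->payload_len != h->declared_len) return NULL;  /* fields disagree */
    if (h->payload_len == 0 || h->payload_len > avail) return NULL; /* truncated */
    size_t n = h->payload_len;
    uint8_t *buf = malloc(n);
    if (buf == NULL) return NULL;
    memcpy(buf, h->payload, n);
    *out_len = n;
    return buf;
}

/* What an unchecked 32-bit size computation yields: the product is truncated. */
uint32_t wrapped_size(uint32_t count, uint32_t elem_size) {
    return (uint32_t)((uint64_t)count * elem_size);
}

#define MAX_TABLE_BYTES (16u * 1024u * 1024u)  /* assumed policy limit */

/* Items 10, 13, 15, hardened: widen before multiplying, then bound. */
void *alloc_table(uint32_t count, uint32_t elem_size, size_t *out_bytes) {
    uint64_t bytes = (uint64_t)count * elem_size;
    if (bytes == 0 || bytes > MAX_TABLE_BYTES) return NULL;
    void *p = calloc(1, (size_t)bytes);
    if (p != NULL) *out_bytes = (size_t)bytes;
    return p;
}

int main(void) {
    size_t n = 0;
    /* Constructed values: 0x10000001 entries of 16 bytes wrap to 16. */
    printf("wrapped: %u\n", (unsigned)wrapped_size(0x10000001u, 16u));
    printf("checked: %s\n", alloc_table(0x10000001u, 16u, &n) ? "allocated" : "rejected");
    return 0;
}
```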
Note: 1, 2, 7, 10, 12, 14) An anonymous person via ZDI.
3, 8) Damian Put and an anonymous person, reported via ZDI.
4, 9) The vendor credits Will Dormann of the CERT/CC.
5, 13) Nicolas Joly of Vupen.
11) Nicolas Joly of Vupen, an anonymous person, and Moritz Jodeit of n.runs AG, reported via ZDI.
15) Damian Put, reported via ZDI.
16) The vendor credits SkyLined of Google.
Solution:
Update to version 7.6.6.