Apple QuickTime Vulnerabilities
Systems Affected
Apple QuickTime on systems running
- Apple Mac OS X
- Microsoft Windows XP
- Microsoft Windows 2000
Overview
Apple has released QuickTime 7.0.4 to correct multiple vulnerabilities. Exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code or cause a denial-of-service condition.
Description
Apple QuickTime 7.0.4 resolves vulnerabilities in how image and media files are handled. Details are available in the following Vulnerability Notes:
VU#629845 - Apple QuickTime image handling buffer overflow
Apple QuickTime contains a heap overflow vulnerability that may allow an attacker to execute arbitrary code or cause a denial-of-service condition.
(CVE-2005-2340)
VU#921193 - Apple QuickTime fails to properly handle corrupt media files
Apple QuickTime contains a heap overflow vulnerability in the handling of media files. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service on a vulnerable system.
(CVE-2005-4092)
VU#115729 - Apple QuickTime fails to properly handle corrupt TGA images
A flaw in the way Apple QuickTime handles Targa (TGA) image format files could allow a remote attacker to execute arbitrary code on a vulnerable system.
(CVE-2005-3707)
VU#150753 - Apple QuickTime fails to properly handle corrupt TIFF images
Apple QuickTime contains an integer overflow vulnerability in the handling of TIFF images. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service on a vulnerable system.
(CVE-2005-3710)
VU#913449 - Apple QuickTime fails to properly handle corrupt GIF images
A flaw in the way Apple QuickTime handles Graphics Interchange Format (GIF) files could allow a remote attacker to execute arbitrary code on a vulnerable system.
(CVE-2005-3713)
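The TIFF note above describes an integer overflow in image handling, and the other notes describe heap overflows in the same family of decoders. As an added illustration of that defect class and its fix (not code from the advisory, from Apple, or from QuickTime, and not a reproduction of any of the bugs listed), the C below computes a pixel-buffer size from a constructed image header the unchecked way, where width * height * bytes-per-pixel can wrap in 32 bits and leave the decoder with a buffer far smaller than it later writes, and then the checked way a hardened decoder would use: arithmetic in 64 bits, rejection of zero terms, a policy cap on pixel count, and a final fit check before allocation. The header layout, function names and the MAX_PIXELS limit are assumptions chosen for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Policy cap on accepted image size (assumed value for this example). */
#define MAX_PIXELS (1u << 26)   /* 64 Mpixel */

/* Unchecked pattern: all three terms are 32-bit (or promoted to int), so
 * the product silently wraps modulo 2^32. A decoder that allocates this
 * many bytes and then writes width*height*bpp pixels overflows the heap. */
uint32_t unchecked_pixel_bytes(uint32_t width, uint32_t height, uint16_t bpp)
{
    return width * height * bpp;
}

/* Checked pattern: compute in 64 bits, reject degenerate headers, enforce
 * a size policy, and confirm the result fits size_t on this platform.
 * Returns 0 and stores the byte count on success, -1 on rejection. */
int checked_pixel_bytes(uint32_t width, uint32_t height, uint16_t bpp,
                        size_t *out)
{
    if (width == 0 || height == 0 || bpp == 0)
        return -1;

    uint64_t pixels = (uint64_t)width * height;   /* cannot wrap: < 2^64 */
    if (pixels > MAX_PIXELS)
        return -1;

    uint64_t bytes = pixels * bpp;                /* < 2^26 * 2^16 = 2^42 */
    if (bytes > (uint64_t)SIZE_MAX)               /* matters on 32-bit */
        return -1;

    *out = (size_t)bytes;
    return 0;
}

/* Convenience wrapper: the checked size, or 0 when the header is rejected. */
size_t safe_pixel_bytes_or_zero(uint32_t width, uint32_t height, uint16_t bpp)
{
    size_t n;
    return checked_pixel_bytes(width, height, bpp, &n) == 0 ? n : 0;
}

/* Allocate a pixel buffer only for a header that passes the checks; a NULL
 * return tells the caller to treat the file as corrupt instead of decoding. */
uint8_t *alloc_pixels(uint32_t width, uint32_t height, uint16_t bpp)
{
    size_t n = safe_pixel_bytes_or_zero(width, height, bpp);
    return n ? calloc(1, n) : NULL;
}

int main(void)
{
    /* Constructed headers: one ordinary image, one whose dimensions wrap. */
    uint32_t sane_w = 640, sane_h = 480;
    uint32_t big_w = 0x10000, big_h = 0x10000;   /* 2^32 pixels */

    printf("sane: unchecked=%u checked=%zu\n",
           unchecked_pixel_bytes(sane_w, sane_h, 3),
           safe_pixel_bytes_or_zero(sane_w, sane_h, 3));
    printf("wrap: unchecked=%u checked=%zu (0 means rejected)\n",
           unchecked_pixel_bytes(big_w, big_h, 1),
           safe_pixel_bytes_or_zero(big_w, big_h, 1));

    uint8_t *buf = alloc_pixels(big_w, big_h, 1);
    printf("alloc for wrapping header: %s\n", buf ? "allocated" : "rejected");
    free(buf);
    return 0;
}
```

The unchecked product for the 65536 x 65536 x 1 header is exactly 2^32 and wraps to 0, which is the shape of bug the checked version closes: the same header is rejected before any allocation, so no undersized buffer ever reaches the decode loop.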
Impact
The impacts of these vulnerabilities vary. For more information, please see the Vulnerability Notes. Potential consequences include remote execution of arbitrary code or commands, and denial of service.
Solution
Upgrade
Appendix A. References
- US-CERT Vulnerability Note VU#629845 - http://www.kb.cert.org/vuls/id/629845
- US-CERT Vulnerability Note VU#921193 - http://www.kb.cert.org/vuls/id/921193
- US-CERT Vulnerability Note VU#115729 - http://www.kb.cert.org/vuls/id/115729
- US-CERT Vulnerability Note VU#150753 - http://www.kb.cert.org/vuls/id/150753
- US-CERT Vulnerability Note VU#913449 - http://www.kb.cert.org/vuls/id/913449
- CVE-2005-2340 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2340
- CVE-2005-4092 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4092
- CVE-2005-3707 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3707
- CVE-2005-3710 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3710
- CVE-2005-3713 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3713
- Security Content for QuickTime 7.0.4 - http://docs.info.apple.com/article.html?artnum=303101
- QuickTime 7.0.4 - http://www.apple.com/support/downloads/quicktime704.html
- Standalone Apple QuickTime Player - http://www.apple.com/quicktime/download/standalone.html
- About the Mac OS X 10.4.4 Update (Delta) - http://docs.info.apple.com/article.html?artnum=302810
Feedback can be directed to the US-CERT Technical Staff
Revision History
January 11, 2006: Initial release
January 12, 2006: Added link to standalone QuickTime Player
January 12, 2006: Changed CAN entries to CVE entries
May 12, 2006: Corrected production statement