Wednesday, December 8, 2010

QuickTime v7.6.9 Update
For 10.5.8 & Windows

~~
On December 7, 2010 Apple released QuickTime version 7.6.9 for Mac OS X 10.5.8 and Windows XP, Vista and 7ista. No update is required for Mac OS X 10.6.8 users. It contains 15 security patches, some for both Windows and Mac OS X, a couple are Windows only. As usual, most of these vulnerabilities are due to memory overflow programming errors. You can read about the security patchs at:

About the security content of QuickTime 7.6.9

I'm a bit concerned at the moment that Apple have this update listed as being for only Windows. This is INCORRECT. Hopefully Apple will correct their error today. Most likely they will add a separate listing for the Mac OS X 10.5.8 version.

According to Apple:

QuickTime is incorporated into Mac OS X v10.6 and later.
QuickTime 7.6.9 is not presented to systems running
Mac OS X v10.6 or later.
I double-checked and verified that all of these CVE issues have already been patched in 10.6.8. Therefore, be certain that your installation of Snow Leopard is up-to-date.

If you've read my previous posts you know that Apple's QuickTime is the very least secure of Apple's software. A great deal of the problem has to do with JavaScript/ECMAScript Hell, as I call it. As usual, I consider JavaScript to be the bane of the Internet and wish it would be entirely scrapped and replaced with a secure scripting language. Read back in my posts if you're interested in my rants about why JavaScript is a catastrophe.

Below is a quick summary of the security holes patched in QuickTime v7. Click on the CVE numbers for further details.

Common Vulnerabilities and Exposures IDs Patched:

CVE-2010-3787 - Heap-based buffer overflow in QuickTime in Apple Mac OS X 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted JP2 image.

CVE-2010-3788 - QuickTime in Apple Mac OS X 10.6.x before 10.6.5 accesses uninitialized memory locations during processing of JP2 image data, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted JP2 file.

CVE-2010-3789 - QuickTime in Apple Mac OS X 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted AVI file.

CVE-2010-3790 - QuickTime in Apple Mac OS X 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted movie file.

CVE-2010-3791 - Buffer overflow in QuickTime in Apple Mac OS X 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted MPEG movie file.

CVE-2010-3792 - Integer signedness error in QuickTime in Apple Mac OS X 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted MPEG movie file.

CVE-2010-3793 - QuickTime in Apple Mac OS X 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted Sorenson movie file.

CVE-2010-3794 - QuickTime in Apple Mac OS X 10.6.x before 10.6.5 accesses uninitialized memory locations during processing of FlashPix image data, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted FlashPix file.

CVE-2010-3795 - QuickTime in Apple Mac OS X 10.6.x before 10.6.5 accesses uninitialized memory locations during processing of GIF image data, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted GIF file.

CVE-2010-3800 - Viewing a maliciously crafted PICT file may lead to an unexpected application termination or arbitrary code execution.

CVE-2010-3801 - Viewing a maliciously crafted FlashPix image may lead to an unexpected application termination or arbitrary code execution.

CVE-2010-3802 - Viewing a maliciously crafted QTVR movie file may lead to an unexpected application termination or arbitrary code execution.

CVE-2010-1508 - Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. Windows only.

CVE-2010-0530 - A local user may have access to sensitive information. Windows only.

CVE-2010-4009 - Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution.

Note: Not all of the CVE numbers have been listed at the National Vulnerability Database. Therefore, I instead provided links to their references at the Common Vulnerabilities and Exposures site. Check back at the CVE site as these CVEs progress beyond 'candidate' status.

Share and Enjoy!

:-D
~~