-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Multiple Vulnerabilities in Apple QuickTime
http://www.cert-in.org.in/advisory/ciad-2009-42.htm
Original Issue Date: September 14, 2009
Severity Rating:High
Software Affected
Apple QuickTime versions prior to 7.6.4
System Affected
Mac OS X v10.4.11
Mac OS X v10.5.8
Windows 7
Windows Vista and XP SP3
Overview
Multiple vulnerabilities have been reported in Apple QuickTime, which could
allow a remote attacker to execute arbitrary code, causes denial of service
condition and potentially compromise a vulnerable system.
Description
1. Memory Corruption Vulnerability (CVE-2009-2202)
A Memory corruption vulnerability has been reported due to an error in the
parsing of H.264 movie files in Apple QuickTime. A remote attacker could
exploit this vulnerability via a specially crafted H.264 media file to
trigger a memory corruption error.
2. Buffer Overflow Vulnerability (CVE-2009-2203)
A Buffer overflow vulnerability has been reported due to an error in the
parsing of MPEG-4 video files in Apple QuickTime. A remote attacker could
exploit this vulnerability via a specially crafted MPEG-4 video file to
trigger a buffer overflow error.
3. FlashPix Sector Size Overflow Vulnerability (CVE-2009-2798)
A Heap Buffer overflow vulnerability has been reported due to an integer
overflow error when processing the "SectorShift" and "cSectFat" fields of a
FlashPix file header in Apple QuickTime. A remote attacker could exploit
this vulnerability via a specially crafted FlashPix(".fpx") file to trigger
a Heap based buffer overflow error.
4. H.264 codec Heap Overflow Vulnerability (CVE-2009-2799)
A Heap Buffer overflow vulnerability has been reported due to a boundary
checking error when processing samples from a H.264 encoded MOV file in
Apple QuickTime. A remote attacker could exploit this vulnerability via a
specially crafted H.264 MOV file to trigger a Heap based buffer overflow
error.
Successful exploitation of these vulnerabilities could allow a remote
attacker to execute an arbitrary code with the privileges of the logged in
user or causes denial of service condition.
Solution
Upgrade to Apple QuickTime version 7.6.4
http://www.apple.com/support/downloads/
Vendor Information
Apple
http://support.apple.com/kb/HT3859
http://www.apple.com/quicktime/
References
Secunia
http://secunia.com/advisories/36627/
SecurityFocus
http://www.securityfocus.com/bid/36328
SecurityTracker
http://www.securitytracker.com/alerts/2009/Sep/1022865.html
VUPEN
http://www.vupen.com/english/advisories/2009/2584
CVE-Name
CVE-2009-2202
CVE-2009-2203
CVE-2009-2798
CVE-2009-2799
CWE Name
CWE-119
Disclaimer
The information provided herein is on "as is" basis, without warranty of
any kind.
Contact Information
Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
Note: Please do not reply to this e-mail. For further queries contact
CERT-In Information Desk. Email: info@cert-in.org.in
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wsBVAwUBSq404XWXeYNsoT30AQpfmggAnJ2uMlhNvFTgGeygzsV4LQWgrJgpA9Eu
Wvtu4BdbDZp2Pz7Y3O1mMVi2RJ1WX8a8CVVkw9YgZN2sqNe+YHb4MOJeVsYdfaip
4I27EZ77jRoneQh3u6yFgLTQ79quzatcrhSSHcPlgh6nQ9CTwE4uRXe/bp9vOl8O
3V+VILsAVy0rIWDGi3n43jjuW2JyhseE/rwcXXF6P2Xum2dmcOYRMBhXgTb3fNu+
RPQPjYl3XDrv6HCaIrC66BWtbLgFaA9Ip4evRXrat9BNgbbZG2qw8ZhfYn/wDZWF
e9lsLWkWNo/9ZN76nvnOfSIrBan7pFJ5Cl1xDPn/xz9/WK2I6POYKA==
=oalZ
-----END PGP SIGNATURE-----
For More Security Related Stuff visit http://wiki.secureit.in.A Wiki Website dedicated to Information Security.
No comments:
Post a Comment