Apple Fixes Highly Critical QuickTime Security Vulnerabilities

In its third security update of 2008, Apple patched 11 security vulnerabilities in the latest QuickTime 7.4.5. release. Some of the flaws were critical enough to allow a hacker to gain remote access of someone’s computer.

QuickTime 7.4.5 update is available for Mac OS X 10.3, 10.4 , and 10.5,  as well as Windows XP and Vista.

Most of the highly critical vulnerabilities can be exploited to cause buffer overflows when unsuspecting end-users are tricked into viewing a maliciously crafted video file. Eight reported flaws can be exploited through maliciously crafted PITC, Animation or VR content, and/or movie files. Other addressed flaws include privilege escalation by untrusted Java applets, memory corruption caused by malformed movie files, and  mishandling of external URLs in movie files.

“For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available,” said Apple in its update summary. Here is a short description of the security content pertaining to the QuickTime 7.4.5 (All of the 11 vulnerabilities affect unpatched Windows Vista machines, while 9 impact systems running Mac OS X.):

1. CVE-2008-1013 - Untrusted Java applets may obtain elevated privileges. This update addresses the issue by disabling the ability of untrusted Java applets to deserialize QTJava objects.

2. CVE-2008-1014 - Downloading a movie file may lead to information disclosure. This update addresses the issue through improved handling of external URLs embedded in movie files.

3. CVE-2008-1015 - Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of data reference atoms.

4. CVE-2008-1016 - Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses A memory corruption issue that may lead to an unexpected application termination or arbitrary code execution.

5. CVE-2008-1017 - Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue in QuickTime’s parsing of ‘crgn’ atoms which may result in a heap buffer overflow and lead to an unexpected application termination or arbitrary code execution.

6. CVE-2008-1018 - Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue in QuickTime’s parsing of ‘chan’ atoms which may result in a heap buffer overflow and lead to an unexpected application termination or arbitrary code execution.

7. CVE-2008-1019 - Opening a maliciously crafted PICT image file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.

8. CVE-2008-1020 - Opening a maliciously crafted PICT image file may lead to an unexpected application termination or arbitrary code execution.  This update addresses the issue through improved bounds checking. This issue does not affect Mac OS X systems.

9. CVE-2008-1021 - Viewing a maliciously crafted movie file with Animation codec content may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.

10. CVE-2008-1022 - Viewing a maliciously crafted QuickTime VR movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue in QuickTime’s parsing of ‘obji’ atoms which result in a stack buffer overflow and lead to an unexpected application termination or arbitrary code execution.

11. CVE-2008-1023 - Opening a maliciously crafted PICT image file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue in QuickTime’s parsing of the Clip opcode which may result in a heap buffer overflow and lead to an unexpected application termination or arbitrary code execution.  This issue does not affect Mac OS X systems.

Download the QuickTime update at the Apple Downloads web site or via Apple’s Software Update utility.