Alert

Apple QuickTime Vulnerabilities

Alert Code
TA06-011A

Systems Affected

Apple QuickTime on systems running

  • Apple Mac OS X
  • Microsoft Windows XP
  • Microsoft Windows 2000

Overview

Apple has released QuickTime 7.0.4 to correct multiple vulnerabilities. Exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code or cause a denial-of-service condition.

Description

Apple QuickTime 7.0.4 resolves vulnerabilities in how image and media files are handled. All five are memory-safety flaws in QuickTime's parsing of image and media file formats, reached when a vulnerable QuickTime processes a specially crafted file. Details are available in the following Vulnerability Notes:

VU#629845 - Apple QuickTime image handling buffer overflow

Apple QuickTime contains a heap overflow vulnerability that may allow an attacker to execute arbitrary code or cause a denial-of-service condition.

(CVE-2005-2340)

VU#921193 - Apple QuickTime fails to properly handle corrupt media files

Apple QuickTime contains a heap overflow vulnerability in the handling of media files. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service on a vulnerable system.

(CVE-2005-4092)

VU#115729 - Apple QuickTime fails to properly handle corrupt TGA images

A flaw in the way Apple QuickTime handles Targa (TGA) image format files could allow a remote attacker to execute arbitrary code on a vulnerable system.

(CVE-2005-3707)

VU#150753 - Apple QuickTime fails to properly handle corrupt TIFF images

Apple QuickTime contains an integer overflow vulnerability in the handling of TIFF images. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service on a vulnerable system.

(CVE-2005-3710)

VU#913449 - Apple QuickTime fails to properly handle corrupt GIF images

A flaw in the way Apple QuickTime handles Graphics Interchange Format (GIF) files could allow a remote attacker to execute arbitrary code on a vulnerable system.

(CVE-2005-3713)
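The integer overflow in TIFF handling (VU#150753) and the heap overflows in image handling (VU#629845, VU#115729) belong to one well-known bug class in image decoders: a buffer size is computed from attacker-controlled header fields, the multiplication wraps, and the decoder then writes the full image into a buffer that is far too small. The following is an added illustration of that pattern and is not Apple's code or a reproduction of the QuickTime bugs. It parses a constructed Targa (TGA) header, computes the pixel buffer size the vulnerable way (32-bit arithmetic, as a 2006-era 32-bit decoder would) and the hardened way (64-bit arithmetic, depth validation, and a policy cap). The MAX_IMAGE_BYTES limit and the sample headers are assumptions for the demonstration.

```c
/* Added example (not Apple's or US-CERT's code): integer overflow in an
 * image-size computation turning into an undersized heap allocation.
 * The 32-bit arithmetic and MAX_IMAGE_BYTES are assumptions for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TGA_HEADER_LEN 18
/* Policy cap on a decoded image in bytes (assumed value, not from the advisory). */
#define MAX_IMAGE_BYTES (256u * 1024u * 1024u)

struct tga_dims {
    uint16_t width;
    uint16_t height;
    uint8_t  bpp;     /* bits per pixel, from header byte 16 */
};

static uint16_t rd16le(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Parse the fixed 18-byte TGA header (width/height little-endian at
 * offsets 12 and 14, pixel depth at 16). Returns 0 on success, -1 if short. */
int parse_tga_header(const uint8_t *hdr, size_t len, struct tga_dims *out) {
    if (hdr == NULL || out == NULL || len < TGA_HEADER_LEN)
        return -1;
    out->width  = rd16le(hdr + 12);
    out->height = rd16le(hdr + 14);
    out->bpp    = hdr[16];
    return 0;
}

/* Vulnerable pattern: width * height * bytes-per-pixel computed in 32 bits.
 * The product silently wraps, so malloc() receives a tiny (even zero) size
 * while the decode loop still writes width*height pixels into the buffer. */
uint32_t unchecked_image_size(const struct tga_dims *d) {
    uint32_t bytes_pp = d->bpp / 8u;
    return (uint32_t)d->width * (uint32_t)d->height * bytes_pp;
}

/* Hardened pattern: validate the depth, multiply in 64 bits, and reject
 * anything above the policy cap before any allocation happens. */
int checked_image_size(const struct tga_dims *d, size_t *out) {
    if (d->bpp != 8 && d->bpp != 16 && d->bpp != 24 && d->bpp != 32)
        return -1;
    if (d->width == 0 || d->height == 0)
        return -1;
    uint64_t bytes = (uint64_t)d->width * (uint64_t)d->height * (d->bpp / 8u);
    if (bytes > MAX_IMAGE_BYTES)
        return -1;
    *out = (size_t)bytes;
    return 0;
}

/* Parse a header and decide whether a decoder on the checked path would
 * accept it. Returns 1 = accept (bytes_needed set), 0 = reject. */
int tga_header_is_safe(const uint8_t *hdr, size_t len, size_t *bytes_needed) {
    struct tga_dims d;
    if (parse_tga_header(hdr, len, &d) != 0)
        return 0;
    return checked_image_size(&d, bytes_needed) == 0;
}

/* Constructed sample headers for the demo (not files from the wild). */
static const uint8_t BENIGN_TGA[TGA_HEADER_LEN] = {
    0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0x80, 0x02,   /* width  = 640 */
    0xE0, 0x01,   /* height = 480 */
    24, 0         /* 640*480*3 = 921600 bytes */
};
static const uint8_t HOSTILE_TGA[TGA_HEADER_LEN] = {
    0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0x00, 0x80,   /* width  = 32768 */
    0x00, 0x80,   /* height = 32768 */
    32, 0         /* 32768*32768*4 = 2^32, wraps to 0 in uint32_t */
};

int main(void) {
    struct tga_dims d;
    size_t need = 0;

    parse_tga_header(HOSTILE_TGA, sizeof HOSTILE_TGA, &d);
    printf("hostile header: unchecked size = %u bytes (wrapped), checked path: %s\n",
           unchecked_image_size(&d),
           checked_image_size(&d, &need) == 0 ? "accepted" : "rejected");

    parse_tga_header(BENIGN_TGA, sizeof BENIGN_TGA, &d);
    if (checked_image_size(&d, &need) == 0)
        printf("benign header: %zu bytes needed, allocation is safe\n", need);
    return 0;
}
```

The hostile header is the interesting case: the unchecked computation yields 0, so a decoder would allocate nothing and then copy four gigabytes of pixel data into the heap, which is the denial-of-service or code-execution outcome the Vulnerability Notes describe. Note that the hardened path rejects the same header on the policy cap before the depth of the wrap even matters; a decoder that relies on wrap detection alone still has to defend against legitimately huge allocations.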

Impact

The impacts of these vulnerabilities vary. For more information, please see the Vulnerability Notes. Potential consequences include remote execution of arbitrary code or commands, and denial of service.

Solution

Upgrade

Upgrade to QuickTime 7.0.4.

Feedback can be directed to the US-CERT Technical Staff

Revision History

  • January 11, 2006: Initial release
  • January 12, 2006: Added link to standalone QuickTime Player
  • January 12, 2006: Changed CAN entries to CVE entries
  • May 12, 2006: Corrected production statement
