US-CERT Technical Cyber Security Alert TA06-011A -- Apple QuickTime Vulnerabilities

12/01/06, US-CERT Technical Cyber Security Alert TA06-011A -- Apple QuickTime Vulnerabilities
From: CERT Advisory <cert-advisory@cert.org>



To: cert-advisory@cert.org
Subject: US-CERT Technical Cyber Security Alert TA06-011A -- Apple QuickTime Vulnerabilities
From: CERT Advisory <cert-advisory@cert.org>
Date: Wed, 11 Jan 2006 17:11:40 -0500
List-archive: <http://www.cert.org/>
List-help: <http://www.cert.org/>, <mailto:Majordomo@cert.org?body=help>
List-owner: <mailto:cert-advisory-owner@cert.org>
List-post: NO (posting not allowed on this list)
List-unsubscribe: <mailto:Majordomo@cert.org?body=unsubscribe%20cert-advisory>
Organization: CERT(R) Coordination Center - +1 412-268-7090

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

   
                        National Cyber Alert System

                 Technical Cyber Security Alert TA06-011A


Apple QuickTime Vulnerabilities

   Original release date: January 11, 2006
   Last revised: January 11, 2006
   Source: US-CERT

Systems Affected

   Apple QuickTime on systems running

     * Apple Mac OS X
     * Microsoft Windows XP
     * Microsoft Windows 2000


Overview

   Apple has released QuickTime 7.0.4 to correct multiple
   vulnerabilities. The impacts of these vulnerabilities include
   execution of arbitrary code and denial of service.


I. Description

   Apple QuickTime 7.0.4 resolves a number of image and media file
   handling vulnerabilities. Further details are available in the
   following Vulnerability Notes:

   VU#629845 - Apple QuickTime image handling buffer overflow

   Apple QuickTime contains a heap overflow vulnerability that may allow
   an attacker to execute arbitrary code or cause a denial-of-service
   condition.
   (CAN-2005-2340)

   VU#921193 - Apple QuickTime fails to properly handle corrupt media
   files

   Apple QuickTime contains a heap overflow vulnerability in the handling
   of media files. This vulnerability may allow a remote, unauthenticated
   attacker to execute arbitrary code or cause a denial of service on a
   vulnerable system.
   (CAN-2005-4092)

   VU#115729 - Apple QuickTime fails to properly handle corrupt TGA
   images

   A flaw in the way Apple QuickTime handles Targa (TGA) image format
   files could allow a remote attacker to execute arbitrary code on a
   vulnerable system.
   (CAN-2005-3707)

   VU#150753 - Apple QuickTime fails to properly handle corrupt TIFF
   images

   Apple QuickTime contains an integer overflow vulnerability in the
   handling of TIFF images. This vulnerability may allow a remote,
   unauthenticated attacker to execute arbitrary code or cause a denial
   of service on a vulnerable system.
   (CAN-2005-3710)
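The integer-overflow class named in VU#150753, and the heap overflows it leads to in VU#629845 and VU#921193, come down to one pattern: an image size computation wraps before it reaches the allocator, so the decoder later writes more rows than the buffer holds. The following added example, written for this page and not Apple's code (it does not reproduce the actual QuickTime defect), shows an unchecked TIFF-style size computation beside a checked one; the header fields and the 256 MiB policy cap are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Unchecked computation of the kind behind many image-parser heap overflows.
 * All arithmetic is 32-bit, so width*height*bytes_per_pixel can wrap to a
 * small value; malloc() then returns a short buffer while the row loop still
 * runs for the full, unwrapped height. Returns the (possibly wrapped) size. */
uint32_t unchecked_pixel_bytes(uint32_t width, uint32_t height,
                               uint16_t bits_per_sample, uint16_t samples_per_pixel)
{
    uint32_t bpp = ((uint32_t)bits_per_sample * samples_per_pixel + 7u) / 8u;
    return width * height * bpp;            /* may wrap modulo 2^32 */
}

/* Hardened computation: every multiplication is bounded by a division check
 * before it happens, and the result is capped by policy (assumed 256 MiB).
 * Returns 0 when the header must be rejected; a valid image is never 0 bytes. */
size_t checked_pixel_bytes(uint32_t width, uint32_t height,
                           uint16_t bits_per_sample, uint16_t samples_per_pixel)
{
    const size_t max_bytes = (size_t)256u * 1024u * 1024u;
    size_t bpp = ((size_t)bits_per_sample * samples_per_pixel + 7u) / 8u;

    if (bpp == 0 || width == 0 || height == 0)
        return 0;                           /* degenerate header */
    if (width > max_bytes / bpp)
        return 0;                           /* row size alone exceeds cap */
    size_t row_bytes = (size_t)width * bpp;
    if (height > max_bytes / row_bytes)
        return 0;                           /* row_bytes*height would exceed cap */
    return row_bytes * height;              /* cannot overflow: <= max_bytes */
}

int main(void)
{
    /* Constructed header: 65536 x 65536, 8 bits, 1 sample -> 4 GiB of pixels. */
    printf("unchecked: %u bytes (wrapped)\n",
           unchecked_pixel_bytes(65536u, 65536u, 8, 1));
    printf("checked:   %zu (0 = rejected)\n",
           checked_pixel_bytes(65536u, 65536u, 8, 1));
    printf("640x480 RGB: %zu bytes\n", checked_pixel_bytes(640u, 480u, 8, 3));
    return 0;
}
```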

   VU#913449 - Apple QuickTime fails to properly handle corrupt GIF
   images

   A flaw in the way Apple QuickTime handles Graphics Interchange Format
   (GIF) files could allow a remote attacker to execute arbitrary code on
   a vulnerable system.
   (CAN-2005-3713)


II. Impact

   The impacts of these vulnerabilities vary. For information about
   specific impacts, please see the Vulnerability Notes. Potential
   consequences include remote execution of arbitrary code or commands
   and denial of service.


III. Solution

Upgrade

   Upgrade to QuickTime 7.0.4.


Appendix A. References

     * US-CERT Vulnerability Note VU#629845 -
       <http://www.kb.cert.org/vuls/id/629845>

     * US-CERT Vulnerability Note VU#921193 -
       <http://www.kb.cert.org/vuls/id/921193>

     * US-CERT Vulnerability Note VU#115729 -
       <http://www.kb.cert.org/vuls/id/115729>

     * US-CERT Vulnerability Note VU#150753 -
       <http://www.kb.cert.org/vuls/id/150753>

     * US-CERT Vulnerability Note VU#913449 -
       <http://www.kb.cert.org/vuls/id/913449>

     * CVE-2005-2340 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2340>

     * CVE-2005-4092 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4092>

     * CVE-2005-3707 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3707>

     * CVE-2005-3710 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3710>

     * CVE-2005-3713 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3713>

     * Security Content for QuickTime 7.0.4 -
       <http://docs.info.apple.com/article.html?artnum=303101>

     * QuickTime 7.0.4 -
       <http://www.apple.com/support/downloads/quicktime704.html>

     * About the Mac OS X 10.4.4 Update (Delta) -
       <http://docs.info.apple.com/article.html?artnum=302810>


 ____________________________________________________________________

   The most recent version of this document can be found at:

     <http://www.us-cert.gov/cas/techalerts/TA06-011A.html>
 ____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to <cert@cert.org> with "TA06-011A Feedback VU#913449" in the
   subject.
 ____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
 ____________________________________________________________________

   Produced 2006 by US-CERT, a government organization.

   Terms of use:

     <http://www.us-cert.gov/legal.html>
 ____________________________________________________________________



Revision History

   January 11, 2006: Initial release


