-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2012-05-15-1 QuickTime 7.7.2

QuickTime 7.7.2 is now available and addresses the following:

QuickTime
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  Multiple stack overflows existed in QuickTime's
handling of TeXML files. These issues do not affect OS X systems.
CVE-ID
CVE-2012-0663 : Alexander Gavrun working with HP's Zero Day
Initiative

QuickTime
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A heap overflow existed in QuickTime's handling of text
tracks. This issue does not affect OS X systems.
CVE-ID
CVE-2012-0664 : Alexander Gavrun working with HP's Zero Day
Initiative

QuickTime
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A heap buffer overflow existed in the handling of H.264
encoded movie files.
CVE-ID
CVE-2012-0665 : Luigi Auriemma working with HP's Zero Day Initiative

QuickTime
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Opening a maliciously crafted MP4 encoded file may lead to
an unexpected application termination or arbitrary code execution
Description:  An uninitialized memory access issue existed in the
handling of MP4 encoded files. For OS X Lion systems, this issue is
addressed in OS X Lion v10.7.3. For Mac OS X v10.6 systems, this
issue is addressed in Security Update 2012-001.
CVE-ID
CVE-2011-3458 : Luigi Auriemma and pa_kt both working with HP's Zero
Day Initiative

QuickTime
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  An off by one buffer overflow existed in the handling
of rdrf atoms in QuickTime movie files. For OS X Lion systems, this
issue is addressed in OS X Lion v10.7.3. For Mac OS X v10.6 systems,
this issue is addressed in Security Update 2012-001.
CVE-ID
CVE-2011-3459 : Luigi Auriemma working with HP's Zero Day Initiative

QuickTime
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Viewing a maliciously crafted movie file during progressive
download may lead to an unexpected application termination or
arbitrary code execution
Description:  A buffer overflow existed in the handling of audio
sample tables. For OS X Lion systems, this issue is addressed in OS X
Lion v10.7.4. For Mac OS X v10.6 systems, this issue is addressed in
Security Update 2012-002.
CVE-ID
CVE-2012-0658 : Luigi Auriemma working with HP's Zero Day Initiative

QuickTime
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Viewing a maliciously crafted MPEG file may lead to an
unexpected application termination or arbitrary code execution
Description:  An integer overflow existed in the handling of MPEG
files. For OS X Lion systems, this issue is addressed in OS X Lion
v10.7.4. For Mac OS X v10.6 systems, this issue is addressed in
Security Update 2012-002.
CVE-ID
CVE-2012-0659 : An anonymous researcher working with HP's Zero Day
Initiative

QuickTime
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A stack buffer overflow existed in the QuickTime
plugin's handling of QTMovie objects. This issue does not affect OS X
systems.
CVE-ID
CVE-2012-0666 : CHkr_D591 working with HP's Zero Day Initiative

QuickTime
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Processing a maliciously crafted PNG image may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow existed in the handling of PNG files.
For OS X Lion systems, this issue is addressed in OS X Lion v10.7.3.
For Mac OS X v10.6 systems, this issue is addressed in Security
Update 2012-001.
CVE-ID
CVE-2011-3460 : Luigi Auriemma working with HP's Zero Day Initiative

QuickTime
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Viewing a maliciously crafted QTVR movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A signedness issue existed in the handling of QTVR
movie files. This issue does not affect OS X systems.
CVE-ID
CVE-2012-0667 : Alin Rad Pop working with HP's Zero Day Initiative

QuickTime
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A use after free issue existed in the handling of
JPEG2000 encoded movie files. This issue does not affect systems
prior to OS X Lion. For OS X Lion systems, this issue is addressed in
OS X Lion v10.7.4.
CVE-ID
CVE-2012-0661 : Damian Put working with HP's Zero Day Initiative

QuickTime
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow existed in the handling of RLE
encoded movie files.
CVE-ID
CVE-2012-0668 : Luigi Auriemma working with HP's Zero Day Initiative

QuickTime
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow existed in QuickTime's handling of
Sorenson encoded movie files. This issue does not affect OS X
systems.
CVE-ID
CVE-2012-0669 : Damian Put working with HP's Zero Day Initiative

QuickTime
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  An integer overflow existed in QuickTime's handling of
sean atoms.
CVE-ID
CVE-2012-0670 : Tom Gallagher (Microsoft) and Paul Bates (Microsoft)
working with HP's Zero Day Initiative

QuickTime
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Viewing a maliciously crafted .pict file may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue existed in the handling of
.pict files.
CVE-ID
CVE-2012-0671 : Rodrigo Rubira Branco (twitter.com/bsdaemon) from the
Qualys Vulnerability & Malware Research Labs (VMRL)

QuickTime
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Opening a file in a maliciously crafted path may lead to an
unexpected application termination or arbitrary code execution
Description:  A stack buffer overflow existed in QuickTime's handling
of file paths. This issue does not affect OS X systems.
CVE-ID
CVE-2012-0265 : Tielei Wang of Georgia Tech Information Security
Center via Secunia SVCRP

QuickTime
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Viewing a maliciously crafted MPEG file may lead to an
unexpected application termination or arbitrary code execution
Description:  An integer underflow existed in QuickTime's handling of
audio streams in MPEG files.
CVE-ID
CVE-2012-0660 : Justin Kim at Microsoft and Microsoft Vulnerability
Research (MSVR)


QuickTime 7.7.2 may be obtained from the QuickTime Downloads site:
http://www.apple.com/quicktime/download/

The download file is named: "QuickTimeInstaller.exe"
Its SHA-1 digest is: ed569d62b3f8c24ac8e9aec7275f17cbb14d2124

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQIcBAEBAgAGBQJPsobhAAoJEPefwLHPlZEwk/sP/0C8iXVhnG481GbA03CMhKXJ
XDooIlCG6YeoeJxGfri/vqlzqcHe3R90K6R89z1dKGU2bWGvtITh95E+WKll++7F
hHYq6YC+r/o1cP1SjBi6A3swhN57m1nQZRIEnnIm+nBSxaiHA6xdRSUaK4ighLSA
jbOVfu/6NPuGSlgWBPKSISDY2FhL0GH0QVLW/piVtMTrxhizlE7dgieipAPoVvRC
SW2W0te7ujo2X167f2GS8EwplUkj/yVeScdr/6HjLkAXIQ1B9RNqTeOdyQZjTxay
32xhZTQ+JfSQzY6VSGoF0bqlK39u5UyzySIKS446OxclYI6xGKSFvTN3nBUwERd+
W+E/4k3Ry4OYEkgZ5yltXO8bJvGZtmpLOkq94Vb4w7EaEgJ452J/YjqCEEbmtAKM
0W9g1jt5av5Hv+vQ7rufR1tJ6CqkIDDr0f3qY+W/F8ZtdA8Bkvm9568d3L1Vlbai
zy89w39Z1RTPMLccZEhtd+80f75P+R3n88X5czjXYignrUJbxhM/S8meqQB5GUB9
nJvZtWB1wlACHJ/EKUTv6miK20XE1OukRyvW0o7WWplqBj5KFWvRcV0tovfybGY9
EKwmao4Hwmq+ovJBFLZj/TV6MMxsJjS9qVea/yOlzZCy+6dwok38yyMAqy+m2dLT
X2aq0dgzK7qjPx0FRyOx
=BPXs
-----END PGP SIGNATURE-----