----------------------------------------------------------------------

Did you know that a change in our assessment rating, exploit code
availability, or if an updated patch is released by the vendor, is
not part of this mailing-list?

Click here to learn more:
http://secunia.com/advisories/business_solutions/

----------------------------------------------------------------------

TITLE:
Apple QuickTime Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA33632

VERIFY ADVISORY:
http://secunia.com/advisories/33632/

CRITICAL:
Highly critical

IMPACT:
System access

WHERE:
>From remote

SOFTWARE:
Apple QuickTime 7.x
http://secunia.com/advisories/product/5090/

DESCRIPTION:
Some vulnerabilities have been reported in Apple QuickTime, which can
be exploited by malicious people to compromise a user's system.

1) A boundary error exists in the processing of RTSP URLs. This can
be exploited to cause a heap-based buffer overflow when a specially
crafted RTSP URL is accessed.

2) An error due to improper validation of transform matrix data
exists when processing Track Header (THKD) atoms in QuickTime Virtual
Reality (QTVR) movie files. This can be exploited to cause a
heap-based buffer overflow via a specially crafted QTVR file.

3) An error in the processing of "nBlockAlign" values in the
"_WAVEFORMATEX" structure of AVI headers can be exploited to cause a
heap-based buffer overflow when a specially crafted AVI file is
accessed.

4) A boundary error exists in the processing of MPEG-2 video files
containing MP3  audio content, which can be exploited to cause a
buffer overflow via a specially crafted movie file.

5) An unspecified error exists in the processing of H.263 encoded
movie files, which can be exploited to cause a memory corruption when
a specially crafted movie file is viewed.

6) A signedness error exists within the processing of the MDAT atom
when handling Cinepak encoded movie files. This can be exploited to
cause a heap-based buffer overflow when a specially crafted movie
file is viewed.

7) An error exists within the function JPEG_DComponentDispatch() when
processing the image width data in JPEG atoms embedded in STSD atoms.
This can be exploited to cause a memory corruption when a specially
crafted movie file is viewed.

Successful exploitation of these vulnerabilities may allow execution
of arbitrary code.

SOLUTION:
Update to version 7.6.

QuickTime 7.6 for Windows:
http://support.apple.com/downloads/QuickTime_7_6_for_Windows

QuickTime 7.6 for Leopard:
http://support.apple.com/downloads/QuickTime_7_6_for_Leopard

QuickTime 7.6 for Tiger:
http://support.apple.com/downloads/QuickTime_7_6_for_Tiger

PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Attila Suszter
4) Chad Dougherty, CERT Coordination Center
5) Dave Soldera, NGS Software

2, 3, 6, 7) An anonymous person, reported via ZDI

ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT3403

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-09-005/
http://www.zerodayinitiative.com/advisories/ZDI-09-006/
http://www.zerodayinitiative.com/advisories/ZDI-09-007/
http://www.zerodayinitiative.com/advisories/ZDI-09-008/

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/advisories/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------