-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2011-08-03-1 QuickTime 7.7

QuickTime 7.7 is now available and addresses the following:

QuickTime
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact:  Viewing a maliciously crafted pict file may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow existed in QuickTime's handling of
pict files. Viewing a maliciously crafted pict file may lead to an
unexpected application termination or arbitrary code execution. For
Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8.
This issue does not affect Mac OS X v10.7 systems.
CVE-ID
CVE-2011-0245 : Subreption LLC working with TippingPoint's Zero Day
Initiative

QuickTime
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact:  Viewing a maliciously crafted JPEG2000 image with QuickTime
may lead to an unexpected application termination or arbitrary code
execution
Description:  Multiple memory corruption issues existed in
QuickTime's handling of JPEG2000 images. Viewing a maliciously
crafted JPEG2000 image with QuickTime may lead to an unexpected
application termination or arbitrary code execution. For Mac OS X
v10.6 systems, this issue is addressed in Mac OS X v10.6.7. This
issue does not affect Mac OS X v10.7 systems.
CVE-ID
CVE-2011-0186 : Will Dormann of the CERT/CC

QuickTime
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact:  Visiting a maliciously crafted website may lead to the
disclosure of video data from another site
Description:  A cross-origin issue existed in QuickTime plug-in's
handling of cross-site redirects. Visiting a maliciously crafted
website may lead to the disclosure of video data from another site.
This issue is addressed by preventing QuickTime from following cross-
site redirects. For Mac OS X v10.6 systems, this issue is addressed
in Mac OS X v10.6.7. This issue does not affect Mac OS X v10.7
systems.
CVE-ID
CVE-2011-0187 : Nirankush Panchbhai and Microsoft Vulnerability
Research (MSVR)

QuickTime
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact:  Playing a maliciously crafted WAV file may lead to an
unexpected application termination or arbitrary code execution
Description:  An integer overflow existed in QuickTime's handling of
RIFF WAV files. Playing a maliciously crafted WAV file may lead to an
unexpected application termination or arbitrary code execution. For
Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8.
This issue does not affect Mac OS X v10.7 systems.
CVE-ID
CVE-2011-0209 : Luigi Auriemma working with TippingPoint's Zero Day
Initiative

QuickTime
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact:  Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue existed in QuickTime's
handling of sample tables in QuickTime movie files. Viewing a
maliciously crafted movie file may lead to an unexpected application
termination or arbitrary code execution. For Mac OS X v10.6 systems,
this issue is addressed in Mac OS X v10.6.8. This issue does not
affect Mac OS X v10.7 systems.
CVE-ID
CVE-2011-0210 : Honggang Ren of Fortinet's FortiGuard Labs

QuickTime
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact:  Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  An integer overflow existed in QuickTime's handling of
audio channels in movie files. Viewing a maliciously crafted movie
file may lead to an unexpected application termination or arbitrary
code execution. For Mac OS X v10.6 systems, this issue is addressed
in Mac OS X v10.6.8. This issue does not affect Mac OS X v10.7
systems.
CVE-ID
CVE-2011-0211 : Luigi Auriemma working with TippingPoint's Zero Day
Initiative

QuickTime
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact:  Viewing a maliciously crafted JPEG file may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow existed in QuickTime's handling of
JPEG files. Viewing a maliciously crafted JPEG file may lead to an
unexpected application termination or arbitrary code execution. For
Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8.
This issue does not affect Mac OS X v10.7 systems.
CVE-ID
CVE-2011-0213 : Luigi Auriemma working with iDefense VCP

QuickTime
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Viewing a maliciously crafted GIF image may lead to an
unexpected application termination or arbitrary code execution
Description:  A heap buffer overflow existed in QuickTime's handling
of GIF images. Viewing a maliciously crafted GIF image may lead to an
unexpected application termination or arbitrary code execution. This
issue does not affect Mac OS X systems.
CVE-ID
CVE-2011-0246 : an anonymous contributor working with Beyond
Security's SecuriTeam Secure Disclosure program

QuickTime
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Viewing a maliciously crafted H.264 movie file may lead to
an unexpected application termination or arbitrary code execution
Description:  Multiple stack buffer overflows existed in the handling
of H.264 encoded movie files. Viewing a maliciously crafted H.264
movie file may lead to an unexpected application termination or
arbitrary code execution. These issues do not affect Mac OS X
systems.
CVE-ID
CVE-2011-0247 : Roi Mallo and Sherab Giovannini working with
TippingPoint's Zero Day Initiative

QuickTime
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Visiting a maliciously crafted website using Internet
Explorer may lead to an unexpected application termination or
arbitrary code execution
Description:  A stack buffer overflow existed in the QuickTime
ActiveX control's handling of QTL files. Visiting a maliciously
crafted website using Internet Explorer may lead to an unexpected
application termination or arbitrary code execution. This issue does
not affect Mac OS X systems.
CVE-ID
CVE-2011-0248 : Chkr_d591 working with TippingPoint's Zero Day
Initiative

QuickTime
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact:  Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A heap buffer overflow existed in the handling of STSC
atoms in QuickTime movie files. Viewing a maliciously crafted movie
file may lead to an unexpected application termination or arbitrary
code execution. This issue does not affect Mac OS X v10.7 systems.
CVE-ID
CVE-2011-0249 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero
Day Initiative

QuickTime
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact:  Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A heap buffer overflow existed in the handling of STSS
atoms in QuickTime movie files. Viewing a maliciously crafted movie
file may lead to an unexpected application termination or arbitrary
code execution. This issue does not affect Mac OS X v10.7 systems.
CVE-ID
CVE-2011-0250 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero
Day Initiative

QuickTime
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact:  Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A heap buffer overflow existed in the handling of STSZ
atoms in QuickTime movie files. Viewing a maliciously crafted movie
file may lead to an unexpected application termination or arbitrary
code execution. This issue does not affect Mac OS X v10.7 systems.
CVE-ID
CVE-2011-0251 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero
Day Initiative

QuickTime
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact:  Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A heap buffer overflow existed in the handling of STTS
atoms in QuickTime movie files. Viewing a maliciously crafted movie
file may lead to an unexpected application termination or arbitrary
code execution. This issue does not affect Mac OS X v10.7 systems.
CVE-ID
CVE-2011-0252 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero
Day Initiative


QuickTime 7.7 may be obtained from the Software Update
application, or from the QuickTime Downloads site:
http://www.apple.com/quicktime/download/

For Mac OS X v10.5.8
The download file is named: "QuickTime77Leopard.dmg"
Its SHA-1 digest is: 0deb99cc44015af7c396750d2c9dd4cbd59fb355

For Windows 7 / Vista / XP SP3
The download file is named: "QuickTimeInstaller.exe"
Its SHA-1 digest is: a99f61d67be6a6b42e11d17b0b4f25cd88b74dc9

QuickTime is incorporated into Mac OS X v10.6 and later.
QuickTime 7.7 is not presented to systems running
Mac OS X v10.6 or later.

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (Darwin)

iQEcBAEBAgAGBQJOOZuHAAoJEGnF2JsdZQeeNWIH/A+KRxzYTBC5nCZQ6m/sRdU0
OrauYjVbXIj1LUgMS9+I0wW4Zg7xtGBEjYBnqiuNuajP5W2+Ts8mNe75ZlEFlNto
KFQI7NS/OsTrjCTR1m1sF2zvsyMKDOjviIy90+PDGKejC8c3Zu/Y8GSdZ++I4aEf
J2g7BqhBDW/RFOemPGrcvr/iwu3twdkiAHeLXFCcecNCKjSUfoxXDuPd/Ege/kS7
95wsNkLjypSEuLpcmjATSXp5X58nzbUCsrQ2doPzLy1/8oWiG9XsiZznmcYlLhHg
trYm+KIMdqBOQWI3uhG+3dG6l2xkJxdYNxHRHXFh78QH0NblHg9u3PmhELUBeXU=
=H+iO
-----END PGP SIGNATURE-----