Apple has shipped fixes for nine vulnerabilities in its QuickTime multimedia platform. The QuickTime 7.7.3 update resolves the bugs for Windows 7, Vista, and XP Service Pack 2 or later.
The first two patches, credited to IBM X-Force's Mark Yason and Microsoft's Jeremy Brown respectively, resolve a buffer overflow in the handling of REGION records in PICT files and a memory corruption issue in the handling of PICT files. Both can be triggered by viewing a specially crafted PICT file, and either could cause an application to crash or allow arbitrary code execution.
The update also resolves three bugs that could cause unexpected application termination or arbitrary code execution if a user visits a maliciously crafted website. Two were uncovered by chkr_d591, working with iDefense VCP: a use-after-free in the QuickTime plugin's handling of '_qtactivex_' parameters within an HTML object element, and a use-after-free in the QuickTime ActiveX control's handling of the Clear() method. The third, discovered by TELUS Security Labs' Pavel Polischouk, was a buffer overflow in the QuickTime plugin's handling of MIME types.
There were also buffer overflows in the handling of the transform attribute in text3GTrack elements and of style elements in QuickTime TeXML files. These were discovered by ZDI's Alexander Gavrun and TELUS Security Labs' Arezou Hosseinzad-Amirkhizi, and could be exploited if a user views a maliciously crafted TeXML file.
Apple also resolved a buffer overflow in the handling of Targa image files, reported by a researcher using the handle Senator of Pirates. An attacker could exploit the flaw by convincing a user to view a maliciously crafted Targa file, which could lead to application termination or arbitrary code execution.
The last patch fixes a buffer overflow in the handling of 'rnet' boxes in MP4 files. Reported by Kevin Szkudlapski of QuarksLab, it could lead to unexpected application termination or arbitrary code execution if a user views a maliciously crafted movie file.
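Several of the bugs above (the PICT REGION records, the TeXML attributes, the Targa image, the MP4 'rnet' box) belong to one recurring class: a file-format parser trusting a length field that the attacker controls. The following is an added illustration, not Apple's code and not a description of how the QuickTime defect actually arose (the advisory does not say). It is a minimal ISO BMFF/MP4 box walker in C that checks each box's declared size against the bytes actually present and caps the copy into a fixed buffer; the box types, sample bytes and the `MAX_PAYLOAD` limit are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed buffer a naive parser might copy a box payload into. */
#define MAX_PAYLOAD 64

typedef struct {
    char type[5];              /* four-character box type, NUL-terminated */
    uint64_t payload_len;      /* length the file declares for the payload */
    uint8_t payload[MAX_PAYLOAD];
} box_t;

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static uint64_t rd64(const uint8_t *p) {
    return ((uint64_t)rd32(p) << 32) | rd32(p + 4);
}

/* Parse one box at data[0..len). An MP4 box is a 4-byte big-endian size
   (covering the header itself), a 4-byte type, then the payload. size == 1
   means a 64-bit "largesize" follows the type; size == 0 means "to end of
   data". Returns the bytes consumed, or 0 if the size field is inconsistent
   with the data we actually hold. */
size_t parse_box(const uint8_t *data, size_t len, box_t *out) {
    if (len < 8) return 0;                  /* not even a full header */
    uint64_t size = rd32(data);
    size_t hdr = 8;
    if (size == 1) {                        /* 64-bit largesize variant */
        if (len < 16) return 0;
        size = rd64(data + 8);
        hdr = 16;
    } else if (size == 0) {
        size = len;                         /* box extends to end of buffer */
    }
    /* The check a naive parser skips: the declared size must cover its own
       header and must not run past the bytes that were actually read. */
    if (size < hdr || size > len) return 0;
    memcpy(out->type, data + 4, 4);
    out->type[4] = '\0';
    out->payload_len = size - hdr;
    /* Copy at most MAX_PAYLOAD bytes. Copying payload_len bytes here, as a
       parser that trusts the file would, is the classic overflow. */
    size_t n = out->payload_len > MAX_PAYLOAD ? MAX_PAYLOAD
                                              : (size_t)out->payload_len;
    memcpy(out->payload, data + hdr, n);
    return (size_t)size;
}

/* Walk all top-level boxes; returns the count, or -1 at the first malformed box. */
int walk_boxes(const uint8_t *data, size_t len) {
    int count = 0;
    size_t off = 0;
    while (off < len) {
        box_t b;
        size_t used = parse_box(data + off, len - off, &b);
        if (used == 0) return -1;
        count++;
        off += used;
    }
    return count;
}

/* Constructed sample inputs (not real files): a 16-byte 'ftyp' box followed by
   a 12-byte 'free' box, and the same file with the second box's size field
   rewritten to 0x7fffffff although only 4 payload bytes follow it. */
static const uint8_t good_file[] = {
    0x00,0x00,0x00,0x10, 'f','t','y','p', 'i','s','o','m', 0x00,0x00,0x02,0x00,
    0x00,0x00,0x00,0x0c, 'f','r','e','e', 0xde,0xad,0xbe,0xef,
};
static const uint8_t bad_file[] = {
    0x00,0x00,0x00,0x10, 'f','t','y','p', 'i','s','o','m', 0x00,0x00,0x02,0x00,
    0x7f,0xff,0xff,0xff, 'f','r','e','e', 0xde,0xad,0xbe,0xef,
};

int main(void) {
    printf("good: %d boxes\n", walk_boxes(good_file, sizeof good_file));
    printf("bad:  %d\n", walk_boxes(bad_file, sizeof bad_file));
    return 0;
}
```

The two checks that matter are `size < hdr` (a size smaller than the header would otherwise wrap the payload length to a huge unsigned value) and `size > len` (the declared size must be bounded by what was read, not the other way round); the cap on the `memcpy` is the second line of defence for any caller that still sizes a buffer from the file.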