CVE-2010-0530, CVE-2010-1508, CVE-2010-3787, CVE-2010-3788, CVE-2010-3789, CVE-2010-3790, CVE-2010-3791, CVE-2010-3792, CVE-2010-3793, CVE-2010-3794, CVE-2010-3795, CVE-2010-3800, CVE-2010-3801, CVE-2010-3802, CVE-2010-4009
11 Nov 2010
21 Sep 2011
Apple QuickTime 7.x
System access
This covers vulnerabilities where malicious people are able to gain system access and execute arbitrary code with the privileges of a local user.
Exposure of sensitive information
Vulnerabilities where documents or credentials are leaked or can be revealed either locally or from remote.
Manipulation of data
This includes vulnerabilities where a user or a remote attacker can manipulate local data on a system, but not necessarily be able to gain escalated privileges or system access.
The most frequent type of vulnerabilities with this impact are SQL-injection vulnerabilities, where a malicious user or person can manipulate SQL queries.
Multiple vulnerabilities have been reported in QuickTime, which can be exploited by malicious, local users to disclose potentially sensitive information or manipulate certain data, and by malicious people to compromise a user's system.
1) An array-indexing error when parsing the extra data bits in Sorenson Video 3 content can be exploited to cause a value outside an array of pointers to erroneously be used as a write pointer during decompression.
The vulnerability is confirmed in versions 7.6.6 and 7.6.8. Other versions may also be affected.
2) An error when parsing "rec" chunks within AVI files can be exploited to corrupt memory.
3) An uninitialised pointer error in the support for Huffman tables within FlashPix files can be exploited to use an invalid value as a destination pointer when copying data.
4) An input validation error in the support for a component within the "SIZ" marker in a JPEG 2000 image can be exploited to use uninitialised data as an object during decompression.
5) An input validation error in the LZW decompression of GIF images can be exploited to cause a heap-based buffer overflow.
6) An input validation error in QuickTimeMPEG.qtx when parsing the media rate field of an "ELST" atom's edit list table data can be exploited to corrupt memory.
7) A signedness error in quicktime.qtx when parsing a certain offset in a "m1s" atom can be exploited to corrupt memory.
8) A type confusion error in QuickTime within the processing of JP2 codestreams can be exploited to cause a heap-based buffer overflow, which may allow execution of arbitrary code when a specially crafted JP2 image is being viewed.
9) An error in QuickTime when performing transformations may allow execution of arbitrary code.
For more information see vulnerability #43 in:
10) Input validation errors in the Quicktime PictureViewer when processing a PICT file can be exploited to e.g. cause a buffer overflow.
11) An input validation error in the processing of length properties in FlashPix images can be exploited to corrupt memory.
12) A signedness error in the handling of panorama atoms in QTVR (QuickTime Virtual Reality) movie files can be exploited to trigger the usage of an invalid pointer and corrupt memory.
13) A security issue is caused due to the application creating the "%UserProfile%\Local Settings\Application Data\Apple Computer\" directory with insecure default permissions. This can be exploited by unprivileged users to write or read from potentially sensitive files placed inside the affected directory by e.g. Safari.
14) An integer overflow error in the handling of movie files can be exploited to corrupt memory.
15) A boundary error when copying track content based on the track's dimensions can be exploited to cause a heap-based buffer overflow.
Successful exploitation of the vulnerabilities may allow execution of arbitrary code.
Update to version 7.6.9.
Note: When updating from a previous version, manually check and adjust the permissions of the "%UserProfile%\Local Settings\Application Data\Apple Computer\" directory.
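The following PowerShell script is an added example for carrying out the manual permission check above on an updated system; it is not part of the advisory and is not Apple's or Secunia's code. It reads the ACL of the "Apple Computer" directory named in the advisory and reports any Allow entry that gives a broad group (Everyone, BUILTIN\Users, Authenticated Users; the group names are an assumption and differ on localized Windows) write, modify or full-control rights, which is the condition behind issue 13. With -Fix it removes those entries. The path uses the advisory's Windows XP-era location; on Windows Vista and later "Local Settings\Application Data" is a junction to %LOCALAPPDATA%, so the -Path parameter can be set to "$env:LOCALAPPDATA\Apple Computer" there (assumption noted in the code).

```powershell
# Added example (not from the advisory): audit and optionally tighten the ACL of the
# per-user Apple Computer data directory described in issue 13.
[CmdletBinding()]
param(
    # Advisory path; on Vista+ pass "$env:LOCALAPPDATA\Apple Computer" (assumption: junction target).
    [string]$Path = (Join-Path $env:USERPROFILE 'Local Settings\Application Data\Apple Computer'),
    # Remove offending entries instead of only reporting them.
    [switch]$Fix
)

# Groups that should not hold write rights on a per-user data directory.
# Assumption: English well-known names; adjust on localized systems.
$broadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# Any of these rights lets a principal create or replace files in the directory.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor [System.Security.AccessControl.FileSystemRights]::Modify -bor [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-BroadWriteRules {
    param([string]$DirPath)
    if (-not (Test-Path -LiteralPath $DirPath -PathType Container)) {
        Write-Warning "Directory not found: $DirPath"
        return @()
    }
    $acl = Get-Acl -LiteralPath $DirPath
    # Keep only explicit or inherited Allow entries for a broad group with write-class rights.
    @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broadPrincipals -contains $_.IdentityReference.Value -and
        (($_.FileSystemRights -band $writeMask) -ne 0)
    })
}

$findings = @(Get-BroadWriteRules -DirPath $Path)

if ($findings.Count -eq 0) {
    Write-Output "OK: no broad write access on $Path"
    return
}

Write-Output "Insecure permissions on ${Path}:"
$findings | Select-Object IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize

if ($Fix) {
    $acl = Get-Acl -LiteralPath $Path
    # Inherited entries cannot be removed directly; stop inheritance first and keep
    # a copy of the current entries so the owner's own access survives.
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl
    $acl = Get-Acl -LiteralPath $Path
    foreach ($rule in @(Get-BroadWriteRules -DirPath $Path)) {
        [void]$acl.RemoveAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
    Write-Output "Removed broad write entries; re-run without -Fix to verify."
}
```

Run it once without -Fix to see what the directory currently grants; the report lists each offending group with its rights and whether the entry was inherited from the parent profile directory. Because the fix breaks inheritance and copies existing entries before removing the broad ones, the user's own access to the directory is preserved.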
1) Carsten Eiram, Secunia Research.
10) Hossein Lotfi (s0lute), reported via iDefense.
Rodrigo Rubira Branco: