
Apple QuickTime File Processing Vulnerabilities

AV07-099
Date: 06 November 2007

Purpose

The purpose of this advisory is to draw attention to multiple vulnerabilities in Apple QuickTime that are corrected in QuickTime 7.3.

Assessment

The following seven vulnerabilities have been identified:

  • A memory corruption error when processing malformed image description atoms could be exploited to execute arbitrary code by tricking a user into opening a maliciously crafted movie.
  • A heap overflow error when processing malformed Sample Table Sample Descriptor (STSD) atoms could be exploited to execute arbitrary code by tricking a user into opening a maliciously crafted movie.
  • An error in QuickTime for Java could allow an untrusted Java applet, such as one hosted on a web page the user is enticed to visit, to obtain elevated privileges, leading to the disclosure of sensitive information or the execution of arbitrary code with the privileges of the user.
  • A stack overflow error in PICT image processing could be exploited to execute arbitrary code by tricking a user into opening a maliciously crafted image.
  • A heap overflow error in PICT image processing could be exploited to execute arbitrary code by tricking a user into opening a maliciously crafted image.
  • A heap overflow error when handling malformed panorama sample atoms in QTVR (QuickTime Virtual Reality) movie files could be exploited to execute arbitrary code by tricking a user into opening a maliciously crafted QTVR movie file.
  • A heap overflow error in the parsing of the color table atom when opening a movie file could be exploited to execute arbitrary code by tricking a user into opening a maliciously crafted movie file.
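Six of the seven issues above share one root cause: a size or count field read from the file is trusted when the file's own structure is laid out, so a malformed atom makes the parser read or copy past the buffer it actually holds. Apple's QuickTime parser is not public, so the following is an added illustration of that bug class in a generic QuickTime/MP4-style atom walker, not the advisory's or Apple's code. The function names `naive_payload_len` and `walk_atoms`, the `atom_t` struct and the sample byte strings are all constructed for this example; the only facts taken from the container format are the 8-byte atom header (32-bit big-endian size, then a four-character type) and the two reserved sizes 0 ("runs to end of data") and 1 ("64-bit size follows").

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ATOM_HEADER_LEN 8u   /* 32-bit size + 4-byte type */

/* Parsed view of one atom (hypothetical type for this example). */
typedef struct {
    uint32_t type;    /* four-character code, e.g. 'stsd' */
    size_t   payload; /* offset of the payload within the buffer */
    size_t   length;  /* payload length in bytes */
} atom_t;

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/*
 * The bug class, reduced to one line: take the declared size from the file,
 * subtract the header, and use the result as a copy length without comparing
 * it to the bytes actually present. A declared size of 0x7fffffff yields a
 * copy far past the end of a small buffer; a declared size of 4 wraps to
 * about 4 GB. This function only computes the length such code would use,
 * it performs no copy, so it is safe to call.
 */
size_t naive_payload_len(const uint8_t *buf, size_t len)
{
    if (len < ATOM_HEADER_LEN)
        return 0;
    uint32_t declared = be32(buf);
    return (size_t)(declared - ATOM_HEADER_LEN);   /* unchecked, may wrap */
}

/*
 * Hardened walker. Returns the number of top-level atoms in buf, filling
 * out[] with up to max_out entries, or -1 as soon as any atom's declared
 * size is inconsistent with the bytes that remain.
 */
int walk_atoms(const uint8_t *buf, size_t len, atom_t *out, size_t max_out)
{
    size_t off = 0;
    int count = 0;

    while (off < len) {
        size_t remaining = len - off;
        if (remaining < ATOM_HEADER_LEN)
            return -1;                       /* truncated header */

        uint64_t size = be32(buf + off);
        uint32_t type = be32(buf + off + 4);
        size_t hdr = ATOM_HEADER_LEN;

        if (size == 0) {
            size = remaining;                /* atom runs to end of data */
        } else if (size == 1) {
            if (remaining < 16)
                return -1;                   /* truncated extended header */
            size = ((uint64_t)be32(buf + off + 8) << 32) | be32(buf + off + 12);
            hdr = 16;
        }

        /* The check the naive version lacks: the atom must be at least as
         * long as its own header and must fit in the bytes we still have.
         * Because size >= hdr >= 8 here, off always advances. */
        if (size < hdr || size > remaining)
            return -1;

        if ((size_t)count < max_out) {
            out[count].type    = type;
            out[count].payload = off + hdr;
            out[count].length  = (size_t)(size - hdr);
        }
        count++;
        off += (size_t)size;
    }
    return count;
}

int main(void)
{
    /* Constructed sample: a well-formed 'ftyp' atom followed by an empty 'moov'. */
    const uint8_t good[] = {
        0x00,0x00,0x00,0x10, 'f','t','y','p', 'q','t',' ',' ', 0x00,0x00,0x00,0x00,
        0x00,0x00,0x00,0x08, 'm','o','o','v'
    };
    /* Constructed sample: an 'stsd' atom claiming 2 GB inside a 16-byte buffer. */
    const uint8_t bad[] = {
        0x7f,0xff,0xff,0xff, 's','t','s','d', 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00
    };
    atom_t atoms[4];

    printf("good: %d atoms\n", walk_atoms(good, sizeof good, atoms, 4));
    printf("bad: naive length %zu bytes from a %zu-byte buffer, hardened result %d\n",
           naive_payload_len(bad, sizeof bad), sizeof bad,
           walk_atoms(bad, sizeof bad, atoms, 4));
    return 0;
}
```

The same comparison (declared length against bytes remaining, with the header counted) applies one level down to the sample descriptor, colour table and panorama sample entries inside their parent atoms, which is where the advisory's heap overflows sit; the top-level walker is simply the shortest place to show it.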

Affected Products:

  • Apple QuickTime versions prior to 7.3

Suggested action

CCIRC recommends that administrators test and install Apple QuickTime version 7.3 at the earliest opportunity. Because each of these issues is triggered by opening a crafted movie, image or applet, including content rendered in the browser through the QuickTime plug-in, users should avoid opening QuickTime content from untrusted sources until the update has been applied.

Reference:
http://docs.info.apple.com/article.html?artnum=306896

Note to Readers

Public Safety Canada (PS) collects information related to cyber and physical threats to, and incidents involving, Canadian critical infrastructure. This allows us to monitor and analyze threats and to issue alerts, advisories, and other information products.

The Government Operations Centre (GOC) provides strategic level coordination and direction on behalf of the Government of Canada, in response to emerging or occurring events in the national interest, including threats to and incidents involving Canadian critical infrastructure. The GOC receives, shares, and coordinates information with other federal departments, as well as provincial/territorial and international partners.

For urgent matters or to report any incidents, please contact the Government Operations Centre at:

Phone: (613) 991-7000
Fax: (613) 996-0995
Secure Fax: (613) 991-7094
Email: goc-cog@ps-sp.gc.ca

For general information on critical infrastructure protection and emergency preparedness, please contact PS's Public Affairs division at:

Telephone: (613) 944-4875 or 1-800-830-3118
Fax: (613) 998-9589
E-mail: communications@ps-sp.gc.ca