U radu programskog paketa QuickTime uočeno je više sigurnosnih prousta koji udaljenom napadaču omogućuju napad uskraćivanjem usluga (DoS), proizvoljno izvršavanje programskog koda, zaobilaženje postavljenih ograničenja te otkrivanje osjetljivih informacija.
| Paket: |
Apple Mac OS X 10.6.x |
| Operacijski sustavi: |
Apple Mac OS X 10.6, Apple Mac OS X 10.5, Microsoft Windows XP, Microsoft Windows Vista, Microsoft Windows 7 |
| Kritičnost: |
9.3 |
| Problem: |
cjelobrojno prepisivanje, korupcija memorije, neodgovarajuće rukovanje memorijom, preljev međuspremnika |
| Iskorištavanje: |
udaljeno |
| Posljedica: |
otkrivanje osjetljivih informacija, proizvoljno izvršavanje programskog koda, uskraćivanje usluga (DoS), zaobilaženje postavljenih ograničenja |
| Rješenje: |
programska zakrpa proizvođača |
| CVE: |
CVE-2011-0245, CVE-2011-0186, CVE-2011-0187, CVE-2011-0209, CVE-2011-0210, CVE-2011-0211, CVE-2011-0213, CVE-2011-0246, CVE-2011-0247, CVE-2011-0248, CVE-2011-0249, CVE-2011-0250, CVE-2011-0251, CVE-2011-0252 |
| Izvorni ID preporuke: |
APPLE-SA-2011-08-03 |
| Izvor: |
Apple |
| |
| Problem: |
Sigurnosni propusti su posljedica neodgovarajućeg rukovanja memorijom u MDAC (eng. Microsoft Data Access Components) komponentama te korupcije memorije, preljeva međuspremnika i cjelobrojnog prepisivanja programa QuickTime.
|
| Posljedica: |
Udaljeni napadač navedene propuste može iskoristiti za pokretanje proizvoljnog programskog koda, DoS (eng. Denial of Sevice) napad te zaobilaženje ograničenja u sustavu i pristup osjetljivim podacima.
|
| Rješenje: |
Rješenje problema sigurnosti je korištenje dostupnih programskih nadogradnji i zakrpa.
|
Izvorni tekst preporuke
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2011-08-03-1 QuickTime 7.7
QuickTime 7.7 is now available and addresses the following:
QuickTime
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted pict file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in QuickTime's handling of
pict files. Viewing a maliciously crafted pict file may lead to an
unexpected application termination or arbitrary code execution. For
Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8.
This issue does not affect Mac OS X v10.7 systems.
CVE-ID
CVE-2011-0245 : Subreption LLC working with TippingPoint's Zero Day
Initiative
QuickTime
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted JPEG2000 image with QuickTime
may lead to an unexpected application termination or arbitrary code
execution
Description: Multiple memory corruption issues existed in
QuickTime's handling of JPEG2000 images. Viewing a maliciously
crafted JPEG2000 image with QuickTime may lead to an unexpected
application termination or arbitrary code execution. For Mac OS X
v10.6 systems, this issue is addressed in Mac OS X v10.6.7. This
issue does not affect Mac OS X v10.7 systems.
CVE-ID
CVE-2011-0186 : Will Dormann of the CERT/CC
QuickTime
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to the
disclosure of video data from another site
Description: A cross-origin issue existed in QuickTime plug-in's
handling of cross-site redirects. Visiting a maliciously crafted
website may lead to the disclosure of video data from another site.
This issue is addressed by preventing QuickTime from following cross-
site redirects. For Mac OS X v10.6 systems, this issue is addressed
in Mac OS X v10.6.7. This issue does not affect Mac OS X v10.7
systems.
CVE-ID
CVE-2011-0187 : Nirankush Panchbhai and Microsoft Vulnerability
Research (MSVR)
QuickTime
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact: Playing a maliciously crafted WAV file may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow existed in QuickTime's handling of
RIFF WAV files. Playing a maliciously crafted WAV file may lead to an
unexpected application termination or arbitrary code execution. For
Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8.
This issue does not affect Mac OS X v10.7 systems.
CVE-ID
CVE-2011-0209 : Luigi Auriemma working with TippingPoint's Zero Day
Initiative
QuickTime
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in QuickTime's
handling of sample tables in QuickTime movie files. Viewing a
maliciously crafted movie file may lead to an unexpected application
termination or arbitrary code execution. For Mac OS X v10.6 systems,
this issue is addressed in Mac OS X v10.6.8. This issue does not
affect Mac OS X v10.7 systems.
CVE-ID
CVE-2011-0210 : Honggang Ren of Fortinet's FortiGuard Labs
QuickTime
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow existed in QuickTime's handling of
audio channels in movie files. Viewing a maliciously crafted movie
file may lead to an unexpected application termination or arbitrary
code execution. For Mac OS X v10.6 systems, this issue is addressed
in Mac OS X v10.6.8. This issue does not affect Mac OS X v10.7
systems.
CVE-ID
CVE-2011-0211 : Luigi Auriemma working with TippingPoint's Zero Day
Initiative
QuickTime
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted JPEG file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in QuickTime's handling of
JPEG files. Viewing a maliciously crafted JPEG file may lead to an
unexpected application termination or arbitrary code execution. For
Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8.
This issue does not affect Mac OS X v10.7 systems.
CVE-ID
CVE-2011-0213 : Luigi Auriemma working with iDefense VCP
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted GIF image may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in QuickTime's handling
of GIF images. Viewing a maliciously crafted GIF image may lead to an
unexpected application termination or arbitrary code execution. This
issue does not affect Mac OS X systems.
CVE-ID
CVE-2011-0246 : an anonymous contributor working with Beyond
Security's SecuriTeam Secure Disclosure program
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted H.264 movie file may lead to
an unexpected application termination or arbitrary code execution
Description: Multiple stack buffer overflows existed in the handling
of H.264 encoded movie files. Viewing a maliciously crafted H.264
movie file may lead to an unexpected application termination or
arbitrary code execution. These issues do not affect Mac OS X
systems.
CVE-ID
CVE-2011-0247 : Roi Mallo and Sherab Giovannini working with
TippingPoint's Zero Day Initiative
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website using Internet
Explorer may lead to an unexpected application termination or
arbitrary code execution
Description: A stack buffer overflow existed in the QuickTime
ActiveX control's handling of QTL files. Visiting a maliciously
crafted website using Internet Explorer may lead to an unexpected
application termination or arbitrary code execution. This issue does
not affect Mac OS X systems.
CVE-ID
CVE-2011-0248 : Chkr_d591 working with TippingPoint's Zero Day
Initiative
QuickTime
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in the handling of STSC
atoms in QuickTime movie files. Viewing a maliciously crafted movie
file may lead to an unexpected application termination or arbitrary
code execution. This issue does not affect Mac OS X v10.7 systems.
CVE-ID
CVE-2011-0249 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero
Day Initiative
QuickTime
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in the handling of STSS
atoms in QuickTime movie files. Viewing a maliciously crafted movie
file may lead to an unexpected application termination or arbitrary
code execution. This issue does not affect Mac OS X v10.7 systems.
CVE-ID
CVE-2011-0250 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero
Day Initiative
QuickTime
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in the handling of STSZ
atoms in QuickTime movie files. Viewing a maliciously crafted movie
file may lead to an unexpected application termination or arbitrary
code execution. This issue does not affect Mac OS X v10.7 systems.
CVE-ID
CVE-2011-0251 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero
Day Initiative
QuickTime
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in the handling of STTS
atoms in QuickTime movie files. Viewing a maliciously crafted movie
file may lead to an unexpected application termination or arbitrary
code execution. This issue does not affect Mac OS X v10.7 systems.
CVE-ID
CVE-2011-0252 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero
Day Initiative
QuickTime 7.7 may be obtained from the Software Update
application, or from the QuickTime Downloads site:
http://www.apple.com/quicktime/download/
For Mac OS X v10.5.8
The download file is named: "QuickTime77Leopard.dmg"
Its SHA-1 digest is: 0deb99cc44015af7c396750d2c9dd4cbd59fb355
For Windows 7 / Vista / XP SP3
The download file is named: "QuickTimeInstaller.exe"
Its SHA-1 digest is: a99f61d67be6a6b42e11d17b0b4f25cd88b74dc9
QuickTime is incorporated into Mac OS X v10.6 and later.
QuickTime 7.7 is not presented to systems running
Mac OS X v10.6 or later.
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (Darwin)
iQEcBAEBAgAGBQJOOZuHAAoJEGnF2JsdZQeeNWIH/A+KRxzYTBC5nCZQ6m/sRdU0
OrauYjVbXIj1LUgMS9+I0wW4Zg7xtGBEjYBnqiuNuajP5W2+Ts8mNe75ZlEFlNto
KFQI7NS/OsTrjCTR1m1sF2zvsyMKDOjviIy90+PDGKejC8c3Zu/Y8GSdZ++I4aEf
J2g7BqhBDW/RFOemPGrcvr/iwu3twdkiAHeLXFCcecNCKjSUfoxXDuPd/Ege/kS7
95wsNkLjypSEuLpcmjATSXp5X58nzbUCsrQ2doPzLy1/8oWiG9XsiZznmcYlLhHg
trYm+KIMdqBOQWI3uhG+3dG6l2xkJxdYNxHRHXFh78QH0NblHg9u3PmhELUBeXU=
=H+iO
-----END PGP SIGNATURE-----
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list (Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/security-announce/advisory%40lss.hr
This email sent to Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
Posljednje sigurnosne preporuke