Note: This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact info@us-cert.gov if you have any questions about the US-CERT website archive.

TLP:WHITE

Alert (TA06-011A)

Apple QuickTime Vulnerabilities

Original release date: January 11, 2006 | Last revised: May 12, 2006

Systems Affected

Apple QuickTime on systems running

  • Apple Mac OS X
  • Microsoft Windows XP
  • Microsoft Windows 2000

Overview

Apple has released QuickTime 7.0.4 to correct multiple vulnerabilities. Exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code or cause a denial-of-service condition.

Description

Apple QuickTime 7.0.4 resolves vulnerabilities in how image and media files are handled. Details are available in the following Vulnerability Notes:

VU#629845 - Apple QuickTime image handling buffer overflow

Apple QuickTime contains a heap overflow vulnerability that may allow an attacker to execute arbitrary code or cause a denial-of-service condition.
(CVE-2005-2340)

VU#921193 - Apple QuickTime fails to properly handle corrupt media files

Apple QuickTime contains a heap overflow vulnerability in the handling of media files. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service on a vulnerable system.
(CVE-2005-4092)

VU#115729 - Apple QuickTime fails to properly handle corrupt TGA images

A flaw in the way Apple QuickTime handles Targa (TGA) image format files could allow a remote attacker to execute arbitrary code on a vulnerable system.
(CVE-2005-3707)

VU#150753 - Apple QuickTime fails to properly handle corrupt TIFF images

Apple QuickTime contains an integer overflow vulnerability in the handling of TIFF images. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service on a vulnerable system.
(CVE-2005-3710)
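The vulnerability class behind VU#150753, shown as an added example rather than Apple's code (the advisory does not detail the actual QuickTime arithmetic, so the calculation below is illustrative): a constructed, simplified TIFF-style header, a size computation in 32-bit arithmetic that wraps on attacker-chosen dimensions and yields an undersized heap buffer, and an overflow-checked version that rejects the file instead. `tiff_hdr`, `MAX_RASTER_BYTES` and the function names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed, simplified view of the TIFF tags that drive buffer sizing. */
typedef struct {
    uint32_t width;             /* ImageWidth */
    uint32_t height;            /* ImageLength */
    uint16_t samples_per_pixel; /* SamplesPerPixel */
    uint16_t bits_per_sample;   /* BitsPerSample */
} tiff_hdr;

/* Assumed policy cap on a single raster (256 MiB) to limit resource use. */
#define MAX_RASTER_BYTES (256u * 1024u * 1024u)

/* Vulnerable pattern: 32-bit multiplication on file-controlled fields wraps
 * silently, so a huge image can produce a tiny (even zero-byte) allocation
 * that the decoder later overruns when it writes width*height pixels. */
uint32_t raster_size_naive(const tiff_hdr *h) {
    return h->width * h->height * h->samples_per_pixel * (h->bits_per_sample / 8u);
}

/* Hardened: each multiplication is overflow-checked and the result is bounded;
 * any failure means the file is rejected before memory is allocated. */
bool raster_size_checked(const tiff_hdr *h, uint32_t *out) {
    if (h->bits_per_sample == 0 || h->bits_per_sample % 8 != 0) return false;
    uint32_t n;
    if (__builtin_mul_overflow(h->width, h->height, &n)) return false;
    if (__builtin_mul_overflow(n, (uint32_t)h->samples_per_pixel, &n)) return false;
    if (__builtin_mul_overflow(n, (uint32_t)(h->bits_per_sample / 8u), &n)) return false;
    if (n == 0 || n > MAX_RASTER_BYTES) return false;
    *out = n;
    return true;
}

/* Allocate the pixel buffer only after the size has been validated. */
uint8_t *alloc_raster(const tiff_hdr *h, uint32_t *size_out) {
    uint32_t n;
    if (!raster_size_checked(h, &n)) return NULL; /* malformed or oversized: reject */
    *size_out = n;
    return calloc(n, 1);
}
```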

VU#913449 - Apple QuickTime fails to properly handle corrupt GIF images

A flaw in the way Apple QuickTime handles Graphics Interchange Format (GIF) files could allow a remote attacker to execute arbitrary code on a vulnerable system.
(CVE-2005-3713)

Impact

The impacts of these vulnerabilities vary. For more information, please see the Vulnerability Notes. Potential consequences include remote execution of arbitrary code or commands, and denial of service.

Solution

Upgrade

Upgrade to QuickTime 7.0.4.

Appendix A. References


Feedback can be directed to the US-CERT Technical Staff

Revision History

  • January 11, 2006: Initial release
  • January 12, 2006: Added link to standalone QuickTime Player
  • January 12, 2006: Changed CAN entries to CVE entries
  • May 12, 2006: Corrected production statement
