Apple released QuickTime 7.7.2 for Windows, a security update that Apple is pushing for all QuickTime 7 users on Windows. The patch addresses 17 specific issues.
Apple’s patch notes:
QuickTime 7.7.2 is now available and addresses the following:
- QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: Multiple stack overflows existed in QuickTime’s handling of TeXML files. These issues do not affect OS X systems.
CVE-ID
CVE-2012-0663 : Alexander Gavrun working with HP’s Zero Day
Initiative
- QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A heap overflow existed in QuickTime’s handling of text tracks. This issue does not affect OS X systems.
CVE-ID
CVE-2012-0664 : Alexander Gavrun working with HP’s Zero Day
Initiative
- QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in the handling of H.264 encoded movie files.
CVE-ID
CVE-2012-0665 : Luigi Auriemma working with HP’s Zero Day Initiative
- QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Opening a maliciously crafted MP4 encoded file may lead to an unexpected application termination or arbitrary code execution
Description: An uninitialized memory access issue existed in the handling of MP4 encoded files. For OS X Lion systems, this issue is addressed in OS X Lion v10.7.3. For Mac OS X v10.6 systems, this issue is addressed in Security Update 2012-001.
CVE-ID
CVE-2011-3458 : Luigi Auriemma and pa_kt both working with HP’s Zero Day Initiative
- QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: An off by one buffer overflow existed in the handling of rdrf atoms in QuickTime movie files. For OS X Lion systems, this issue is addressed in OS X Lion v10.7.3. For Mac OS X v10.6 systems, this issue is addressed in Security Update 2012-001.
CVE-ID
CVE-2011-3459 : Luigi Auriemma working with HP’s Zero Day Initiative
- QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted movie file during progressive download may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of audio sample tables. For OS X Lion systems, this issue is addressed in OS X Lion v10.7.4. For Mac OS X v10.6 systems, this issue is addressed in Security Update 2012-002.
CVE-ID
CVE-2012-0658 : Luigi Auriemma working with HP’s Zero Day Initiative
- QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted MPEG file may lead to an unexpected application termination or arbitrary code execution
Description: An integer overflow existed in the handling of MPEG files. For OS X Lion systems, this issue is addressed in OS X Lion v10.7.4. For Mac OS X v10.6 systems, this issue is addressed in Security Update 2012-002.
CVE-ID
CVE-2012-0659 : An anonymous researcher working with HP’s Zero Day Initiative
- QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A stack buffer overflow existed in the QuickTime plugin’s handling of QTMovie objects. This issue does not affect OS X systems.
CVE-ID
CVE-2012-0666 : CHkr_D591 working with HP’s Zero Day Initiative
- QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Processing a maliciously crafted PNG image may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of PNG files. For OS X Lion systems, this issue is addressed in OS X Lion v10.7.3. For Mac OS X v10.6 systems, this issue is addressed in Security Update 2012-001.
CVE-ID
CVE-2011-3460 : Luigi Auriemma working with HP’s Zero Day Initiative
- QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted QTVR movie file may lead to an unexpected application termination or arbitrary code execution
Description: A signedness issue existed in the handling of QTVR movie files. This issue does not affect OS X systems.
CVE-ID
CVE-2012-0667 : Alin Rad Pop working with HP’s Zero Day Initiative
- QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A use after free issue existed in the handling of JPEG2000 encoded movie files. This issue does not affect systems prior to OS X Lion. For OS X Lion systems, this issue is addressed in OS X Lion v10.7.4.
CVE-ID
CVE-2012-0661 : Damian Put working with HP’s Zero Day Initiative
- QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of RLE encoded movie files.
CVE-ID
CVE-2012-0668 : Luigi Auriemma working with HP’s Zero Day Initiative
- QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in QuickTime’s handling of Sorenson encoded movie files. This issue does not affect OS X systems.
CVE-ID
CVE-2012-0669 : Damian Put working with HP’s Zero Day Initiative
- QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: An integer overflow existed in QuickTime’s handling of sean atoms.
CVE-ID
CVE-2012-0670 : Tom Gallagher (Microsoft) and Paul Bates (Microsoft) working with HP’s Zero Day Initiative
- QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted .pict file may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the handling of .pict files.
CVE-ID
CVE-2012-0671 : Rodrigo Rubira Branco (twitter.com/bsdaemon) from the
Qualys Vulnerability & Malware Research Labs (VMRL)
- QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Opening a file in a maliciously crafted path may lead to an unexpected application termination or arbitrary code execution
Description: A stack buffer overflow existed in QuickTime’s handling of file paths. This issue does not affect OS X systems.
CVE-ID
CVE-2012-0265 : Tielei Wang of Georgia Tech Information Security
Center via Secunia SVCRP
- QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted MPEG file may lead to an unexpected application termination or arbitrary code execution
Description: An integer underflow existed in QuickTime’s handling of audio streams in MPEG files.
CVE-ID
CVE-2012-0660 : Justin Kim at Microsoft and Microsoft Vulnerability
Research (MSVR)
As is true with prior updates, QuickTime 7.x will disable the Pro features of QuickTime 5.x and 6.x. According to Apple, “If you are a QuickTime 6 Pro user and you proceed with this installation, you will need to purchase a QuickTime 7 Pro registration code in order to regain QuickTime Pro functionality.”
The update is a 37.65MB download through Apple’s support site. You can also find it in the Apple Updater utility installed with Safari, iTunes, or QuickTime.