Updated:  January 11, 2006

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2006-01-10 QuickTime 7.0.4 QuickTime 7.0.4 is available and delivers the following security enhancements: CVE-ID: CVE-2005-2340 Available for: Mac OS X v10.3.9 and later, Windows XP/2000 Impact: A maliciously-crafted QTIF image may result in arbitrary code execution Description: By carefully crafting a corrupt QTIF image, an attacker can trigger a heap buffer overflow that may result in arbitrary code execution. This update addresses the issue by performing additional validation of GIF images. Credit to Varun Uppal of Kanbay for reporting this issue. CVE-ID: CVE-2005-3707, CVE-2005-3708, CVE-2005-3709 Available for: Mac OS X v10.3.9 and later, Windows XP/2000 Impact: Viewing a maliciously-crafted TGA image may result in arbitrary code execution Description: By carefully crafting a corrupt TGA image, an attacker can trigger a buffer overflow, integer overflow, or integer underflow that may result in a denial-of-service or arbitrary code execution. This update addresses the issue by performing additional validation of TGA images. Credit to Dejun Meng of Fortinet for reporting this issue. CVE-ID: CVE-2005-3710, CVE-2005-3711 Available for: Mac OS X v10.3.9 and later, Windows XP/2000 Impact: Viewing a maliciously-crafted TIFF image may result in arbitrary code execution Description: By carefully crafting a corrupt TIFF image, an attacker can trigger an integer overflow that may result in a denial-of-service or arbitrary code execution. This update addresses the issue by performing additional validation of TIFF images. Credit to Dejun Meng of Fortinet for reporting this issue. CVE-ID: CVE-2005-3713 Available for: Mac OS X v10.3.9 and later, Windows XP/2000 Impact: A maliciously-crafted GIF image may result in arbitrary code execution Description: By carefully crafting a corrupt GIF image, an attacker can trigger a heap buffer overflow that may result in arbitrary code execution. This update addresses the issue by performing additional validation of GIF images. Credit to Karl Lynn of eEye Digital Security for reporting this issue. CVE-ID: CVE-2005-4092 Available for: Mac OS X v10.3.9 and later, Windows XP/2000 Impact: A maliciously-crafted media file may result in arbitrary code execution Description: By carefully crafting a corrupt media file, an attacker can trigger a heap buffer overflow that may result in arbitrary code execution. This update addresses the issue by performing additional validation of media files. Credit to Karl Lynn of eEye Digital Security for reporting this issue. QuickTime 7.0.4 may be obtained from the Software Update pane in System Preferences, or from the Download tab in the QuickTime site http://www.apple.com/quicktime/ For Mac OS X v10.3.9 or later The download file is named: "QuickTimeInstallerX.dmg" Its SHA-1 digest is: a605fc27d85b4c6b59ebbbc84ef553b37aa8fbca For Windows 2000/XP The download file is named: "iTunesSetup.exe" Its SHA-1 digest is: 1f7d1942fec2c3c205079916dc47b254e508de4e Information will also be posted to the Apple Product Security web site: http://docs.info.apple.com/article.html?artnum=61798 This message is signed with Apple's Product Security PGP key, and details are available at: http://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.0.4 (Build 4042) iQEVAwUBQ8QXBYHaV5ucd/HdAQJxEAgAmYODWY0Bi3uyqkrk7iH3jB3HsmjARyqz YMFag6iFmvkGJ4VAZ943RhbrcBsjk8XQAMtnolRuD4FGSQQHD7a4fzeYdGIRp3qo V2XZBVW1cMAS8x0KzGNKhbRZsZZQw+0AcXbBq8oJU87XtjxVIM7Oo89k03AtkY1M bSqM/IshcNrvbtUDqOsxFEufNN2gwPeGD4Hsqto1qd822AF4Ulpdp45E8kgCiqFA Jm72cj6g1LqXZs8PZZdp6/eD9AazDPDe6N4yC6WhZMXJcfiAaZY6wNSYXsSVceGK W6+0hr4el+bB3PA2o7stKVrK2FwhuYg0A/FiiyhkM6K25jwf8OgZsw== =SKXP -----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.