QuickTime < 7.6.4 Multiple Vulnerabilities (Mac OS X)

This script is Copyright (C) 2009-2012 Tenable Network Security, Inc.


Synopsis :

The remote Mac OS X host contains an application that is affected by
multiple vulnerabilities.

Description :

The version of QuickTime installed on the remote Mac OS X host is
older than 7.6.4. Such versions contain several vulnerabilities :

- A memory corruption issue in QuickTime's handling of
H.264 movie files may lead to an application crash
or arbitrary code execution. (CVE-2009-2202)

- A buffer overflow in QuickTime's handling of MPEG-4
video files may lead to an application crash or
arbitrary code execution. (CVE-2009-2203)

- A heap buffer overflow in QuickTime's handling of
FlashPix files may lead to an application crash or
arbitrary code execution. (CVE-2009-2798)

- A heap buffer overflow in QuickTime's handling of H.264
movie files may lead to an application crash or
arbitrary code execution. (CVE-2009-2799)

See also :

http://support.apple.com/kb/HT3859
http://lists.apple.com/archives/security-announce/2009/Sep/msg00002.html

Solution :

Upgrade to QuickTime 7.6.4 or later.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.3
(CVSS2#E:POC/RL:OF/RC:C)
Public Exploit Available : true

Family: MacOS X Local Security Checks

Nessus Plugin ID: 40928 (macosx_Quicktime764.nasl)

Bugtraq ID: 36328

CVE ID: CVE-2009-2202
CVE-2009-2203
CVE-2009-2798
CVE-2009-2799