QuickTime < 7.6.6 Multiple Vulnerabilities (Mac OS X)

This script is Copyright (C) 2010-2012 Tenable Network Security, Inc.


Synopsis :

The remote Mac OS X host contains an application that is affected by
multiple vulnerabilities.

Description :

The version of QuickTime installed on the remote Mac OS X host is
older than 7.6.6. Such versions contain several vulnerabilities :

  - A memory corruption issue in QuickTime's handling of
    QDM2 encoded audio content may lead to an application
    crash or arbitrary code execution. (CVE-2010-0059)

  - A memory corruption issue in QuickTime's handling of
    QDMC encoded audio content may lead to an application
    crash or arbitrary code execution. (CVE-2010-0060)

  - A heap buffer overflow in QuickTime's handling of H.263
    encoded movie files may lead to an application crash or
    arbitrary code execution. (CVE-2010-0062)

  - A heap buffer overflow in QuickTime's handling of H.261
    encoded movie files may lead to an application crash or
    arbitrary code execution. (CVE-2010-0514)

  - A memory corruption issue in QuickTime's handling of
    H.264 encoded movie files may lead to an application
    crash or arbitrary code execution. (CVE-2010-0515)

  - A heap buffer overflow in QuickTime's handling of RLE
    encoded movie files may lead to an application crash or
    arbitrary code execution. (CVE-2010-0516)

  - A heap buffer overflow in QuickTime's handling of M-JPEG
    encoded movie files may lead to an application crash or
    arbitrary code execution. (CVE-2010-0517)

  - A memory corruption issue in QuickTime's handling of
    Sorenson encoded movie files may lead to an application
    crash or arbitrary code execution. (CVE-2010-0518)

  - An integer overflow in QuickTime's handling of FlashPix
    encoded movie files may lead to an application crash or
    arbitrary code execution. (CVE-2010-0519)

  - A heap buffer overflow in QuickTime's handling of FLC
    encoded movie files may lead to an application crash or
    arbitrary code execution. (CVE-2010-0520)

  - A heap buffer overflow in QuickTime's handling of MPEG
    encoded movie files may lead to an application crash or
    arbitrary code execution. (CVE-2010-0526)

See also :

http://support.apple.com/kb/HT4104
http://lists.apple.com/archives/security-announce/2010/Mar/msg00002.html
http://www.securityfocus.com/advisories/19386

Solution :

Upgrade to QuickTime 7.6.6 or later.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.7
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true