QuickTime < 7.6.6 Multiple Vulnerabilities (Windows)

This script is Copyright (C) 2010-2014 Tenable Network Security, Inc.


Synopsis :

The remote Windows host contains an application that is affected by
multiple vulnerabilities.

Description :

The version of QuickTime installed on the remote Windows host is older
than 7.6.6. Such versions contain several vulnerabilities :

- A heap-based buffer overflow in QuickTime's handling of
PICT images may lead to an application crash or
arbitrary code execution. (CVE-2009-2837)

- A memory corruption issue in QuickTime's handling of
QDM2 encoded audio content may lead to an application
crash or arbitrary code execution. (CVE-2010-0059)

- A memory corruption issue in QuickTime's handling of
QDMC encoded audio content may lead to an application
crash or arbitrary code execution. (CVE-2010-0060)

- A heap-based buffer overflow in QuickTime's handling of
H.263 encoded movie files may lead to an application
crash or arbitrary code execution. (CVE-2010-0062)

- A heap-based buffer overflow in QuickTime's handling of
H.261 encoded movie files may lead to an application
crash or arbitrary code execution. (CVE-2010-0514)

- A memory corruption issue in QuickTime's handling of
H.264 encoded movie files may lead to an application
crash or arbitrary code execution. (CVE-2010-0515)

- A heap-based buffer overflow in QuickTime's handling of
RLE encoded movie files may lead to an application
crash or arbitrary code execution. (CVE-2010-0516)

- A heap-based buffer overflow in QuickTime's handling of
M-JPEG encoded movie files may lead to an application
crash or arbitrary code execution. (CVE-2010-0517)

- A memory corruption issue in QuickTime's handling of
Sorenson encoded movie files may lead to an application
crash or arbitrary code execution. (CVE-2010-0518)

- An integer overflow in QuickTime's handling of FlashPix
encoded movie files may lead to an application crash or
arbitrary code execution. (CVE-2010-0519)

- A heap-based buffer overflow in QuickTime's handling of
FLC encoded movie files may lead to an application crash
or arbitrary code execution. (CVE-2010-0520)

- A heap-based buffer overflow in QuickTime's handling of
MPEG encoded movie files may lead to an application
crash or arbitrary code execution. (CVE-2010-0526)

- An integer overflow in QuickTime's handling of PICT
images may lead to an application crash or arbitrary
code execution. (CVE-2010-0527)

- A memory corruption issue in QuickTime's handling of
color tables in movie files may lead to an application
crash or arbitrary code execution. (CVE-2010-0528)

- A heap-based buffer overflow in QuickTime's handling of
PICT images may lead to an application crash or
arbitrary code execution. (CVE-2010-0529)

- A memory corruption issue in QuickTime's handling of
BMP images may lead to an application crash or arbitrary
code execution. (CVE-2010-0536)

See also :

http://support.apple.com/kb/HT4104
http://lists.apple.com/archives/security-announce/2010/Mar/msg00002.html
http://www.securityfocus.com/advisories/19386

Solution :

Upgrade to QuickTime 7.6.6 or later.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 6.9
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false