QuickTime < 7.7.2 Multiple Vulnerabilities (Windows)

This script is Copyright (C) 2012-2016 Tenable Network Security, Inc.


Synopsis :

The remote Windows host contains an application that may be affected
by multiple vulnerabilities.

Description :

The version of QuickTime installed on the remote Windows host is
older than 7.7.2 and may be affected by the following
vulnerabilities :

- An uninitialized memory access issue exists in the
handling of MP4 encoded files. (CVE-2011-3458)

- An off-by-one buffer overflow exists in the handling of
rdrf atoms in QuickTime movie files. (CVE-2011-3459)

- A stack-based buffer overflow exists in the QuickTime
plugin's handling of PNG files. (CVE-2011-3460)

- A stack-based buffer overflow exists in QuickTime's
handling of file paths. (CVE-2012-0265)

- A buffer overflow exists in the handling of audio sample
tables. (CVE-2012-0658)

- An integer overflow exists in the handling of MPEG
files. (CVE-2012-0659)

- An integer underflow exists in QuickTime's handling of
audio streams in MPEG files. (CVE-2012-0660)

- A use-after-free issue exists in the handling of
JPEG2000 encoded movie files. (CVE-2012-0661)

- Multiple stack overflows exist in QuickTime's handling
of TeXML files. (CVE-2012-0663)

- A heap overflow exists in QuickTime's handling of text
tracks. (CVE-2012-0664)

- A heap overflow exists in the handling of H.264 encoded
movie files. (CVE-2012-0665)

- A stack-based buffer overflow exists in the QuickTime
plugin's handling of QTMovie objects. (CVE-2012-0666)

- A signedness issue exists in the handling of QTVR movie
files. (CVE-2012-0667)

- A buffer overflow exists in QuickTime's handling of
Sorenson encoded movie files. (CVE-2012-0669)

- An integer overflow exists in QuickTime's handling of
sean atoms. (CVE-2012-0670)

- A memory corruption issue exists in the handling of
.pict files. (CVE-2012-0671)

See also :

http://www.zerodayinitiative.com/advisories/ZDI-12-075/
http://www.zerodayinitiative.com/advisories/ZDI-12-076/
http://www.zerodayinitiative.com/advisories/ZDI-12-077/
http://www.zerodayinitiative.com/advisories/ZDI-12-078/
http://www.zerodayinitiative.com/advisories/ZDI-12-095/
http://www.zerodayinitiative.com/advisories/ZDI-12-103/
http://www.zerodayinitiative.com/advisories/ZDI-12-105/
http://www.zerodayinitiative.com/advisories/ZDI-12-107/
http://www.zerodayinitiative.com/advisories/ZDI-12-108/
http://www.zerodayinitiative.com/advisories/ZDI-12-109/
http://www.zerodayinitiative.com/advisories/ZDI-12-125/
http://www.zerodayinitiative.com/advisories/ZDI-12-130/
http://www.zerodayinitiative.com/advisories/ZDI-12-153/
http://www.securityfocus.com/archive/1/523524/30/0/threaded
http://support.apple.com/kb/HT5261
http://lists.apple.com/archives/security-announce/2012/May/msg00005.html

Solution :

Upgrade to QuickTime 7.7.2 or later.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.3
(CVSS2#E:POC/RL:OF/RC:C)
Public Exploit Available : true