QuickTime < 7.5.5 Multiple Vulnerabilities (Mac OS X)

high Nessus Plugin ID 34118

Synopsis

The remote Mac OS X host contains an application that is affected by multiple vulnerabilities.

Description

The version of QuickTime installed on the remote Mac OS X host is older than 7.5.5. Such versions contain several vulnerabilities :

- Heap and stack-based buffer overflows in the handling of panorama atoms in QTVR (QuickTime Virtual Reality) movie files could lead to an application crash or arbitrary code execution (CVE-2008-3624 and CVE-2008-3625).

- A memory corruption issue in QuickTime's handling of STSZ atoms in movie files could lead to an application crash or arbitrary code execution (CVE-2008-3626).

- Multiple memory corruption issues in QuickTime's handling of H.264-encoded movie files could lead to an application crash or arbitrary code execution (CVE-2008-3627).

- An out-of-bounds read issue in QuickTime's handling of PICT images could lead to an application crash (CVE-2008-3629).

Solution

Either use QuickTime's Software Update preference to upgrade to the latest version or manually upgrade to QuickTime 7.5.5 or later.

See Also

http://support.apple.com/kb/HT3027

http://lists.apple.com/archives/security-announce/2008/Sep/msg00000.html

Plugin Details

Severity: High

ID: 34118

File Name: macosx_Quicktime755.nasl

Version: 1.15

Type: local

Agent: macosx

Published: 9/10/2008

Updated: 7/14/2018

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 6.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: cpe:/a:apple:quicktime

Required KB Items: MacOSX/QuickTime/Version

Exploit Ease: No known exploits are available

Patch Publication Date: 9/9/2008

Reference Information

CVE: CVE-2008-3624, CVE-2008-3625, CVE-2008-3626, CVE-2008-3627, CVE-2008-3629

BID: 31086, 31546, 31548

CWE: 119, 399