===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1934
                              QuickTime 7.7.6
                              23 October 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           QuickTime
Publisher:         Apple
Operating System:  Windows 7
                   Windows Vista
                   Windows XP
Impact/Access:     Denial of Service               -- Remote with User Interaction
                   Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-4979 CVE-2014-4351 CVE-2014-4350
                   CVE-2014-1391

Reference:         ESB-2014.1877
                   ESB-2014.1617
                   ESB-2014.1226

--------------------------BEGIN INCLUDED TEXT--------------------

APPLE-SA-2014-10-22-1 QuickTime 7.7.6

QuickTime 7.7.6 is now available and addresses the following:

QuickTime
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Playing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue existed in the handling of
RLE encoded movie files. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2014-1391 : Fernando Munoz working with iDefense VCP, Tom
Gallagher & Paul Bates working with HP's Zero Day Initiative

QuickTime
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Playing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue existed in the handling of
the 'mvhd' atoms. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2014-4979 : Andrea Micalizzi aka rgod working with HP's Zero Day
Initiative

QuickTime
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Playing a maliciously crafted MIDI file may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow existed in the handling of MIDI
files. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4350 : s3tm3m working with HP's Zero Day Initiative

QuickTime
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Playing a maliciously crafted m4a file may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow existed in the handling of audio
samples. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4351 : Karl Smith of NCC Group

QuickTime 7.7.6 may be obtained from the QuickTime Downloads site:
http://www.apple.com/quicktime/download/

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================