-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1934
                              QuickTime 7.7.6
                              23 October 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          QuickTime
Publisher:        Apple
Operating System: Windows 7
                  Windows Vista
                  Windows XP
Impact/Access:    Denial of Service               -- Remote with User Interaction
                  Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:       Patch/Upgrade
CVE Names:        CVE-2014-4979 CVE-2014-4351 CVE-2014-4350
                  CVE-2014-1391

Reference:        ESB-2014.1877
                  ESB-2014.1617
                  ESB-2014.1226

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2014-10-22-1 QuickTime 7.7.6

QuickTime 7.7.6 is now available and addresses the following:

QuickTime
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Playing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue existed in the handling of
RLE encoded movie files. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2014-1391 : Fernando Munoz working with iDefense VCP, Tom
Gallagher & Paul Bates working with HP's Zero Day Initiative

QuickTime
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Playing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue existed in the handling of
the 'mvhd' atoms. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2014-4979 : Andrea Micalizzi aka rgod working with HP's Zero Day
Initiative

QuickTime
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Playing a maliciously crafted MIDI file may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow existed in the handling of MIDI
files. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4350 : s3tm3m working with HP's Zero Day Initiative

QuickTime
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Playing a maliciously crafted m4a file may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow existed in the handling of audio
samples. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4351 : Karl Smith of NCC Group


QuickTime 7.7.6 may be obtained from the QuickTime Downloads site:
http://www.apple.com/quicktime/download/

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
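The advisory entries above attribute each fix to "improved bounds checking" on a container structure (RLE movie data, 'mvhd' atoms, MIDI and audio sample buffers). As an added defender-side illustration, not code from Apple or from this bulletin, the hypothetical atom reader below shows what that check looks like for an 'mvhd' atom: the atom's declared size is validated against the bytes actually present, and the body length is validated against the version-specific layout, before any field is read. The atom header layout and mvhd field offsets follow the public QuickTime/ISO base media file format; the sample buffer, error codes and function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical atom reader written for this bulletin; not QuickTime's code. */
enum { ATOM_OK = 0, ATOM_TRUNCATED = -1, ATOM_BAD_SIZE = -2, ATOM_BAD_TYPE = -3, ATOM_BAD_VERSION = -4 };
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}
/* Validates the 8-byte atom header at buf[0..len): the declared size must
 * cover the header and must not exceed the bytes actually present. */
static int parse_atom_header(const uint8_t *buf, size_t len, char type[5], size_t *atom_len) {
    if (len < 8) return ATOM_TRUNCATED;
    uint32_t size = be32(buf);
    memcpy(type, buf + 4, 4); type[4] = '\0';
    if (size == 0) size = (uint32_t)len;      /* size 0: atom extends to end of data */
    if (size < 8) return ATOM_BAD_SIZE;        /* also rejects size 1 (64-bit size), unsupported here */
    if (size > len) return ATOM_TRUNCATED;     /* trusting this field blindly is the classic overread */
    *atom_len = size; return ATOM_OK;
}
/* Extracts timescale/duration from an 'mvhd' atom, checking the body length
 * against the version-specific layout (100 bytes for v0, 112 for v1). */
int parse_mvhd(const uint8_t *buf, size_t len, uint32_t *timescale, uint64_t *duration) {
    char type[5]; size_t alen;
    int rc = parse_atom_header(buf, len, type, &alen);
    if (rc != ATOM_OK) return rc;
    if (memcmp(type, "mvhd", 4) != 0) return ATOM_BAD_TYPE;
    const uint8_t *b = buf + 8; size_t blen = alen - 8;
    if (blen < 100) return ATOM_TRUNCATED;     /* every version needs at least the v0 body */
    if (b[0] == 0) { *timescale = be32(b + 12); *duration = be32(b + 16); return ATOM_OK; }
    if (b[0] != 1) return ATOM_BAD_VERSION;
    if (blen < 112) return ATOM_TRUNCATED;
    *timescale = be32(b + 20);
    *duration = ((uint64_t)be32(b + 24) << 32) | be32(b + 28);
    return ATOM_OK;
}

/* Demo on a constructed v0 mvhd (timescale 600, duration 1200) whose size field is
 * overridden and of which only `avail` bytes are exposed; returns duration or error code. */
long long sample_result(uint32_t declared_size, size_t avail) {
    uint8_t buf[108] = {0};
    put32(buf, declared_size); memcpy(buf + 4, "mvhd", 4);
    put32(buf + 8 + 12, 600); put32(buf + 8 + 16, 1200);
    if (avail > sizeof buf) avail = sizeof buf;
    uint32_t ts; uint64_t dur;
    int rc = parse_mvhd(buf, avail, &ts, &dur);
    return rc == ATOM_OK ? (long long)dur : rc;
}
```

The cases that matter are the ones where the declared atom size disagrees with the data: larger than the buffer, smaller than the mvhd body, or smaller than the header itself; each is rejected before any field offset is dereferenced.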

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----