Multiple vulnerabilities have been identified in Apple QuickTime, which could be exploited by remote attackers to take complete control of an affected system. These issues are caused by memory corruption and heap overflow errors when processing malformed H.264 movies, MPEG-4 videos, or FlashPix files, which could allow attackers to crash an affected application or execute arbitrary code e.g. via a specially crafted web page.

Affected Products

Apple QuickTime versions prior to 7.6.4

Solution

Upgrade to Apple QuickTime version 7.6.4 :
http://www.apple.com/quicktime/download/

References

http://www.vupen.com/english/advisories/2009/2584
http://support.apple.com/kb/HT3859

In-depth Binary Analysis

Available in customer area as part of VUPEN Binary Analysis & Exploits Service and VUPEN Vulnerability Notification Service Ultimate Feed Edition.
 

Private Exploit or PoC

Available in customer area as part of VUPEN Binary Analysis & Exploits Service and VUPEN Vulnerability Notification Service Ultimate Feed Edition.
 

Credits

Vulnerabilities reported by Tom Ferris (Adobe Secure Software Engineering Team), Alex Selivanov, Damian Put and ZDI.

Changelog

2009-09-09 : Initial release

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form.