Lucene search

K
kasperskyKaspersky LabKLA10016
HistoryFeb 25, 2014 - 12:00 a.m.

KLA10016 Multiple vulnerabilities in Apple QuickTime

2014-02-2500:00:00
Kaspersky Lab
threats.kaspersky.com
32

9.3 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

7.9 High

AI Score

Confidence

Low

0.073 Low

EPSS

Percentile

94.1%

Multiple serious vulnerabilities have been found in Apple QuickTime. Malicious users can exploit these vulnerabilities to execute arbitrary code or cause denial of service. Below is a complete list of vulnerabilities

  1. Improper byte-swapping can be exploited to execute arbitrary code or cause denial of service via a specially designed ttfo element in a movie file
  2. Lack of unspecified pointer initialization can be exploited to execute arbitrary code or cause denial of service via a specially designed tracklist in a movie file
  3. Integer signing can be exploited to execute arbitrary code or cause denial of service via a specially designed stsz atom in a movie file
  4. Vectors related to unknown applications can be exploited to execute arbitrary code or cause denial of service via specially designed idsc, clef, dref and ftab atoms, by a specially designed PSD image or movie file with H.264 encoding.

Original advisories

Apple entry

Related products

Apple-QuickTime

CVE list

CVE-2014-1244 critical

CVE-2014-1245 critical

CVE-2014-1246 critical

CVE-2014-1247 critical

CVE-2014-1249 critical

CVE-2014-1248 critical

CVE-2013-1032 high

CVE-2014-1250 critical

CVE-2014-1243 critical

CVE-2014-1251 critical

Solution

Update to latest version

QuickTime

Impacts

  • ACE

Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to executing by abuser any code or commands at vulnerable machine or process.

  • DoS

Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or critical functional fault.

Affected Products

  • Apple QuickTime versions 7.7.4. and earlier

9.3 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

7.9 High

AI Score

Confidence

Low

0.073 Low

EPSS

Percentile

94.1%