-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0912
               APPLE-SA-2013-07-02-1 Security Update 2013-003
                                3 July 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           QuickTime
Publisher:         Apple
Operating System:  OS X
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-1022 CVE-2013-1019 CVE-2013-1018

Reference:         ESB-2013.0725

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2013-07-02-1 Security Update 2013-003

Security Update 2013-003 is now available and addresses the following:

QuickTime
Available for:  Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.4
Impact:  Playing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow existed in the handling of Sorenson
encoded movie files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2013-1019 : Tom Gallagher (Microsoft) & Paul Bates (Microsoft)
working with HP's Zero Day Initiative

QuickTime
Available for:  Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.4
Impact:  Playing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow existed in the handling of H.264
encoded movie files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2013-1018 : G. Geshev working with HP's Zero Day Initiative

QuickTime
Available for:  Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.4
Impact:  Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer underflow existed in the handling of 'mvhd'
atoms. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2013-1022 : Andrea Micalizzi aka rgod working with HP's Zero Day
Initiative


Security Update 2013-003 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

The Software Update utility will present the update that applies to
your system configuration.

For OS X Mountain Lion v10.8.4
The download file is named: SecUpd2013-003.dmg
Its SHA-1 digest is: 5452c463819106ec30e9f365031f65f1b6c538c0

For OS X Lion v10.7.5
The download file is named: SecUpd2013-003.dmg
Its SHA-1 digest is: c94eeaee2e329f75830140598c8973b6a8e1b22d

For OS X Lion Server v10.7.5
The download file is named: SecUpdSrvr2013-003.dmg
Its SHA-1 digest is: 849d5d4fd5c5a46f84d3607a84b6957fe4f10a00

For Mac OS X v10.6.8
The download file is named: SecUpd2013-003.dmg
Its SHA-1 digest is: 59f7be08ba2f3e343539c011793f7e31773f9caa

For Mac OS X Server v10.6.8
The download file is named: SecUpdSrvr2013-003.dmg
Its SHA-1 digest is: 7586022106c870e46139016ddc5e667def454430

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQIcBAEBAgAGBQJR0zpyAAoJEPefwLHPlZEwdZ8QAJvykdoFKGOHgn9HzpFJ+tbm
0uXPFrExBTcgpypxiZngJJ7Py46FyFvHR9EkfppJDBVEURDpu3/AJRBCi5GnvpoV
7yGPiy5vnHJzUn+wvKUloKIKQQoEbOqmh4f0lfgMsD5CQyZP4f2uulW3fSXrJNT2
bVUc8VrVuw3QSvjeIsl7ZneLHvCv/yZ8wepWS3bR8vPnyv7jLHtNbryKGL8Qhiwx
MZEMaV1xQzKn82+0J4C5+TXsoqxLGKZMmlHjY3XbueQaV4NyU6hHnWdhjKjQ7aI1
frPRoE5tPuv+uMI51bxHNXT7vTYKVaBO+d2RVLclGRXvWm0l0q8N+liNEGrnYNY/
nD3A6KriFyONILSMOeHQUCh5CHDmuNhArtOMRICcQqBUfbVQ4XbDyKi7+4vv1Eug
r4p8ViN5uM2SvbIfsmZR7VsydvxJZV9uiQmcVQRqu4Yu80jKqyBV0qHZtTnnC0td
gL0vqYY7JuSRB3QDOzWPvRk+x4KdCHNQitdqj+fSq0iqFKb3ovvOn7Ug+UEpq60P
EIiRORMtj/Gh/LmlVJg62Mtoq+dY/g5z1RBPBVfEINbMyTMFStqRtVcWFo2Augo/
ucFFQ671Xn8PoMJ/5PhGNjDCDSBzCyyAY8WGnMWS4uiIXt+rsrtBavc1L7j3LuYD
R0og2PzHJPrZVEzhSZBn
=0jKe
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUdN8tRLndAQH1ShLAQIUxhAAkt1jJGiH+6bjwzyxNbKvZKEV3r2H9IrF
ATlEihQ6V00KaTu/noA+mY/449H8CI6NmacBx34ycJsSp2spzjJx7nbAmmNGUAHe
WAPskCCqukkqGMt5ybHeIixLJMEK5EtoPHeXpU1PwyiLSfCDNkTkku7HEK8hdVJP
UsZAuEj2Lljg2w6nZMmG9iWK/KGxwGGLf7ifl1GJR7H3M4DxbPeaRNnFizo+M9C5
IYeJsK7HpNohf12yZ1T+KOFjbHoMl03jbnCfGhCtO+fXiK5/74OTw+kMLqreRjmF
QPxyhvinqGsyH3QwYGhbGxN7YViyRTFi9E7lgJCY+Jq5aDqCuXeX+LbIilUv242I
UEnEA5/zDbGt6YHoZguW1iVMUnCfHnzyICP8RI2tTeUkRxM98wRRNJDXNkiFon5D
6MbaptLc9R8qIlOAwU3e8K5uEK4k8WjIpmRZd2Q0goOyX53xebU82ypqxWhtmFbT
YQokARDEA8KlQKDXV9m23RnbFTsEGQ6tUDv/IFRIHLkP7CmqQOjc2pdlJwdV6yZT
F8Ad+pP5gosNAOu72HligHv4sk/Zd4Onnz13PgrMACxUhvseASJWyX4POyCxX/TS
FDaKKcfcg2US7crRyktkqUgGLSpLbq9qOZ+1qH0xxBJCDU/BIEl2HjrmxrGT1Xpg
PzmlHmw1B7Q=
=opeN
-----END PGP SIGNATURE-----
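Editor's added example (not Apple's code, and not a reconstruction of the fixed QuickTime code): the three QuickTime issues above are all bounds-checking failures in a movie-file parser, and the 'mvhd' one is described as a buffer underflow, the class of bug you get when an atom's declared size is smaller than the header it must contain and the remaining length wraps. The block below walks the documented QuickTime/ISO BMFF atom layout (4-byte big-endian size, 4-byte type, size 1 = 64-bit extended size follows, size 0 = atom runs to the end of its container) with both the underflow check (size smaller than its own header) and the overflow check (size larger than what the container holds) applied before any offset is trusted. The 100/112-byte 'mvhd' payload sizes are the fixed version 0 / version 1 layouts; the sample movie and the two malformed inputs are constructed here for the example.

```python
import struct

CONTAINER_ATOMS = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"udta"}


class AtomError(ValueError):
    """Raised when an atom's declared size is inconsistent with its container."""


def parse_atoms(buf, start=0, end=None, depth=0, max_depth=16):
    """Walk the atoms in buf[start:end]; return (depth, type, payload_off, payload_len).

    Every declared size is checked against the header it must at least hold
    and against the bytes actually left in the enclosing container before it
    is used to compute any offset.
    """
    if end is None:
        end = len(buf)
    if depth > max_depth:
        raise AtomError("atom nesting too deep")
    atoms = []
    pos = start
    while pos < end:
        if end - pos < 8:
            raise AtomError("truncated atom header at offset %d" % pos)
        size, atype = struct.unpack_from(">I4s", buf, pos)
        header = 8
        if size == 1:                       # 64-bit extended size follows the type
            if end - pos < 16:
                raise AtomError("truncated extended header at offset %d" % pos)
            size = struct.unpack_from(">Q", buf, pos + 8)[0]
            header = 16
        elif size == 0:                     # atom extends to the end of its container
            size = end - pos
        # Underflow check: size - header would go negative (or wrap in unsigned code).
        if size < header:
            raise AtomError("atom %r at %d: size %d smaller than its header" % (atype, pos, size))
        # Overflow check: never read past what the container actually holds.
        if size > end - pos:
            raise AtomError("atom %r at %d: size %d exceeds %d bytes left" % (atype, pos, size, end - pos))
        payload_off = pos + header
        atoms.append((depth, atype, payload_off, size - header))
        if atype in CONTAINER_ATOMS:
            atoms.extend(parse_atoms(buf, payload_off, pos + size, depth + 1, max_depth))
        pos += size
    return atoms


def parse_mvhd(buf, off, length):
    """Decode timescale/duration from an 'mvhd' payload after checking its length."""
    if length < 4:
        raise AtomError("mvhd payload too short for version/flags")
    version = buf[off]
    needed = 100 if version == 0 else 112   # fixed payload sizes for version 0 / version 1
    if length < needed:
        raise AtomError("mvhd version %d needs %d bytes, got %d" % (version, needed, length))
    if version == 0:
        timescale, duration = struct.unpack_from(">II", buf, off + 12)
    else:
        timescale, duration = struct.unpack_from(">IQ", buf, off + 20)
    if timescale == 0:                      # would be a divide-by-zero for any consumer
        raise AtomError("mvhd timescale of zero")
    return {"timescale": timescale, "duration": duration}


def check_movie(buf):
    """Parse a whole file image and return the movie header fields, or raise AtomError."""
    for _depth, atype, off, length in parse_atoms(buf):
        if atype == b"mvhd":
            return parse_mvhd(buf, off, length)
    raise AtomError("no mvhd atom found")


def rejects(buf):
    """True if the parser refuses buf with AtomError (used on the malformed samples)."""
    try:
        check_movie(buf)
    except AtomError:
        return True
    return False


def atom(atype, payload):
    """Build one atom with a 32-bit size header (helper for the constructed samples)."""
    return struct.pack(">I4s", 8 + len(payload), atype) + payload


# Constructed sample: a minimal well-formed movie, timescale 600, duration 1200.
_MVHD_V0 = b"\x00\x00\x00\x00" + struct.pack(">IIII", 0, 0, 600, 1200) + b"\x00" * 80
SAMPLE_MOV = atom(b"ftyp", b"qt  \x00\x00\x00\x00qt  ") + atom(b"moov", atom(b"mvhd", _MVHD_V0))

# Constructed malformed inputs: an mvhd whose size field (4) is smaller than its own
# 8-byte header, and one whose size claims more bytes than the moov container holds.
UNDERSIZED_MOV = atom(b"moov", struct.pack(">I4s", 4, b"mvhd") + b"\x00" * 100)
OVERSIZED_MOV = atom(b"moov", struct.pack(">I4s", 4096, b"mvhd") + b"\x00" * 100)

if __name__ == "__main__":
    print(check_movie(SAMPLE_MOV))
    for name, sample in (("undersized", UNDERSIZED_MOV), ("oversized", OVERSIZED_MOV)):
        print(name, "rejected" if rejects(sample) else "ACCEPTED")
```

The same two checks (size at least the header, size at most the remaining container) are what a fuzzer would exercise first against any atom-based format, and a parser that only performs the second one still fails on the undersized case.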
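Editor's added example for the download-verification step (not Apple's or AusCERT's code): the advisory publishes a SHA-1 digest per download, and three different builds share the file name SecUpd2013-003.dmg, so the digest, not the name, tells you which system the file you fetched is for. The block below embeds the five published digests as-is, hashes a file in chunks, compares with a constant-time comparison, and reports which system configurations a given file matches. The digests are only as trustworthy as the PGP signature on the message that carries them; SHA-1 is what Apple published at the time. The self-check uses the standard SHA-1 test vector for "abc" written to a temporary file, constructed here.

```python
import hashlib
import hmac
import os
import tempfile

# Digests exactly as published in APPLE-SA-2013-07-02-1: system -> (file name, SHA-1 hex).
PUBLISHED_SHA1 = {
    "OS X Mountain Lion v10.8.4": ("SecUpd2013-003.dmg", "5452c463819106ec30e9f365031f65f1b6c538c0"),
    "OS X Lion v10.7.5": ("SecUpd2013-003.dmg", "c94eeaee2e329f75830140598c8973b6a8e1b22d"),
    "OS X Lion Server v10.7.5": ("SecUpdSrvr2013-003.dmg", "849d5d4fd5c5a46f84d3607a84b6957fe4f10a00"),
    "Mac OS X v10.6.8": ("SecUpd2013-003.dmg", "59f7be08ba2f3e343539c011793f7e31773f9caa"),
    "Mac OS X Server v10.6.8": ("SecUpdSrvr2013-003.dmg", "7586022106c870e46139016ddc5e667def454430"),
}


def sha1_of_file(path, chunk=1 << 20):
    """Stream the file through SHA-1 so a multi-hundred-MB .dmg is not read into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_file(path, expected_hex):
    """Return (ok, actual_hex); the comparison is constant-time and case-insensitive."""
    actual = sha1_of_file(path)
    return hmac.compare_digest(actual, expected_hex.lower()), actual


def identify_download(path):
    """List the systems whose published digest matches this file (empty = no match)."""
    actual = sha1_of_file(path)
    name = os.path.basename(path)
    return [sys for sys, (fname, digest) in PUBLISHED_SHA1.items()
            if fname == name and hmac.compare_digest(actual, digest)]


def verify_download(path, system):
    """Check a downloaded update against the digest published for one system."""
    expected_name, expected_hex = PUBLISHED_SHA1[system]
    if os.path.basename(path) != expected_name:
        return False, "expected file name %s" % expected_name
    return verify_file(path, expected_hex)


def demo_with_constructed_file():
    """Write the SHA-1 test vector 'abc' to a temp file and verify it against its known digest."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".dmg") as f:
        f.write(b"abc")          # constructed content, not a real update image
        path = f.name
    try:
        return verify_file(path, "a9993e364706816aba3e25717850c26c9cd0d89d")
    finally:
        os.unlink(path)


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, identify_download(p) or "NO MATCH against any published digest")
```

Run it as `python3 verify_secupd.py ~/Downloads/SecUpd2013-003.dmg`; an empty match list means either a corrupted or substituted download or a file fetched for a different system than the one you are patching.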