Sign-up

ID

VAR-200901-0253


CVE

CVE-2009-0008


TITLE

Windows Run on Apple QuickTime of MPEG-2 Playback Component Service disruption in (DoS) Or arbitrary code execution vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2009-001597

DESCRIPTION

Unspecified vulnerability in Apple QuickTime MPEG-2 Playback Component before 7.60.92.0 on Windows allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a crafted MPEG-2 movie. The Apple QuickTime MPEG-2 Playback Component is prone to a memory-corruption issue because it fails to perform adequate boundary checks on user-supplied data. An attacker can exploit this issue by enticing an unsuspecting user to open a specially crafted movie file. Failed exploit attempts likely result in denial-of-service conditions. This issue affects Apple QuickTime MPEG-2 Playback Component running on Microsoft Windows Vista and Windows XP SP2 and SP3. Apple QuickTime is a very popular multimedia player. The QuickTime MPEG-2 Playback Component allows QuickTime users to import and play back format-specific MPEG-2 content, available for purchase and download separately from the Apple Online Store. ---------------------------------------------------------------------- Did you know that a change in our assessment rating, exploit code availability, or if an updated patch is released by the vendor, is not part of this mailing-list? Click here to learn more: http://secunia.com/advisories/business_solutions/ ---------------------------------------------------------------------- TITLE: Apple QuickTime MPEG-2 Playback Component Input Validation Vulnerability SECUNIA ADVISORY ID: SA33642 VERIFY ADVISORY: http://secunia.com/advisories/33642/ CRITICAL: Highly critical IMPACT: System access WHERE: >From remote SOFTWARE: Apple QuickTime MPEG-2 Playback Component 7.x http://secunia.com/advisories/product/21083/ DESCRIPTION: A vulnerability has been reported in the Apple QuickTime MPEG-2 Playback component, which can potentially be exploited by malicious people to compromise a user's system. The vulnerability is reported in QuickTime MPEG-2 Playback Component for Windows in versions prior to 7.60.92.0. SOLUTION: Update to version 7.60.92.0. PROVIDED AND/OR DISCOVERED BY: The vendor credits Richard Lemon, Code Lemon ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT3404 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 2.07

sources: NVD: CVE-2009-0008 // JVNDB: JVNDB-2009-001597 // BID: 33393 // VULHUB: VHN-37454 // PACKETSTORM: 74233

AFFECTED PRODUCTS

vendor:applemodel:quicktime mpeg-2 playback componentscope:eqversion:*

Trust: 1.0

vendor:applemodel:quicktimescope: - version: -

Trust: 0.8

vendor:applemodel:quicktime mpeg-2 playback componentscope: - version: -

Trust: 0.6

vendor:applemodel:quicktime mpeg-2 playback componentscope:eqversion:7.60

Trust: 0.3

vendor:applemodel:quicktime mpeg-2 playback componentscope:neversion:7.60.920

Trust: 0.3

sources: BID: 33393 // JVNDB: JVNDB-2009-001597 // CNNVD: CNNVD-200901-288 // NVD: CVE-2009-0008

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2009-0008
value: HIGH

Trust: 1.0

NVD: CVE-2009-0008
value: HIGH

Trust: 0.8

CNNVD: CNNVD-200901-288
value: HIGH

Trust: 0.6

VULHUB: VHN-37454
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2009-0008
severity: HIGH
baseScore: 7.6
vectorString: AV:N/AC:H/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 4.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-37454
severity: HIGH
baseScore: 7.6
vectorString: AV:N/AC:H/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 4.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-37454 // JVNDB: JVNDB-2009-001597 // CNNVD: CNNVD-200901-288 // NVD: CVE-2009-0008

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.9

sources: VULHUB: VHN-37454 // JVNDB: JVNDB-2009-001597 // NVD: CVE-2009-0008

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200901-288

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-200901-288

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2009-001597

PATCH
title:HT3403url:http://support.apple.com/kb/HT3403
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2009-001597

EXTERNAL IDS
db:NVDid:CVE-2009-0008
Trust: 2.8
db:BIDid:33393
Trust: 2.0
db:SECUNIAid:33642
Trust: 1.8
db:VUPENid:ADV-2009-0211
Trust: 1.7
db:SECTRACKid:1021621
Trust: 1.7
db:JVNDBid:JVNDB-2009-001597
Trust: 0.8
db:CNNVDid:CNNVD-200901-288
Trust: 0.7
db:XFid:2
Trust: 0.6
db:XFid:48162
Trust: 0.6
db:APPLEid:APPLE-SA-2009-01-21
Trust: 0.6
db:OVALid:OVAL:ORG.MITRE.OVAL:DEF:5974
Trust: 0.6
db:VULHUBid:VHN-37454
Trust: 0.1
db:PACKETSTORMid:74233
Trust: 0.1
sources:
            
            
            VULHUB: VHN-37454 // 
            
            
            
            BID: 33393 // 
            
            
            
            JVNDB: JVNDB-2009-001597 // 
            
            
            
            PACKETSTORM: 74233 // 
            
            
            
            CNNVD: CNNVD-200901-288 // 
            
            
            
            NVD: CVE-2009-0008

REFERENCES
url:http://support.apple.com/kb/ht3404
Trust: 1.8
url:http://lists.apple.com/archives/security-announce//2009/jan/msg00001.html
Trust: 1.7
url:http://www.securityfocus.com/bid/33393
Trust: 1.7
url:http://www.securitytracker.com/id?1021621
Trust: 1.7
url:http://secunia.com/advisories/33642
Trust: 1.7
url:https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a5974
Trust: 1.1
url:http://www.vupen.com/english/advisories/2009/0211
Trust: 1.1
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/48162
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-0008
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-0008
Trust: 0.8
url:http://xforce.iss.net/xforce/xfdb/48162
Trust: 0.6
url:http://www.frsirt.com/english/advisories/2009/0211
Trust: 0.6
url:http://oval.mitre.org/repository/data/getdef?id=oval:org.mitre.oval:def:5974
Trust: 0.6
url:http://www.apple.com/quicktime/
Trust: 0.3
url:http://support.apple.com/kb/ht3381
Trust: 0.3
url:http://www.apple.com/quicktime/mpeg2/
Trust: 0.3
url:http://secunia.com/advisories/secunia_security_advisories/
Trust: 0.1
url:http://secunia.com/advisories/33642/
Trust: 0.1
url:http://secunia.com/advisories/business_solutions/
Trust: 0.1
url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
Trust: 0.1
url:http://secunia.com/advisories/product/21083/
Trust: 0.1
url:http://secunia.com/advisories/about_secunia_advisories/
Trust: 0.1
sources:
            
            
            VULHUB: VHN-37454 // 
            
            
            
            BID: 33393 // 
            
            
            
            JVNDB: JVNDB-2009-001597 // 
            
            
            
            PACKETSTORM: 74233 // 
            
            
            
            CNNVD: CNNVD-200901-288 // 
            
            
            
            NVD: CVE-2009-0008

CREDITS
Richard Lemon
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-200901-288

SOURCES
db:VULHUBid:VHN-37454
db:BIDid:33393
db:JVNDBid:JVNDB-2009-001597
db:PACKETSTORMid:74233
db:CNNVDid:CNNVD-200901-288
db:NVDid:CVE-2009-0008

LAST UPDATE DATE
2025-04-10T20:30:24.164000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-37454date:2017-09-29T00:00:00
db:BIDid:33393date:2009-01-21T22:02:00
db:JVNDBid:JVNDB-2009-001597date:2009-07-08T00:00:00
db:CNNVDid:CNNVD-200901-288date:2009-03-04T00:00:00
db:NVDid:CVE-2009-0008date:2025-04-09T00:30:58.490

SOURCES RELEASE DATE
db:VULHUBid:VHN-37454date:2009-01-22T00:00:00
db:BIDid:33393date:2009-01-21T00:00:00
db:JVNDBid:JVNDB-2009-001597date:2009-07-08T00:00:00
db:PACKETSTORMid:74233date:2009-01-22T07:58:43
db:CNNVDid:CNNVD-200901-288date:2009-01-22T00:00:00
db:NVDid:CVE-2009-0008date:2009-01-22T18:30:03.797