12 July, 2007
Summary:
Late yesterday, Apple released an update that fixes eight security vulnerabilities in all versions of Quicktime earlier than 7.2 for Windows XP, Windows Vista, and OS X. By enticing one of your users into visiting a malicious web page, or viewing a maliciously crafted movie file, an attacker could exploit any one of these vulnerabilities to execute his attack code on your user’s computer, possibly gaining control of it. If you allow Quicktime or iTunes in your network (or suspect that users have installed them), you should have users either remove the applications or install Apple’s Quicktime 7.2 update.
Exposure:
Late yesterday, Apple released an alert describing eight security vulnerabilities in Apple’s popular media player application, Quicktime. Current versions of iTunes also ship with Quicktime. If your users have iTunes, they most likely have Quicktime. These applications run on Windows and Macintosh computers, and the vulnerabilities affect both platforms.
The eight vulnerabilities fall into two general categories:
Memory corruption errors
Four of the security holes result when an attacker purposely crafts a Quicktime-compatible file to trigger a buffer overflow when a victim plays the malicious file. Files that trigger the problem can be formatted as H.264 (also known as MPEG-4 AVC), MPEG-2, .MOV (the normal Quicktime movie format), or Synchronized Media Integration Language (SMIL). In the worst-case scenario, the attacker could completely take over a victim’s computer.
Improper handling of Java applets
12 July, 2007
Summary:
Late yesterday, Apple released an update that fixes eight security vulnerabilities in all versions of Quicktime earlier than 7.2 for Windows XP, Windows Vista, and OS X. By enticing one of your users into visiting a malicious web page, or viewing a maliciously crafted movie file, an attacker could exploit any one of these vulnerabilities to execute his attack code on your user’s computer, possibly gaining control of it. If you allow Quicktime or iTunes in your network (or suspect that users have installed them), you should have users either remove the applications or install Apple’s Quicktime 7.2 update.
Exposure:
Late yesterday, Apple released an alert describing eight security vulnerabilities in Apple’s popular media player application, Quicktime. Current versions of iTunes also ship with Quicktime. If your users have iTunes, they most likely have Quicktime. These applications run on Windows and Macintosh computers, and the vulnerabilities affect both platforms.
The eight vulnerabilities fall into two general categories:
Memory corruption errors
Four of the security holes result when an attacker purposely crafts a Quicktime-compatible file to trigger a buffer overflow when a victim plays the malicious file. Files that trigger the problem can be formatted as H.264 (also known as MPEG-4 AVC), MPEG-2, .MOV (the normal Quicktime movie format), or Synchronized Media Integration Language (SMIL). In the worst-case scenario, the attacker could completely take over a victim’s computer.
Improper handling of Java applets
By tricking one of your Quicktime users into visiting a booby-trapped web page, an attacker can exploit two of the remaining four flaws to bypass Java’s normal security checks, allowing the attacker to execute his attack code on that user’s computer. Two more Java applet flaws could allow an attacker to see what’s on the user’s screen, possibly disclosing sensitive information; or to take over the computer’s memory, loading it with attack code. Apple does not specify what level of permissions and privileges the attacker gains with these exploits.
Solution Path:
Apple has released an update for Quicktime 7.2 that corrects these vulnerabilities. If you allow (or suspect that users have installed) Quicktime or iTunes in your network, recommend that users either remove the applications or install the upgrade.
The latest versions of Quicktime and iTunes for Windows ship with Apple Software Update. Apple Software Update automatically detects updates such as this one for Quicktime, then informs you, so that you can install the update as soon as possible. If you choose to allow Quicktime or iTunes in your network, we recommend you set Apple Software Update to check for new updates daily and allow it to assist you in keeping your Apple software current.
Note: By default, Apple ships Quicktime combined with iTunes. If you do not want iTunes, download the standalone version of Quicktime.
For All Users:
These attacks rely on a person to play a specially crafted movie or launch a Java applet in order to succeed. Some of WatchGuard’s Firebox models allow you to block the download of movie files and java applets, which prevents these types of attacks from working. However, blocking the download of these common files would also prevent users from viewing otherwise legitimate content. Instead, you should insist that users either remove Quicktime and iTunes, or install Apple’s Quicktime update as soon as possible.
Status:
Apple released an update for Quicktime 7.2, which fixes this issue.
References:
This alert was researched and written by Scott Pinzon, CISSP and Steve Fallin.