July 11th, 2008

Apple releases patches for dangerous QuickTime flaws in Apple TV 2.1 product

Posted by Nathan McFeters @ 10:00 am

Categories: Apple, Arbitrary Code Execution, Exploit code, Hackers, Patch Watch, Zero-day attacks

Tags: Apple QuickTime, Movie, Patch Management, Apple Inc., Issue, Apple TV, Arbitrary Code Execution, Flaw, IMPACT, CVE-ID

Apple released patches for its Apple TV 2.1 product yesterday. Some of you might be asking, “Why do I care? I don’t use Apple TV.” If you do use Apple TV, you obviously should care, as some of these are very serious flaws. If you don’t, you might still care because of the nature of the flaws patched for Apple TV.

These flaws were all disclosed quite some time ago and are just now being patched. Most were released three months ago, one was released last month, and two were released way back in January. What does that mean? Either Apple neglected to patch Apple TV, which might be the case as they recently neglected to patch the iPhone, or, more likely, flaws in integrated applications like QuickTime are not being looked for and patched on all Apple equipment, because researchers and possibly Apple may not realize how widespread applications like QuickTime are.

This is concerning. It’s a tough problem for a vendor to tackle, but something I expect Apple will be paying very close attention to going forward. Leaving a devastating QuickTime flaw unpatched for that long is pretty dangerous, because by this time proof-of-concept exploit code has probably been known for quite some time.

Have a look at these flaws from Apple’s support site. I’ve included with them the date that they were originally reported to the security community (as determined by the National Vulnerability Database repository):

CVE-ID: CVE-2008-1015
Date originally reported: 4/4/2008

Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

Description: An issue in the handling of data reference atoms may result in a buffer overflow. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of data reference atoms. Credit to Chris Ries of Carnegie Mellon University Computing Services for reporting this issue.

CVE-ID: CVE-2008-1017
Date originally reported: 4/4/2008

Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

Description: An issue in the parsing of ‘crgn’ atoms may result in a heap buffer overflow. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Sanbin Li working with TippingPoint’s Zero Day Initiative for reporting this issue.

CVE-ID: CVE-2008-1018
Date originally reported: 4/4/2008

Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

Description: An issue in the parsing of ‘chan’ atoms may result in a heap buffer overflow. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to an anonymous researcher working with TippingPoint’s Zero Day Initiative for reporting this issue.

CVE-ID: CVE-2008-1585
Date originally reported: 6/10/2008

Impact: Playing maliciously crafted QuickTime content may lead to arbitrary code execution

Description: A URL handling issue exists in the handling of file: URLs. This may allow arbitrary applications and files to be launched when a user plays maliciously crafted QuickTime content. This update addresses the issue by no longer launching local applications and files. Credit to Vinoo Thomas and Rahul Mohandas of McAfee Avert Labs, and Petko D. (pdp) Petkov of GNUCITIZEN working with TippingPoint’s Zero Day Initiative for reporting this issue.

CVE-ID: CVE-2008-0234
Date originally reported: 1/10/2008

Impact: Playing maliciously crafted QuickTime content may lead to an unexpected application termination or arbitrary code execution

Description: A heap buffer overflow exists in the handling of HTTP responses when RTSP tunneling is enabled. Playing maliciously crafted QuickTime content may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.

CVE-ID: CVE-2008-0036
Date originally reported: 1/15/2008

Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution

Description: A buffer overflow may occur while processing a compressed PICT image. Opening a maliciously crafted compressed PICT file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Chris Ries of Carnegie Mellon University Computing Services for reporting this issue.
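
Several of the descriptions above say only that the fix was "improved bounds checking" in atom parsing. As an added illustration (not Apple's code, not part of the original post, and not a reproduction of any of the listed flaws), this C sketch shows the class of check involved when walking QuickTime atoms: the size declared in an atom header is validated against the data actually present, and the payload against the destination buffer, before anything is copied. The function name `copy_atom_payload` and the sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Atom header: 32-bit big-endian size (header included) + 4-byte type. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Copy the payload of the first top-level atom of `type` into out.
 * Returns the payload length, or -1 if the atom is absent, its declared
 * size is inconsistent with the data, or the payload exceeds out_cap. */
long copy_atom_payload(const uint8_t *buf, size_t len, const char *type,
                       uint8_t *out, size_t out_cap) {
    size_t off = 0;
    while (len - off >= 8) {             /* room for a full header */
        uint32_t size = be32(buf + off);
        /* Simplification: the special sizes 0 and 1 are rejected too. */
        if (size < 8 || size > len - off)
            return -1;                   /* declared size lies about the data */
        if (memcmp(buf + off + 4, type, 4) == 0) {
            size_t payload = size - 8;
            if (payload > out_cap)
                return -1;               /* would overflow the destination */
            memcpy(out, buf + off + 8, payload);
            return (long)payload;
        }
        off += size;                     /* off never passes len */
    }
    return -1;
}

/* Constructed samples: a 'free' atom followed by a 'crgn' atom. */
static const uint8_t sample_ok[] = {0,0,0,8,'f','r','e','e',
                                    0,0,0,12,'c','r','g','n',1,2,3,4};
/* Same layout, but the 'crgn' header claims 256 bytes; only 12 exist. */
static const uint8_t sample_bad[] = {0,0,0,8,'f','r','e','e',
                                     0,0,1,0,'c','r','g','n',1,2,3,4};

int main(void) {
    uint8_t out[16];
    printf("ok:  %ld\n", copy_atom_payload(sample_ok, sizeof sample_ok, "crgn", out, sizeof out));
    printf("bad: %ld\n", copy_atom_payload(sample_bad, sizeof sample_bad, "crgn", out, sizeof out));
    return 0;
}
```

A parser that trusts the declared size, or copies the payload without comparing it to the destination capacity, is the pattern that bounds checking of this kind removes.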

Nathan McFeters

Nathan McFeters is a Senior Security Advisor for Ernst & Young's Advanced Security Center in Chicago. The views and opinions expressed in this article are his own and do not represent the views and opinions of Ernst & Young Advanced Security Center or Ernst & Young, LLP. Nathan has performed web application, deep source code, Internet, Intranet, wireless, dial-up, and social engineering engagements for numerous clients in the Fortune 500 during his career at Ernst & Young and has spoken at a number of prestigious conferences, including Black Hat, DEFCON, ToorCon, and Hack in the Box. He can be found at his Pwn* blog and XS-Sniper, a blog with Billy Rios. See his full profile and disclosure of his industry affiliations.

Talkback
You can
You can uninstall Safari from OSX. Well, it's not really uninstalling, but rather you just drag it to the trash.

Now, the next time OSX updates, it will have magically returned...but you can ge...
Posted by: laura.b Posted on: 07/11/08 (Edited: 07/11/08 @ 01:21)