
September 9th, 2008

Apple plugs gaping QuickTime security holes

Posted by Ryan Naraine @ 2:05 pm

Categories: Apple, Arbitrary Code Execution, Browsers, Data theft, Denial of Service (DoS), Exploit code, Passwords, Patch Watch, Pen testing, Vulnerability research, Web Applications, Zero-day attacks, iPhone

Tags: Security, Apple Macintosh, Apple QuickTime, Microsoft Windows XP, Service Pack 2, Movie, SP3, Microsoft Windows Vista, Apple Inc., Arbitrary Code Execution

Apple today released a major makeover to its iTunes and QuickTime software products, fixing at least 11 documented security vulnerabilities that could lead to Mac and PC takeover attacks.

QuickTime 7.5.5, which should be considered an “extremely critical” update, addresses nine different vulnerabilities that could cause some serious damage if a Windows or Mac OS X user is tricked into viewing a rigged movie file. The iTunes 8 update addresses two separate bugs that could put users at risk of information disclosure.

Full details on the vulnerabilities and patches:

QUICKTIME 7.5.5

  • CVE-2008-3615: An uninitialized memory access issue exists in the third-party Indeo v5 codec for QuickTime, which does not ship with QuickTime. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. Affects Windows Vista, XP SP2 and SP3.
  • CVE-2008-3635: A stack buffer overflow exists in the third-party Indeo v3.2 codec for QuickTime. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. Affects Windows Vista, XP SP2 and SP3.
  • CVE-2008-3624: A heap buffer overflow exists in QuickTime’s handling of panorama atoms in QTVR (QuickTime Virtual Reality) movie files. Viewing a maliciously crafted QTVR file may lead to an unexpected application termination or arbitrary code execution. Affects Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3.
  • CVE-2008-3625: A stack buffer overflow exists in QuickTime’s handling of panorama atoms in QTVR (QuickTime Virtual Reality) movie files. Viewing a maliciously crafted QTVR file may lead to an unexpected application termination or arbitrary code execution. Available for Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3.
  • CVE-2008-3614: An integer overflow exists in QuickTime’s handling of PICT images. Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution. Affects Windows Vista, XP SP2 and SP3.
  • CVE-2008-3626: A memory corruption issue exists in QuickTime’s handling of STSZ atoms in movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. Available for Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3.
  • CVE-2008-3627: Multiple memory corruption issues exist in QuickTime’s handling of H.264 encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. Available for Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3.
  • CVE-2008-3628: An invalid pointer issue exists in QuickTime’s handling of PICT images. Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution. Available for Windows Vista, XP SP2 and SP3.
  • CVE-2008-3629: An out-of-bounds read issue exists in QuickTime’s handling of PICT images. Opening a maliciously crafted PICT image may lead to an unexpected application termination. Affects Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3.

iTunes 8

  • CVE-2008-3634: When the firewall is configured to block iTunes Music Sharing and the user enables iTunes Music Sharing in iTunes, a warning dialog is displayed which incorrectly informs the user that unblocking iTunes Music Sharing doesn’t affect the firewall’s security. Allowing iTunes Music Sharing or any other service through the firewall inherently affects security by exposing the service to remote entities. This update addresses the issue by refining the text in the warning dialog. Available for Mac OS X v10.4.11, Mac OS X Server v10.4.11.
  • CVE-2008-3636: A third-party driver provided with iTunes may trigger an integer overflow, and could allow a local user to obtain system privileges. Available for: Windows XP or Vista.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.



  • Talkback
  • Most Recent of 22 Talkback(s)
Building a solid house...
on top of the garbage dump of Windows might
well cause problems. Even so, wake me when the
first 1000+ Windows PCs are made into a botnet
because of arcane bugs in quicktime. Notice that <... (Read the rest)
Posted by: arminw Posted on: 09/22/08