
November 5th, 2007

Apple nukes QuickTime for Java, plugs more code execution holes

Posted by Ryan Naraine @ 12:16 pm

Categories: Apple, Botnets, Browsers, Data theft, Exploit code, Firefox, Metasploit, Passwords, Patch Watch, Pen testing, Responsible disclosure, Rootkits, Spam and Phishing, Spyware and Adware, Uncategorized, Vulnerability research, Windows Vista

Tags: Attacker, Apple QuickTime, Java, Movie, Vulnerability, Apple Inc., Buffer-overflow, Application Termination, Digital Music, Digital Media

Less than a week after its QuickTime media player made the top-ten list of most vulnerable Windows applications, Apple shipped QuickTime 7.3 to patch a total of at least seven vulnerabilities that could lead to code execution attacks.

The update, available for both Mac and Windows (XP and Vista) users, also includes the removal of QuickTime for Java, a move that significantly reduces the attack surface on the company’s flagship digital media player.

Apple also shipped a new version of iTunes but there is no security content associated with that release.

According to an advisory from Cupertino, QuickTime 7.3 provides fixes for seven potentially serious flaws that could open up Mac and Windows machines to denial-of-service, privilege escalation or drive-by malware attacks.

[ SEE: Yahoo Messenger, QuickTime top list of most vulnerable Windows apps ]

The skinny on the flaws/fixes:

CVE-2007-2395: A memory corruption issue exists in QuickTime’s handling of image description atoms. By enticing a user to open a maliciously crafted movie file, an attacker may cause an unexpected application termination or arbitrary code execution.

CVE-2007-3750: A heap buffer overflow exists in QuickTime Player’s handling of Sample Table Sample Descriptor (STSD) atoms. By enticing a user to open a maliciously crafted movie file, an attacker may cause an unexpected application termination or arbitrary code execution.

CVE-2007-3751: Multiple vulnerabilities exist in QuickTime for Java, which may allow untrusted Java applets to obtain elevated privileges. By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker may cause the disclosure of sensitive information and arbitrary code execution with elevated privileges. This update addresses the issues by making QuickTime for Java no longer accessible to untrusted Java applets.

CVE-2007-4672: A stack buffer overflow exists in PICT image processing. By enticing a user to open a maliciously crafted image, an attacker may cause an unexpected application termination or arbitrary code execution.

CVE-2007-4676: A heap buffer overflow exists in PICT image processing. By enticing a user to open a maliciously crafted image, an attacker may cause an unexpected application termination or arbitrary code execution.

CVE-2007-4675: A heap buffer overflow exists in QuickTime’s handling of panorama sample atoms in QTVR (QuickTime Virtual Reality) movie files. By enticing a user to view a maliciously crafted QTVR file, an attacker may cause an unexpected application termination or arbitrary code execution.

CVE-2007-4677: A heap buffer overflow exists in the parsing of the color table atom when opening a movie file. By enticing a user to open a maliciously crafted movie file, an attacker may cause an unexpected application termination or arbitrary code execution.
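Several of the flaws above sit in code that parses QuickTime atoms, where each atom begins with a length field taken from the file. The following is an added example, not Apple's code and not a reconstruction of any listed bug: a bounds-checked walk over atom headers that rejects a declared size that disagrees with the bytes actually present. The function name `walk_atoms` and both sample buffers are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed samples: 'free' atom then 'stsd' atom; BAD declares 256 bytes. */
static const uint8_t SAMPLE_OK[]  = {0,0,0,8,'f','r','e','e', 0,0,0,12,'s','t','s','d', 0,0,0,0};
static const uint8_t SAMPLE_BAD[] = {0,0,0,8,'f','r','e','e', 0,0,1,0,'s','t','s','d', 0,0,0,0};

static uint32_t be32(const uint8_t *p) {  /* big-endian 32-bit read */
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Walk sibling atoms in buf[0..len). Returns the atom count, or -1 when a
 * declared size disagrees with the bytes present. If want is non-NULL,
 * *found is set to 1 when an atom of that 4-char type is seen. */
int walk_atoms(const uint8_t *buf, size_t len, const char *want, int *found) {
    size_t off = 0;
    int count = 0;
    if (found) *found = 0;
    while (off < len) {
        if (len - off < 8) return -1;           /* truncated header */
        uint64_t size = be32(buf + off);        /* size includes the header */
        size_t hdr = 8;
        if (size == 1) {                        /* 64-bit extended size follows */
            if (len - off < 16) return -1;
            size = ((uint64_t)be32(buf + off + 8) << 32) | be32(buf + off + 12);
            hdr = 16;
        } else if (size == 0) {                 /* atom runs to end of data */
            size = len - off;
        }
        if (size < hdr) return -1;              /* smaller than its own header */
        if (size > len - off) return -1;        /* claims bytes past the end */
        if (want && found && memcmp(buf + off + 4, want, 4) == 0) *found = 1;
        off += (size_t)size;
        count++;
    }
    return count;
}

int main(void) {
    int f = 0;
    printf("ok:  %d atoms\n", walk_atoms(SAMPLE_OK, sizeof SAMPLE_OK, "stsd", &f));
    printf("bad: %d\n", walk_atoms(SAMPLE_BAD, sizeof SAMPLE_BAD, "stsd", &f));
    return 0;
}
```

Every size comparison is made against the remaining length (`len - off`) rather than by adding the untrusted size to an offset, so the check itself cannot wrap around.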

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.

