MS-ISAC ADVISORY NUMBER:
2009-003
DATE(S) ISSUED:
1/22/2009
SUBJECT:
Multiple Vulnerabilities in Apple QuickTime Could Allow for Remote Code Execution
Multiple vulnerabilities have been discovered in Apple QuickTime. Apple QuickTime is used to play media files on Microsoft Windows and Mac OS X operating systems. These vulnerabilities can be exploited if a user visits a malicious webpage or opens a malicious e-mail attachment using a vulnerable version of QuickTime. Successful exploitation will result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
SYSTEMS AFFECTED:
- All versions of Apple's QuickTime Player prior to 7.6
RISK:
Government:
Large and medium government entities: High
Small government entities: High
Businesses:
Large and medium business entities: High
Small business entities: High
Home users: High
DESCRIPTION:
Apple QuickTime is a media player for the Microsoft Windows and Mac OS X operating systems.
Multiple vulnerabilities have been discovered in QuickTime. These vulnerabilities are due to two types of flaws in the application. The first flaw is a heap-based buffer-overflow issue due to the application failing to perform adequate boundary checks on user-supplied data. This problem occurs when handling the following items:
- 'THKD' atoms in malicious QTVR (QuickTime Virtual Reality) movie files.
- Malformed RTSP URLs.
- AVI movie files. Specifically, a malformed 'nBlockAlign' value in the '_WAVEFORMATX' structure of the AVI header.
- Malicious Cinepak-encoded movie files. Specifically, when parsing data contained in the MDAT atom, a signedness error occurs, resulting in a heap overflow.
- Maliciously constructed movie files that trigger an error in the 'JPEG_DComponentDispatch()' function, which occurs when handling 'JPEG' atoms embedded in 'STSD' atoms.
The second flaw in the application is a memory corruption issue caused by the application failing to perform adequate boundary checks on user-supplied data. This problem occurs when handling the following items:
- Malformed MPEG-2 encoded video files.
- Malicious H.263 encoded movie files.
These vulnerabilities can be exploited if a user visits a malicious webpage or opens a malicious e-mail attachment using a vulnerable version of QuickTime. Successful exploitation will result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts may result in denial-of-service conditions.
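The following is an added illustration, not Apple's code and not part of the original advisory, of the flaw class described above: a length check that fails because of a signedness error, next to a corrected check and a bounds-checked walk over movie atoms (32-bit big-endian size followed by a four-character type). All function names and sample bytes are constructed for this example; atom sizes 0 and 1, which have special meanings in the file format, are simply rejected here.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample: two well-formed atoms ('ftyp' 12 bytes, 'mdat' 16 bytes). */
static const uint8_t good_file[28] = {
    0,0,0,12, 'f','t','y','p', 1,2,3,4,
    0,0,0,16, 'm','d','a','t', 1,2,3,4,5,6,7,8 };
/* Constructed sample: 'mdat' declares 0xFFFFFFF0 bytes but only 12 are present. */
static const uint8_t bad_file[12] = {
    0xFF,0xFF,0xFF,0xF0, 'm','d','a','t', 1,2,3,4 };

/* Read a 32-bit big-endian value. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Flawed check (hypothetical): the declared length is stored in a signed int
   and only the upper bound is tested. On two's-complement targets 0xFFFFFFF0
   becomes -16, passes the test, and a later copy would treat it as a huge
   unsigned size. */
int fits_signed(uint32_t declared, int capacity) {
    int len = (int)declared;
    return len <= capacity;
}

/* Corrected check: the length stays unsigned, so an oversized value is rejected. */
int fits_unsigned(uint32_t declared, size_t capacity) {
    return declared <= capacity;
}

/* Walk top-level atoms. Returns the number of atoms, or -1 if any declared
   size is smaller than its 8-byte header or larger than the bytes remaining. */
int walk_atoms(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int count = 0;
    while (off < len) {
        if (len - off < 8) return -1;            /* truncated header */
        uint32_t size = be32(buf + off);
        if (size < 8 || size > len - off) return -1;
        off += size;                             /* cannot pass len: checked above */
        count++;
    }
    return count;
}
```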
RECOMMENDATIONS:
We recommend the following actions be taken:
- Apply the appropriate updates to vulnerable systems immediately after appropriate testing. The update is available at: http://www.apple.com/quicktime/download/
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Do not visit unknown or untrusted Web sites or follow links provided by unknown or untrusted sources.
REFERENCES:
Security Focus:
http://www.securityfocus.com/advisories/16140
http://www.securityfocus.com/advisories/16141
http://www.securityfocus.com/bid/33384
http://www.securityfocus.com/bid/33385
http://www.securityfocus.com/bid/33386
http://www.securityfocus.com/bid/33387
http://www.securityfocus.com/bid/33388
http://www.securityfocus.com/bid/33390
http://www.securityfocus.com/bid/33393
Apple:
http://support.apple.com/kb/HT3403
http://support.apple.com/kb/HT3381
Secunia:
http://secunia.com/advisories/33632/
CVE:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0001
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0002
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0003
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0004
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0005
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0006
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0007
This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.
