MS-ISAC ADVISORY NUMBER:
2009-032
DATE(S) ISSUED:
6/3/2009
SUBJECT:
Multiple Vulnerabilities in Apple QuickTime Player Could Allow for Remote Code Execution
OVERVIEW:
Multiple vulnerabilities have been discovered in Apple QuickTime Player. Apple QuickTime Player is used to play media files on Microsoft Windows and Mac OS X operating systems. These vulnerabilities can be exploited if a user visits a malicious webpage or opens a malicious file, including an e-mail attachment, using a vulnerable version of Apple QuickTime Player. Successful exploitation will result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
SYSTEMS AFFECTED:
- Apple QuickTime Player 7.6.1
- Apple QuickTime Player 7.5.x
- Apple QuickTime Player 7.4.x
- Apple QuickTime Player 7.3.x
- Apple QuickTime Player 7.2
- Apple QuickTime Player 7.1.x
- Apple QuickTime Player 7.0.x
- Apple QuickTime Player 6.5.x
- Apple QuickTime Player 6.4
- Apple QuickTime Player 6.1.0
- Apple QuickTime Player 6
- Apple QuickTime Player 5.0.2
RISK:
Government:
Large and medium government entities: High
Small government entities: High
Businesses:
Large and medium business entities: High
Small business entities: High
Home users: High
DESCRIPTION:
Apple QuickTime Player is a media player for the Microsoft Windows and Mac OS X operating systems.
Multiple vulnerabilities have been discovered in Apple QuickTime Player. These vulnerabilities are due to three types of flaws in the application. The first flaw is a heap-based buffer-overflow issue due to the application failing to perform adequate boundary checks on user-supplied data. This problem occurs when handling the following items:
- 'CRGN' (Clipping Region) atoms in movie files.
- PICT images.
- JP2 images.
- MS ADPCM-encoded audio in AVI files.
- PSD image files, including compressed PSD image data.
The second flaw in the application is a memory corruption issue due to the application failing to perform adequate boundary checks on user-supplied data. This problem occurs when handling malformed Sorenson 3 video files.
The third flaw in the application is a memory corruption issue in the way Apple QuickTime Player handles image description atoms. Image description atoms are the entries in a video track's sample description table; they tell the player how the frames in that track are encoded (codec, dimensions, color depth). Opening a malicious movie file with a malformed image description atom can cause either an unexpected application termination or arbitrary code execution on the victim's computer.
These vulnerabilities can be exploited if a user visits a malicious webpage or opens a malicious file, including an e-mail attachment, using a vulnerable version of Apple QuickTime Player. Successful exploitation will result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts may result in denial-of-service conditions.
RECOMMENDATIONS:
We recommend the following actions be taken:
- Apply the appropriate updates (Apple QuickTime 7.6.2 or later) to vulnerable systems immediately after appropriate testing. The update is available at: http://www.apple.com/quicktime/download/
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Do not visit unknown or un-trusted Web sites or follow links provided by unknown or un-trusted sources.
- Do not open email attachments from unknown or un-trusted sources.
- Consider blocking QuickTime media at your proxy server and email gateways.
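The following Python script is an added triage helper for gateway or incident-response use; it is not code from Apple, MS-ISAC, or any of the referenced advisories. It walks the atom tree of a QuickTime movie with the boundary checks the vulnerable parser lacked: every atom's declared size must fit inside its parent, and a size smaller than the header is rejected rather than looping forever. It then reports whether the file contains the atom types named above ('crgn' clipping region atoms and the 'stsd' sample description table that holds image description atoms). The container-atom set and the two sample movies are assumptions constructed for this example, and the presence of a 'crgn' or 'stsd' atom is not by itself evidence of an exploit, since both are legitimate parts of the file format; the script only narrows which files deserve a closer look.

```python
"""Walk a QuickTime (.mov) atom tree with strict bounds checks and report
structural problems plus the atom types the MS-ISAC advisory names.

Added example for triage; not Apple or MS-ISAC code. Sample movies below
are constructed inline and contain no real exploit data.
"""
import struct

# Atoms that only contain other atoms. Assumed from the QuickTime File
# Format; deliberately conservative and not exhaustive.
CONTAINER_ATOMS = {b"moov", b"trak", b"mdia", b"minf", b"stbl",
                   b"clip", b"edts", b"udta", b"dinf"}

# Atom types named in the advisory's description of affected code paths.
ATOMS_OF_INTEREST = {
    b"crgn": "clipping region (CRGN) atom",
    b"stsd": "sample description table (holds image description atoms)",
}


def walk_atoms(data, start=0, end=None, depth=0, atoms=None, problems=None):
    """Parse atoms in data[start:end]; return (atoms, problems).

    atoms holds (depth, type, size) tuples in file order. problems holds
    human-readable descriptions of malformed headers. Parsing of a
    container stops at the first problem so a bad size cannot drag the
    cursor outside its parent.
    """
    end = len(data) if end is None else end
    atoms = [] if atoms is None else atoms
    problems = [] if problems is None else problems
    pos = start
    while pos < end:
        if end - pos < 8:
            problems.append(f"offset {pos}: {end - pos} trailing byte(s), "
                            "too short for an atom header")
            break
        size, atype = struct.unpack_from(">I4s", data, pos)
        name = atype.decode("latin-1")
        header = 8
        if size == 1:                      # 64-bit size follows the header
            if end - pos < 16:
                problems.append(f"{name} at offset {pos}: truncated 64-bit size")
                break
            (size,) = struct.unpack_from(">Q", data, pos + 8)
            header = 16
        elif size == 0:                    # atom extends to end of parent
            size = end - pos
        if size < header:
            problems.append(f"{name} at offset {pos}: size {size} smaller than header")
            break
        if pos + size > end:
            problems.append(f"{name} at offset {pos}: declared size {size} "
                            f"overruns parent end {end}")
            break
        atoms.append((depth, atype, size))
        if atype in CONTAINER_ATOMS:
            walk_atoms(data, pos + header, pos + size, depth + 1, atoms, problems)
        pos += size
    return atoms, problems


def triage(data):
    """Summarize a movie: atom types present, advisory-relevant atoms, problems."""
    atoms, problems = walk_atoms(data)
    present = {atype for _, atype, _ in atoms}
    return {
        "atoms": [atype.decode("latin-1") for _, atype, _ in atoms],
        "of_interest": [ATOMS_OF_INTEREST[t] for t in sorted(present)
                        if t in ATOMS_OF_INTEREST],
        "problems": problems,
        "well_formed": not problems,
    }


def atom(atype, payload=b""):
    """Build a correctly sized atom (used only to construct sample input)."""
    return struct.pack(">I4s", 8 + len(payload), atype) + payload


# Constructed, well-formed movie skeleton with a clipping region and an stsd.
GOOD_MOVIE = (
    atom(b"ftyp", b"qt  \x00\x00\x00\x00qt  ")
    + atom(b"moov",
           atom(b"mvhd", bytes(100))
           + atom(b"trak",
                  atom(b"clip", atom(b"crgn", b"\x00\x0a" + bytes(8)))
                  + atom(b"mdia", atom(b"minf", atom(b"stbl",
                                                     atom(b"stsd", bytes(8)))))))
)

# Constructed malformed movie: the crgn atom claims 0x7FFFFFFF bytes but its
# parent clip atom is only 26 bytes long.
BAD_CRGN = struct.pack(">I4s", 0x7FFFFFFF, b"crgn") + bytes(10)
BAD_MOVIE = atom(b"moov", atom(b"trak", atom(b"clip", BAD_CRGN)))

if __name__ == "__main__":
    for label, movie in (("good", GOOD_MOVIE), ("bad", BAD_MOVIE)):
        print(label, triage(movie))
```

Files reported as not well-formed, or well-formed files that carry atoms of interest and arrive from an untrusted source, are the ones to hold at the gateway or examine further; a clean report does not prove a file is safe, since the script validates only atom framing, not the contents of each atom.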
REFERENCES:
Security Focus:
http://www.securityfocus.com/advisories/17041
http://www.securityfocus.com/bid/35159
http://www.securityfocus.com/bid/35161
http://www.securityfocus.com/bid/35162
http://www.securityfocus.com/bid/35163
http://www.securityfocus.com/bid/35164
http://www.securityfocus.com/bid/35165
http://www.securityfocus.com/bid/35166
http://www.securityfocus.com/bid/35167
http://www.securityfocus.com/bid/35168
Secunia:
http://secunia.com/advisories/35091/
http://secunia.com/secunia_research/2009-6
CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0010
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0185
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0188
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0951
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0952
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0953
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0954
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0955
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0956
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0957
Apple:
http://support.apple.com/kb/HT3591
This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.
