SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Multimedia)  >   QuickTime Vendors:   Apple Computer
QuickTime Movie/PICT/QTVR/Java Bugs Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1018894
SecurityTracker URL:  http://securitytracker.com/id/1018894
CVE Reference:   CVE-2007-2395, CVE-2007-3750, CVE-2007-3751, CVE-2007-4672, CVE-2007-4674, CVE-2007-4675, CVE-2007-4676, CVE-2007-4677   (Links to External Site)
Updated:  Nov 28 2007
Original Entry Date:  Nov 5 2007
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 7.3
Description:   Several vulnerabilities were reported in QuickTime. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create a specially crafted file that, when loaded by the target user, will execute arbitrary code on the target system. The code will run with the privileges of the target user.

A movie with a specially crafted image description atom can trigger code execution [CVE-2007-2395]. Dylan Ashe of Adobe Systems Incorporated reported this vulnerability.

A movie with specially crafted Sample Table Sample Descriptor (STSD) atoms can trigger code execution [CVE-2007-3750]. Tobias Klein of www.trapkit.de reported this vulnerability.

A specially crafted Java applet can obtain potentially sensitive information or execute arbitrary code with elevated privileges on the target user's system [CVE-2007-3751]. Adam Gowdiak for reported this vulnerability.

A specially crafted PICT image can trigger arbitrary code execution [CVE-2007-4672, CVE-2007-4676]. Ruben Santamarta of reversemode.com reported these vulnerabilities via TippingPoint.

A movie file with a specially crafted movie atom can trigger arbitrary code execution [CVE-2007-4674]. Cody Pierce of TippingPoint DVLabs reported this vulnerability.

A specially crafted QTVR movie can trigger arbitrary code execution [CVE-2007-4675]. Mario Ballano from 48bits.com reported this vulnerability via iDefense.

A movie file with a specially crafted color table atom can trigger arbitrary code execution [CVE-2007-4677]. Ruben Santamarta of reversemode.com and Mario Ballano of 48bits.com reported this vulnerability via TippingPoint.

Impact:   A remote user can create a file that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution:   The vendor has issued a fixed version (7.3), available from the Software Update application, or from the Apple Downloads site at:

http://www.apple.com/support/downloads/

For Mac OS X v10.5
The download file is named: "QuickTime730_Leopard.dmg"
Its SHA-1 digest is: 581a470ce7b98b3c7e515fd8d610502a94214933

For Mac OS X v10.4.9 or later
The download file is named: "QuickTime730_Tiger.dmg"
Its SHA-1 digest is: 191e9789a9207921424185db1dc37792c7ec78e

For Mac OS X v10.3.9
The download file is named: "QuickTime730_Panther.dmg"
Its SHA-1 digest is: 969324ae94afe82173f155d7db31dbce8c02dd0

QuickTime 7.3 for Windows Vista, XP SP2
The download file is named: "QuickTimeInstaller.exe"
Its SHA-1 digest is: 14788da58ad4e1cc219d4a92b833ca49b9d99e59

QuickTime 7.3 with iTunes for Windows Vista, XP SP2
The download file is named: "iTunes75Setup.exe"
Its SHA-1 digest is: b38005b53e608dcd2b4fe18b44cc419fefbc9411

The Apple advisory is available at:

http://docs.info.apple.com/article.html?artnum=306896

Vendor URL:  docs.info.apple.com/article.html?artnum=306896 (Links to External Site)
Cause:   Access control error, Boundary error, Input validation error
Underlying OS:   UNIX (OS X), Windows (Vista), Windows (XP)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Oct 3 2008 (Apple Issues Fix for Apple TV) QuickTime Movie/PICT/QTVR/Java Bugs Let Remote Users Execute Arbitrary Code   (Apple Product Security <product-security-noreply@lists.apple.com>)
Apple has released a fix for Apple TV.



 Source Message Contents

Date:  Mon, 5 Nov 2007 12:46:05 -0800
Subject:  APPLE-SA-2007-11-05 QuickTime 7.3

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2007-11-05 QuickTime 7.3

QuickTime 7.3 is now available and addresses the following issues:

QuickTime
CVE-ID:  CVE-2007-2395
Available for:  Mac OS X v10.3.9, Mac OS X v10.4.9 or later,
Mac OS X v10.5, Windows Vista, XP SP2
Impact:  Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue exists in QuickTime's
handling of image description atoms. By enticing a user to open a
maliciously crafted movie file, an attacker may cause an unexpected
application termination or arbitrary code execution. This update
addresses the issue by performing additional validation of QuickTime
image descriptions. Credit to Dylan Ashe of Adobe Systems
Incorporated for reporting this issue.

QuickTime
CVE-ID:  CVE-2007-3750
Available for:  Mac OS X v10.3.9, Mac OS X v10.4.9 or later,
Mac OS X v10.5, Windows Vista, XP SP2
Impact:  Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A heap buffer overflow exists in QuickTime Player's
handling of Sample Table Sample Descriptor (STSD) atoms. By enticing
a user to open a maliciously crafted movie file, an attacker may
cause an unexpected application termination or arbitrary code
execution. This update addresses the issue by performing additional
validation of STSD atoms. Credit to Tobias Klein of www.trapkit.de
for reporting this issue.

QuickTime
CVE-ID:  CVE-2007-3751
Available for:  Mac OS X v10.3.9, Mac OS X v10.4.9 or later,
Mac OS X v10.5, Windows Vista, XP SP2
Impact:  Untrusted Java applets may obtain elevated privileges
Description:  Multiple vulnerabilities exist in QuickTime for Java,
which may allow untrusted Java applets to obtain elevated privileges.
By enticing a user to visit a web page containing a maliciously
crafted Java applet, an attacker may cause the disclosure of
sensitive information and arbitrary code execution with elevated
privileges. This update addresses the issues by making QuickTime for
Java no longer accessible to untrusted Java applets. Credit to Adam
Gowdiak for reporting this issue.

QuickTime
CVE-ID:  CVE-2007-4672
Available for:  Mac OS X v10.3.9, Mac OS X v10.4.9 or later,
Mac OS X v10.5, Windows Vista, XP SP2
Impact:  Opening a maliciously crafted PICT image may lead to an
unexpected application termination or arbitrary code execution
Description:  A stack buffer overflow exists in PICT image
processing. By enticing a user to open a maliciously crafted image,
an attacker may cause an unexpected application termination or
arbitrary code execution. This update addresses the issue by
performing additional validation of PICT files. Credit to Ruben
Santamarta of reversemode.com working with TippingPoint and the Zero
Day Initiative for reporting this issue.

QuickTime
CVE-ID:  CVE-2007-4676
Available for:  Mac OS X v10.3.9, Mac OS X v10.4.9 or later,
Mac OS X v10.5, Windows Vista, XP SP2
Impact:  Opening a maliciously crafted PICT image may lead to an
unexpected application termination or arbitrary code execution
Description:  A heap buffer overflow exists in PICT image processing.
By enticing a user to open a maliciously crafted image, an attacker
may cause an unexpected application termination or arbitrary code
execution. This update addresses the issue by performing additional
validation of PICT files. Credit to Ruben Santamarta of
reversemode.com working with TippingPoint and the Zero Day Initiative
for reporting this issue.

QuickTime
CVE-ID:  CVE-2007-4675
Available for:  Mac OS X v10.3.9, Mac OS X v10.4.9 or later,
Mac OS X v10.5, Windows Vista, XP SP2
Impact:  Viewing a maliciously crafted QTVR movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A heap buffer overflow exists in QuickTime's handling
of panorama sample atoms in QTVR (QuickTime Virtual Reality) movie
files. By enticing a user to view a maliciously crafted QTVR file, an
attacker may cause an unexpected application termination or arbitrary
code execution. This update addresses the issue by performing bounds
checking on panorama sample atoms. Credit to Mario Ballano from
48bits.com working with the VeriSign iDefense VCP for reporting this
issue.

QuickTime
CVE-ID:  CVE-2007-4677
Available for:  Mac OS X v10.3.9, Mac OS X v10.4.9 or later,
Mac OS X v10.5, Windows Vista, XP SP2
Impact:  Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A heap buffer overflow exists in the parsing of the
color table atom when opening a movie file. By enticing a user to
open a maliciously crafted movie file, an attacker may cause an
unexpected application termination or arbitrary code execution. This
update addresses the issue by performing additional validation of
color table atoms. Credit to Ruben Santamarta of reversemode.com and
Mario Ballano of 48bits.com working with TippingPoint and the Zero
Day Initiative for reporting this issue.

QuickTime 7.3 may be obtained from the Software Update
application, or from the Apple Downloads site:
http://www.apple.com/support/downloads/

For Mac OS X v10.5
The download file is named:  "QuickTime730_Leopard.dmg"
Its SHA-1 digest is:  581a470ce7b98b3c7e515fd8d610502a94214933

For Mac OS X v10.4.9 or later
The download file is named:  "QuickTime730_Tiger.dmg"
Its SHA-1 digest is:  191e9789a9207921424185db1dc37792c7ec78e

For Mac OS X v10.3.9
The download file is named:  "QuickTime730_Panther.dmg"
Its SHA-1 digest is:  969324ae94afe82173f155d7db31dbce8c02dd0

QuickTime 7.3 for Windows Vista, XP SP2
The download file is named:  "QuickTimeInstaller.exe"
Its SHA-1 digest is:  14788da58ad4e1cc219d4a92b833ca49b9d99e59

QuickTime 7.3 with iTunes for Windows Vista, XP SP2
The download file is named:  "iTunes75Setup.exe"
Its SHA-1 digest is:  b38005b53e608dcd2b4fe18b44cc419fefbc9411

Information will also be posted to the Apple Product Security
web site:  http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.3 (Build 2932)

iQEVAwUBRy+AA8gAoqu4Rp5tAQiMpggAkcS1K1tPbqHw+KvdP7e3ck2jMIAUXN83
/ghr8z5yL54pONas3GE96vsp1qyYVAzKuGoG4iRpMe+7fMYk+TOfLR7TWhaC+Usw
m+NVPESANt8sKamKNdbtLyHhHEvXSi4dC8/WdIbifW115IvfAH/E/L2IDSlB6Nih
jpQ83jWDluI+T/jit04A7p0aAfry8PJEjal7sQ8ZLnBHthRsel78a729Nk036dl7
+Pfh/SZedNq0v4aLH22gDTt7rImcyJ1oY4hBOLh9KGZGe1ppmCB/UtG5woAqgbFz
G98/8MEQT0/bwBjsoTJ8G6eSUeMvmmUuBACSrW+EwxoUExres5zHGw==
=u231
-----END PGP SIGNATURE-----

 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list      (Security-announce@lists.apple.com)
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC