Apple released QuickTime 7.5 late on Monday, fixing a handful of security issues, including holes that would have allowed someone to run malicious code on a computer and remotely control it.
One of the issues, which would have allowed a maliciously crafted PICT image file to run code, affected computers running Windows Vista and XP SP2.
Four other issues affected Vista and XP SP2, as well as Mac OS X 10.3.9, Mac OS X 10.4.9 through 10.4.11, and Mac OS X 10.5 or later. QuickTime 7.5 fixes a memory corruption issue in the software's handling of AAC-encoded media content; a heap buffer overflow related to PICT images; a stack buffer overflow related to the handling of Indeo video codec content; and a URL issue that was addressed by revealing files in Finder or Windows Explorer rather than launching them.
More information can be found on the Apple Web site.
Credit for reporting the different security issues was given to Dyon Balding of Secunia Research; Dave Soldera of NGS Software and Jens Alfke; Liam O Murchu of Symantec; an anonymous researcher working with TippingPoint's Zero Day Initiative; and Vinoo Thomas and Rahul Mohandas of McAfee Avert Labs, along with Petko D. Petkov of Gnucitizen working with TippingPoint's Zero Day Initiative.
Two months ago, Apple released QuickTime 7.4.5, which addressed a number of "highly critical" security flaws in the media player.
Apple has released a QuickTime security update to address "highly critical" security flaws in its media player that could allow malicious attackers to take control of a user's system.
The security flaws affect QuickTime 7 versions running on the Mac OS X and Windows. Users are advised to update to QuickTime 7.4.5, according to an Apple advisory issued Wednesday.
Apple issued 11 security updates designed to prevent malicious attackers from disclosing users' sensitive information, executing arbitrary code, or causing an application to suddenly crash.
Users can be hit with such evil dealings when visiting a Web site rigged with malicious Java applets, view a tampered movie file or open a malicious PICT image file, according to the advisory.
Lovely, eh?
For those who want to delve deeper into the nitty gritty details of the vulnerabilities check out TippingPoint Zero Day Initiative, which discovered some of these flaws, as well as security researcher Secunia, which lists all 11 updates.
Apple released the first patches for 2008 to the QuickTime media player as well as the iPhone and iPod Touch on January 15.
The updates to QuickTime 7.4 for Windows and Mac users are designed to prevent a system from being hijacked when malicious movie files are opened.
Apple Downloads lists the updates for Windows XP and Vista as well as Mac OS X 10.3.9 and higher. Mac users also can access the download via Apple's Software Update.
Memory corruption issues in QuickTime's handling of Sorenson 3 video, Macintosh Resource Records, and Image Descriptor atoms are to blame for three of four noted security holes. The fix also closes a gap left when QuickTime processes compressed PICT graphics.
However, the updates do not address a vulnerability in QuickTime's streaming media protocol, publicized by Italian researcher Luigi Auriemma earlier this month.
The last fix to QuickTime was made December 13.
Apple's iPhone and iPod Touch updates are designed to bolster Passcode Lock and prevent unauthorized users from launching applications, as well as to keep owners from inadvertently leaking sensitive data via phishing Web sites accessed through Safari.
The version 1.1.3 fixes are available for download only through updates to iTunes, which should prompt users to accept the changes. Docking an iPhone or iPod Touch will also trigger the updates to be made.
I'm starting to wonder if anything about Linux is going to be easy. But I remain undaunted in my efforts to use Ubuntu 7.10, or Gutsy Gibbon, to accomplish the same computing tasks for which I use Windows. Now that I've got Flash and QuickTime working in Ubuntu, I feel like I'm nearly there.
I say "nearly" because I'm still running into some glitches, this week relating to getting the full suite of updates available for Gutsy installed. The update failure is a minor inconvenience compared to the crashes I experienced last week whenever I tried to run a Flash or QuickTime video.
After poking around the Linux forums, I found out that Ubuntu installs a la carte: only the truly free supporting software is included in the default installation, which excludes proprietary media players such as Adobe's Flash and Apple's QuickTime. To get these restricted formats to play, you have to install a set of files called ubuntu-restricted-extras.
Once I got them loaded, I checked the Synaptic Package Manager and found their listing. I still had to find, download, and install the Flash Player for Linux. I'm not going to complain about the multiple steps required, though. Compared to Windows' kitchen sink approach to software installation and updating, I'm coming to appreciate Ubuntu's download-as-needed philosophy.
To get Flash, QuickTime, and other proprietary media players to work in Ubuntu, you have to install a set of files manually.
After I reopened Firefox, the Flash and QuickTime files that previously sent Ubuntu into a tailspin ran without a hitch. Even though the process took me about three hours of searching, downloading, installing, downloading some more, and installing some more, I'm becoming familiar with the operating system.
Using Ubuntu's Terminal applet for system maintenance is similar to the old DOS days of living on the command line. You won't save much time initially when you switch from Windows to Ubuntu, but once you get used to the Linux style of computing, I bet you'll spend more time working and less time futzing with your "tools".
That's not to say everything's peachy for me on Linux Street: right now, the update notification icon keeps telling me that there's an update available, but when I run the Update Manager, the file xserver-xorg-core won't download. It's a minor annoyance, I know, but when I close the error dialog box, the updater keeps prompting me to download the update. I have no idea how important the file is--or whether I really need it. All I know is that I can't get it.
Ubuntu's Update Manager can't download a file the Notification alert recommends that you install.
Apart from this minor annoyance, I'm pretty happy about the progress I've made as a Linux neophyte. I'm a long way from wiping Windows off the drives of my other PCs, but it's a heck of a start.
Tomorrow: Five super Office add-ons.
There is a new exploit that affects how Apple QuickTime handles the Real Time Streaming Protocol (RTSP) and may allow an attacker to execute arbitrary code or cause a denial-of-service attack on a vulnerable system. The condition is similar yet different from a QuickTime RTSP flaw reported in December. This new vulnerability can occur on a fully patched QuickTime version 7.3.1, running on Windows and possibly Mac OS X.
Discovered by Luigi Auriemma, details can be found here, and here. Auriemma provides an exploit example on his site and writes: "For exploiting this vulnerability is only needed that an user follows a rtsp:// link, if the port 554 of the server is closed QuickTime will automatically change the transport and will try the HTTP protocol on port 80, the 404 error message of the server (other error numbers are valid too) will be visualized in the LCD-like screen."
Apple has not said when a patch for this will become available.
The Apple QuickTime zero-day exploits are also targeting systems running Apple Safari 3.0 on Windows, Firefox, and Microsoft's Vista, XP, Internet Explorer 6, and IE7,
SANS also reminded people to undo the workarounds once Apple develops a patch for the security problem. Otherwise, the QuickTime streams won't work on your system.
Security researchers are warning that exploit code has been published that can take advantage of an extremely critical security flaw in a protocol supported by Apple QuickTime.
Apple QuickTime versions 7.2 and 7.3 on Microsoft Windows Vista and Windows XP Pro SP2 are both affected, according to an advisory originally posted on Milw0rm.com.
And because Apple's iTunes contains a component of QuickTime, installations of iTunes are also at risk, according to a security advisory by the United States Computer Emergency Readiness Team (US-CERT).
The security flaw is found in the Real Time Streaming Protocol (RTSP) supported by Apple's QuickTime Streaming Server and QuickTime player, US-CERT notes. As a result, users who load a malicious RTSP stream via a QuickTime Media Link file or by visiting a malicious Web page, may find their systems compromised. Malicious attackers, for example, could execute arbitrary code from users' systems or launch a denial-of-service attack.
Earlier this month, Apple released QuickTime 7.3 to address seven security flaws in QuickTime 7.2. The fixes, however, did not deal with the RTSP vulnerability cited by security researchers over the past three days.
US-CERT is recommending users consider several workarounds to potentially minimize exposure to the RTSP vulnerabilities. The workarounds include disabling QuickTime ActiveX controls on Internet Explorer, QuickTime plug-ins for Mozilla-based browsers, JavaScript, and file association for QuickTime files. Other suggestions include avoiding QuickTime files that come from untrusted sources.
Security firm Secunia has rated the vulnerability "extremely critical."
Apple on Monday released QuickTime version 7.3, addressing seven security vulnerablities for QuickTime 7.2 and earlier. Some of the flaws are serious and can be exploited by luring a victim to a Web site that contains a malicious crafted image or movie. The patches include both Mac OS X and Windows. A month ago, Apple patched another serious flaw within QuickTime for Windows. The latest version is available through the built-in software update feature of QuickTime or from the Apple Downloads site.
QuickTime (image description)
This patch affects users of QuickTime 7.2 on Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5, Windows Vista, and Windows XP SP2, and addresses the vulnerability in CVE-2007-2395. According to Apple, "a memory corruption issue exists in QuickTime's handling of image description atoms. By enticing a user to open a maliciously crafted movie file, an attacker may cause an unexpected application termination or arbitrary code execution." Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution." Apple credits Dylan Ashe of Adobe Systems for reporting this vulnerability.
QuickTime (Sample Table Sample Descriptor (STSD) )
This patch affects users of QuickTime 7.2 on Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5, Windows Vista, and Windows XP SP2, and addresses the vulnerability in CVE-2007-3750. Apple says "a heap buffer overflow exists in QuickTime Player's handling of Sample Table Sample Descriptor (STSD) atoms. By enticing a user to open a maliciously crafted movie file, an attacker may cause an unexpected application termination or arbitrary code execution." Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. Apple credits Tobias Klein of www.trapkit.de for reporting this vulnerability.
QuickTime (Java)
This patch affects users of QuickTime 7.2 on Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5, Windows Vista, and Windows XP SP2, and addresses the vulnerability in CVE-2007-3751. According to Apple, "multiple vulnerabilities exist in QuickTime for Java, which may allow untrusted Java applets to obtain elevated privileges. By enticing a user to visit a Web page containing a maliciously crafted Java applet, an attacker may cause the disclosure of sensitive information and arbitrary code execution with elevated privileges." Untrusted Java applets may obtain elevated privileges. Apple credits Adam Gowdiak for reporting this issue.
QuickTime (PICT image processing I)
This patch affects users of QuickTime 7.2 on Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5, Windows Vista, and Windows XP SP2, and addresses the vulnerability in CVE-2007-4672. Apple says "a stack buffer overflow exists in PICT image processing. By enticing a user to open a maliciously crafted image, an attacker may cause an unexpected application termination or arbitrary code execution." A user opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution. Apple credits Ruben Santamarta of ReverseMode.com working with TippingPoint and the Zero Day Initiative for reporting this issue.
QuickTime (PICT image processing II)
This patch affects users of QuickTime 7.2 on Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5, Windows Vista, and Windows XP SP2, and addresses the vulnerability in CVE-2007-4676. According to Apple "a heap buffer overflow exists in PICT image processing. By enticing a user to open a maliciously crafted image, an attacker may cause an unexpected application termination or arbitrary code execution." A user opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution. Apple credits Ruben Santamarta of ReverseMode.com working with TippingPoint and the Zero Day Initiative for reporting this issue.
QuickTime (QTVR)
This patch affects users of QuickTime 7.2 on Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5, Windows Vista, and Windows XP SP2, and addresses the vulnerability in CVE-2007-4675. Apple says "a heap buffer overflow exists in QuickTime's handling of panorama sample atoms in QTVR (QuickTime Virtual Reality) movie files. By enticing a user to view a maliciously crafted QTVR file, an attacker may cause an unexpected application termination or arbitrary code execution." Viewing a maliciously crafted QTVR movie file may lead to an unexpected application termination or arbitrary code execution. Apple credits Mario Ballano from 48Bits.com working with the VeriSign iDefense VCP for reporting this issue.
QuickTime (color table)
This patch affects users of QuickTime 7.2 on Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5, Windows Vista, and Windows XP SP2, and addresses the vulnerability in CVE-2007-4677. According to Apple, "a heap buffer overflow exists in the parsing of the color table atom when opening a movie file. By enticing a user to open a maliciously crafted movie file, an attacker may cause an unexpected application termination or arbitrary code execution." Apple credits Ruben Santamarta of ReverseMode.com and Mario Ballano of 48Bits.com working with TippingPoint and the Zero Day Initiative for reporting this issue.
Apple today released security updates for the Windows version of Quicktime. The update is available from the Apple Downloads site.
The patch affects users of QuickTime 7.2 on Windows Vista, XP SP2, and addresses the vulnerability in CVE-2007-4673. Currently, viewing maliciously crafted Quicktime files may lead to arbitrary code execution. "A command injection issue exists in QuickTime's handling of URLs in the qtnext field in files with QTL content. By enticing a user to open a specially crafted file, an attacker may cause an application to be launched with controlled command line arguments, which may lead to arbitrary code execution," Apple describes.
Mozilla today fixed a vulnerable in how Apple QuickTime Media-Link files contain a qtnext attribute that could be used on Windows systems to launch the default browser with arbitrary command-line options. Although the problem appeared to be resolved earlier this year, researcher Petko D. Petkov and others found recently that it could still be exploited.
A previous fix in July's Firefox version 2.0.05 was intended to resolve this issue, but, according to Mozilla, "QuickTime calls the browser in an unexpected way that bypasses that fix." Also, Apple's own fix in the release of QuickTime 7.1.5 last March failed to resolve the issue.
The security update for Firefox has been automatically pushed out to current users. New users can download the latest version from Mozilla directly .
Finally, Mozilla notes that the upcoming release of Firefox 3 (Gran Paradiso) Alpha 8, expected today or tomorrow, does not contain the fix for this vulnerability.
In addition to providing full-screen viewing and various iPhone options, the latest version of QuickTime 7.2 includes eight important security fixes. This update affects users of Mac OS X v10.3.9, Mac OS X v10.4.9, as well as users of Windows XP and Windows Vista. The QuickTime update is available from Apple's Software Download for both Mac OS X and Windows users.
QuickTime H.264 movie files
This patch affects users of Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista, and XP SP2 and addresses the vulnerability in CVE-2007-2295. When viewing a maliciously crafted H.264 movie, an attack may produce an unexpected application termination or arbitrary code execution. Apple credits Tom Ferris of Security-Protocols.com, and Matt Slot of Ambrosia Software, Inc. for reporting this issue.
... Read more
