
Apple QuickTime Multiple Vulnerabilities


Secunia ID

SA39259

CVE-ID

CVE-2010-0530, CVE-2010-1508, CVE-2010-3787, CVE-2010-3788, CVE-2010-3789, CVE-2010-3790, CVE-2010-3791, CVE-2010-3792, CVE-2010-3793, CVE-2010-3794, CVE-2010-3795, CVE-2010-3800, CVE-2010-3801, CVE-2010-3802, CVE-2010-4009

Release Date

11 Nov 2010

Last Change

21 Sep 2011

Criticality

Highly Critical

Solution Status

Vendor Patch

Software

Apple QuickTime 7.x

Where

From remote

Impact
System access

This covers vulnerabilities where malicious people are able to gain system access and execute arbitrary code with the privileges of a local user.

Exposure of sensitive information

Vulnerabilities where documents or credentials are leaked or can be revealed either locally or from remote.

Manipulation of data

This includes vulnerabilities where a user or a remote attacker can manipulate local data on a system, but not necessarily be able to gain escalated privileges or system access.

The most frequent type of vulnerabilities with this impact are SQL-injection vulnerabilities, where a malicious user or person can manipulate SQL queries.

Description

Multiple vulnerabilities have been reported in QuickTime, which can be exploited by malicious, local users to disclose potentially sensitive information or manipulate certain data, and by malicious people to compromise a user's system.

1) An array-indexing error when parsing the extra data bits in Sorenson Video 3 content can be exploited to cause a value read from outside an array of pointers to be used as a write pointer during decompression.

The vulnerability is confirmed in versions 7.6.6 and 7.6.8. Other versions may also be affected.

2) An error when parsing "rec" chunks within AVI files can be exploited to corrupt memory.

3) An uninitialised pointer error in the support for Huffman tables within FlashPix files can be exploited to use an invalid value as a destination pointer when copying data.

4) An input validation error in the support for a component within the "SIZ" marker in a JPEG 2000 image can be exploited to use uninitialised data as an object during decompression.

5) An input validation error in the LZW decompression of GIF images can be exploited to cause a heap-based buffer overflow.

6) An input validation error in QuickTimeMPEG.qtx when parsing the media rate field of an "ELST" atom's edit list table data can be exploited to corrupt memory.

7) A signedness error in quicktime.qtx when parsing a certain offset in a "m1s" atom can be exploited to corrupt memory.

8) A type confusion error in QuickTime within the processing of JP2 codestreams can be exploited to cause a heap-based buffer overflow, which may allow execution of arbitrary code when a specially crafted JP2 image is being viewed.

9) An error in QuickTime when performing transformations may allow execution of arbitrary code.

For more information see vulnerability #43 in:
SA42151

10) Input validation errors in the QuickTime PictureViewer when processing a PICT file can be exploited to e.g. cause a buffer overflow.

11) An input validation error in the processing of length properties in FlashPix images can be exploited to corrupt memory.

12) A signedness error in the handling of panorama atoms in QTVR (QuickTime Virtual Reality) movie files can be exploited to trigger the usage of an invalid pointer and corrupt memory.

13) A security issue is caused due to the application creating the "%UserProfile%\Local Settings\Application Data\Apple Computer\" directory with insecure default permissions. This can be exploited by unprivileged users to write or read from potentially sensitive files placed inside the affected directory by e.g. Safari.

14) An integer overflow error in the handling of movie files can be exploited to corrupt memory.

15) A boundary error when copying track content based on the track's dimensions can be exploited to cause a heap-based buffer overflow.

Successful exploitation of the vulnerabilities may allow execution of arbitrary code.
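Items 6, 7 and 14 are all size, offset or count fields trusted before they are checked: a signed comparison lets a size with the top bit set look negative, and multiplying an untrusted count by the entry size can wrap before the comparison. The following parser for a version-0 "elst" (edit list) atom is an added example written for this page, not Apple's code and not a reconstruction of the QuickTime defects. It follows the QuickTime File Format layout (32-bit big-endian atom size, type, 1-byte version, 3-byte flags, 32-bit entry count, then 12-byte entries of track duration, media time and 16.16 fixed-point media rate, which the format says cannot be zero or negative). The function names and the sample atoms are constructed; `signed_size_check_bug` shows the flawed pattern beside the hardened one.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

struct elst_entry { uint32_t duration; int32_t media_time; int32_t media_rate; };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* The flawed pattern: the size field read as a signed int. 0x80000000
   becomes INT32_MIN and sails past "size <= len". Returns 1 if accepted. */
int signed_size_check_bug(const uint8_t *buf, size_t len)
{
    int32_t size = (int32_t)be32(buf);
    return size <= (int32_t)len;
}

/* Hardened parser. Returns the entry count, or -1 if the atom is malformed. */
long parse_elst(const uint8_t *buf, size_t len,
                struct elst_entry *out, size_t out_cap)
{
    if (len < 16) return -1;                  /* size+type+ver/flags+count */
    uint32_t size = be32(buf);                /* unsigned: no negative sizes */
    if (size < 16 || size > len) return -1;
    if (memcmp(buf + 4, "elst", 4) != 0) return -1;
    if (buf[8] != 0) return -1;               /* only version 0 (12-byte entries) */

    uint32_t count = be32(buf + 12);
    size_t payload = size - 16;
    /* Compare by division: count * 12 can wrap (0x40000000 * 12 == 0 mod 2^32),
       so the untrusted count is never multiplied before it is checked. */
    if (count > payload / 12) return -1;
    if (count > out_cap) return -1;

    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = buf + 16 + (size_t)i * 12;
        out[i].duration   = be32(e);
        out[i].media_time = (int32_t)be32(e + 4);   /* -1 marks an empty edit */
        out[i].media_rate = (int32_t)be32(e + 8);   /* 16.16 fixed point */
        if (out[i].media_rate <= 0) return -1;      /* spec forbids 0 and negative */
    }
    return (long)count;
}

/* Constructed sample atoms (not taken from any real file). */
static const uint8_t GOOD_ELST[] = {
    0x00,0x00,0x00,0x28, 'e','l','s','t',      /* size 40, type          */
    0x00, 0x00,0x00,0x00,                      /* version 0, flags       */
    0x00,0x00,0x00,0x02,                       /* 2 entries              */
    0x00,0x00,0x03,0xE8, 0xFF,0xFF,0xFF,0xFF, 0x00,0x01,0x00,0x00, /* 1000, empty, 1.0 */
    0x00,0x00,0x27,0x10, 0x00,0x00,0x00,0x00, 0x00,0x01,0x00,0x00, /* 10000, t=0, 1.0  */
};
static const uint8_t OVERFLOW_COUNT_ELST[] = {   /* count wraps to 0 when *12 */
    0x00,0x00,0x00,0x10, 'e','l','s','t', 0x00,0x00,0x00,0x00, 0x40,0x00,0x00,0x00,
};
static const uint8_t NEG_SIZE_ELST[] = {         /* size 0x80000000 */
    0x80,0x00,0x00,0x00, 'e','l','s','t', 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
};

int main(void)
{
    struct elst_entry ents[4];
    printf("good: %ld entries\n", parse_elst(GOOD_ELST, sizeof GOOD_ELST, ents, 4));
    printf("wrapped count: %ld\n",
           parse_elst(OVERFLOW_COUNT_ELST, sizeof OVERFLOW_COUNT_ELST, ents, 4));
    printf("negative size: %ld (signed check accepts it: %d)\n",
           parse_elst(NEG_SIZE_ELST, sizeof NEG_SIZE_ELST, ents, 4),
           signed_size_check_bug(NEG_SIZE_ELST, sizeof NEG_SIZE_ELST));
    return 0;
}
```

The division form of the count check is the point: with a 32-bit product, a count of 0x40000000 multiplies to zero and would "fit" any payload, after which the entry loop walks far beyond the atom. Checking `size > len` on an unsigned value rejects the 0x80000000 size that the signed comparison accepts.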

Solution

Update to version 7.6.9.
http://support.apple.com/kb/DL837

Note: When updating from a previous version, manually check and adjust the permissions of the "%UserProfile%\Local Settings\Application Data\Apple Computer\" directory.

Reported by

1) Carsten Eiram, Secunia Research; an anonymous person via ZDI.
2) Damian Put.
3, 5, 6, 7) An anonymous person via ZDI.
4) Damian Put and Procyun via ZDI.
8) Nils, MWR InfoSecurity, and Will Dormann, CERT/CC.
9) Honggang Ren, Fortinet's FortiGuard Labs; an anonymous person via ZDI.
10) Hossein Lotfi (s0lute), reported via iDefense; Moritz Jodeit (n.runs AG), Damian Put, Procyun, and Andrzej Dyjak, working with the ZDI.
11) Damian Put, via ZDI, and Rodrigo Rubira Branco, Check Point Vulnerability Discovery Team (VDT).
12) An anonymous person via ZDI.
13) Geoff Strickler.
14) Honggang Ren, Fortinet's FortiGuard Labs.
15) Carsten Eiram, Secunia Research; Moritz Jodeit of n.runs AG, via ZDI.

Original Advisory

Apple:
http://support.apple.com/kb/HT4435
http://support.apple.com/kb/HT4447

Secunia Research:
http://secunia.com/secunia_research/2010-60/
http://secunia.com/secunia_research/2010-72/

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-249/
http://www.zerodayinitiative.com/advisories/ZDI-10-250/
http://www.zerodayinitiative.com/advisories/ZDI-10-251/
http://www.zerodayinitiative.com/advisories/ZDI-10-252/
http://www.zerodayinitiative.com/advisories/ZDI-10-253/
http://www.zerodayinitiative.com/advisories/ZDI-10-254/
http://www.zerodayinitiative.com/advisories/ZDI-10-255/
http://www.zerodayinitiative.com/advisories/ZDI-10-258/
http://www.zerodayinitiative.com/advisories/ZDI-10-259/
http://www.zerodayinitiative.com/advisories/ZDI-10-260/
http://www.zerodayinitiative.com/advisories/ZDI-10-261/
http://www.zerodayinitiative.com/advisories/ZDI-10-262/
http://www.zerodayinitiative.com/advisories/ZDI-11-038/

MWR InfoSecurity:
http://labs.mwrinfosecurity.com/advisories/apple_quicktime_jp2_codestream_type_confusion/

iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=882

Rodrigo Rubira Branco:
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0468.html

FortiGuard Labs:
http://www.fortiguard.com/advisory/FGA-2010-62.html
http://www.fortiguard.com/advisory/FGA-2010-61.html

Geoff Strickler:
http://archives.neohapsis.com/archives/fulldisclosure/2011-09/0230.html