
Apple QuickTime Multiple Vulnerabilities


Secunia ID

SA47447

CVE-ID

CVE-2011-3458, CVE-2011-3459, CVE-2011-3460, CVE-2012-0265, CVE-2012-0658, CVE-2012-0659, CVE-2012-0660, CVE-2012-0661, CVE-2012-0663, CVE-2012-0664, CVE-2012-0665, CVE-2012-0666, CVE-2012-0667, CVE-2012-0668, CVE-2012-0669, CVE-2012-0670, CVE-2012-0671

Release Date

16 May 2012

Last Change

23 Aug 2012

Criticality

Highly Critical

Solution Status

Vendor Patch

Software

Apple QuickTime 7.x

Where

From remote

Impact

System access

This covers vulnerabilities where malicious people are able to gain system access and execute arbitrary code with the privileges of a local user.

Description

Multiple vulnerabilities have been reported in QuickTime, which can be exploited by malicious people to compromise a user's system.

1) Boundary errors within QuickTime3GPP.qtx when handling various XML element attributes can be exploited to cause stack-based buffer overflows via a specially crafted TeXML file.

2) A boundary error within the handling of Text Track Descriptors can be exploited to cause a heap-based buffer overflow.

3) Insufficient validation when parsing H.264 encoded movie files can be exploited to cause a heap-based buffer overflow when the "pic_width_in_mbs_minus_1" and "pic_height_in_map_units_minus_1" values in the AVCC header data differ from the actual picture dimensions.

4) An error exists within the parsing of MP4 encoded files.

For more information see vulnerability #26 in:
SA47843

5) An off-by-one error can be exploited to cause a single byte buffer overflow.

For more information see vulnerability #28 in:
SA47843

6) An error when handling audio samples can be exploited to cause a buffer overflow.

For more information see vulnerability #8 in:
SA49039

7) An integer overflow error exists within the handling of MPEG files.

For more information see vulnerability #9 in:
SA49039

8) An error in Quicktime.qts within the plugin's handling of QTMovie objects can be exploited to cause a stack-based buffer overflow.

9) An error when parsing the MediaVideo header in videos encoded with the PNG format can be exploited to cause a buffer overflow.

For more information see vulnerability #30 in:
SA47843

10) A signedness error in QuickTimeVR.qtx when parsing a QTVRStringAtom with an overly large "stringLength" value can be exploited to cause a stack-based buffer overflow via a specially crafted QTVR movie file.
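The defect class in #10 is a length field read into a signed type and compared against a fixed buffer, so values with the top bit set become negative, pass the size check, and are then widened to a huge unsigned count for the copy. The following C is an added illustration, not QuickTime code and not taken from the advisory: the atom layout (a 16-bit big-endian "stringLength" followed by the string bytes), the 255-byte capacity and the function names are constructed assumptions. It evaluates the flawed comparison without performing any copy, and beside it shows a parser that keeps the length unsigned and bounds it against both the destination and the bytes actually present in the atom.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed capacity of the destination buffer in this hypothetical parser. */
#define QTVR_STR_MAX 255

/* Big-endian 16-bit read. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* The flawed check pattern: the length is held in a signed 16-bit type and
 * compared against the buffer size. Raw values 0x8000..0xFFFF turn negative,
 * satisfy "len <= max", and would later be converted to a very large size_t
 * for the copy. Returns 1 if this check would (wrongly) admit the length.
 * Evaluation only; nothing is copied here. */
int signed_length_check_admits(uint16_t raw_len) {
    int16_t len = (int16_t)raw_len;
    return len <= (int16_t)QTVR_STR_MAX;
}

/* Hardened parse: the length stays unsigned and is checked against the
 * destination capacity and against the bytes remaining in the atom.
 * Returns the number of string bytes copied, or -1 on rejection. */
int parse_string_atom(const uint8_t *atom, size_t atom_len,
                      char out[QTVR_STR_MAX + 1]) {
    if (atom_len < 2) return -1;                 /* no room for the length field */
    uint16_t len = rd16(atom);
    if (len > QTVR_STR_MAX) return -1;           /* would not fit the buffer */
    if (len > atom_len - 2) return -1;           /* atom shorter than it claims */
    memcpy(out, atom + 2, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed sample atoms (not real QTVR data). */
const uint8_t sample_good_atom[] = {0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
const size_t  sample_good_len    = sizeof sample_good_atom;
const uint8_t sample_huge_atom[] = {0xFF, 0xFF, 'x', 'x'};   /* claims 65535 bytes */
const size_t  sample_huge_len    = sizeof sample_huge_atom;
const uint8_t sample_trunc_atom[] = {0x00, 0x10, 'a', 'b'};  /* claims 16, has 2 */
const size_t  sample_trunc_len    = sizeof sample_trunc_atom;

int main(void) {
    char out[QTVR_STR_MAX + 1];
    printf("good atom   -> %d\n", parse_string_atom(sample_good_atom, sample_good_len, out));
    printf("huge atom   -> %d (signed check would admit: %d)\n",
           parse_string_atom(sample_huge_atom, sample_huge_len, out),
           signed_length_check_admits(0xFFFF));
    printf("trunc atom  -> %d\n", parse_string_atom(sample_trunc_atom, sample_trunc_len, out));
    return 0;
}
```

The two independent checks matter: capacity alone does not catch an atom that is shorter than its declared length (an over-read), and the remaining-bytes check alone does not protect the fixed buffer.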

11) A use-after-free error exists when handling JPEG2000 encoded movie files.

For more information see vulnerability #11 in:
SA49039

12) An error within the decompression of RLE encoded movie files can be exploited to cause a buffer overflow.

13) An error when using the "mb_skip_run" value within a Sorenson v3 encoded movie file as a loop counter to write data can be exploited to cause a heap-based buffer overflow.
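Items #3 and #13 share one root cause: a size taken from one part of the stream (the SPS macroblock counts in #3, the "mb_skip_run" count in #13) drives writes into a buffer that was sized from a different, unrelated value. The C below is an added example written for this advisory, not QuickTime's decoder and not code from Apple or any reporter; the frame structure, the function names and the cap on macroblock counts are constructed, and it assumes frame_mbs_only_flag == 1 with no cropping so that map units equal macroblocks. It allocates a frame only when the container's declared dimensions agree with what the SPS fields imply, and clamps any run count from the stream to the macroblocks that actually remain instead of using it as a raw loop bound.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MB_SIZE 16u
/* Cap on macroblock counts: keeps (n + 1) * 16 and w * h well inside
 * 32-bit range and refuses absurd dimensions before any allocation. */
#define MAX_MBS 2048u

typedef struct {
    uint32_t width, height;      /* pixels */
    uint32_t mbs_wide, mbs_high; /* macroblock grid */
    uint8_t *luma;               /* width * height bytes */
} frame_t;

/* Derive the coded picture size from the two SPS fields (assumes
 * frame_mbs_only_flag == 1, no cropping). Returns 0 if out of range. */
int coded_dims_from_sps(uint32_t pic_width_in_mbs_minus_1,
                        uint32_t pic_height_in_map_units_minus_1,
                        uint32_t *w, uint32_t *h) {
    if (pic_width_in_mbs_minus_1 >= MAX_MBS ||
        pic_height_in_map_units_minus_1 >= MAX_MBS)
        return 0;
    *w = (pic_width_in_mbs_minus_1 + 1) * MB_SIZE;
    *h = (pic_height_in_map_units_minus_1 + 1) * MB_SIZE;
    return 1;
}

/* Allocate a frame only when the container's declared size matches the size
 * the SPS will make the decoder write. Returns NULL on any mismatch. */
frame_t *frame_alloc_checked(uint32_t declared_w, uint32_t declared_h,
                             uint32_t pic_width_in_mbs_minus_1,
                             uint32_t pic_height_in_map_units_minus_1) {
    uint32_t w, h;
    if (!coded_dims_from_sps(pic_width_in_mbs_minus_1,
                             pic_height_in_map_units_minus_1, &w, &h))
        return NULL;
    if (w != declared_w || h != declared_h)
        return NULL;                          /* container and SPS disagree */
    frame_t *f = calloc(1, sizeof *f);
    if (!f) return NULL;
    f->width = w;
    f->height = h;
    f->mbs_wide = pic_width_in_mbs_minus_1 + 1;
    f->mbs_high = pic_height_in_map_units_minus_1 + 1;
    f->luma = calloc((size_t)w * h, 1);       /* at most 32768 * 32768 bytes */
    if (!f->luma) { free(f); return NULL; }
    return f;
}

/* Fill a run of macroblocks starting at first_mb. The run length comes from
 * the stream and is clamped to the macroblocks that remain; the return value
 * is the number actually written. */
uint32_t fill_mb_run(frame_t *f, uint32_t first_mb, uint32_t run, uint8_t value) {
    uint32_t total = f->mbs_wide * f->mbs_high;
    if (first_mb >= total) return 0;
    if (run > total - first_mb) run = total - first_mb;
    for (uint32_t i = 0; i < run; i++) {
        uint32_t mbx = (first_mb + i) % f->mbs_wide;
        uint32_t mby = (first_mb + i) / f->mbs_wide;
        for (uint32_t y = 0; y < MB_SIZE; y++)
            memset(f->luma + (size_t)(mby * MB_SIZE + y) * f->width + mbx * MB_SIZE,
                   value, MB_SIZE);
    }
    return run;
}

void frame_free(frame_t *f) {
    if (f) { free(f->luma); free(f); }
}
```

A 1280x720 track corresponds to SPS values 79 and 44 (80 by 45 macroblocks, 3600 in total); the same SPS values with a container that declares 320x240 are refused, as is a field large enough to overflow the multiplication.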

14) An integer overflow error in Quicktime.qts when handling 'sean' atoms can be exploited to execute arbitrary code.

15) An error within the DllMain module when parsing .pict files can be exploited to corrupt memory.

16) A boundary error in QuickTime.qts when extending a file path based on its short path form can be exploited to cause a stack-based buffer overflow via an overly long, specially crafted file path.

Successful exploitation of this vulnerability requires that a user is tricked into, for example, opening a file located in a specially crafted path.

17) An error when handling MPEG files can be exploited to cause a buffer underflow.

For more information see vulnerability #10 in:
SA49039

The vulnerabilities are reported in versions prior to 7.7.2.

Solution

Update to version 7.7.2.

Reported by

1, 2) Alexander Gavrun via ZDI
3) Luigi Auriemma via ZDI
8) CHkr_D591 via ZDI
10) Alin Rad Pop via ZDI
12) Luigi Auriemma via ZDI and an anonymous person via ZDI
13) Damian Put via ZDI
14) Tom Gallagher and Paul Bates, Microsoft via ZDI
15) Rodrigo Rubira Branco, Qualys Vulnerability & Malware Research Labs (VMRL)
16) Tielei Wang, Georgia Tech Information Security Center via Secunia

Original Advisory

Apple (APPLE-SA-2012-05-15-1):
http://lists.apple.com/archives/security-announce/2012/May/msg00005.html

Rodrigo Rubira Branco:
http://archives.neohapsis.com/archives/fulldisclosure/2012-05/0116.html

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-12-075/
http://www.zerodayinitiative.com/advisories/ZDI-12-077/
http://www.zerodayinitiative.com/advisories/ZDI-12-078/
http://www.zerodayinitiative.com/advisories/ZDI-12-079/
http://www.zerodayinitiative.com/advisories/ZDI-12-095/
http://www.zerodayinitiative.com/advisories/ZDI-12-105/
http://www.zerodayinitiative.com/advisories/ZDI-12-107/
http://www.zerodayinitiative.com/advisories/ZDI-12-108/
http://www.zerodayinitiative.com/advisories/ZDI-12-109/
http://www.zerodayinitiative.com/advisories/ZDI-12-125/
http://www.zerodayinitiative.com/advisories/ZDI-12-153/