ID

VAR-200605-0212


CVE

CVE-2006-1453


TITLE

Apple QuickTime QuickDraw Stack overflow vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-200605-249

DESCRIPTION

Stack-based buffer overflow in Apple QuickTime before 7.1 allows remote attackers to execute arbitrary code via a crafted QuickDraw PICT image format file containing malformed font information.

Multiple integer-overflow and buffer-overflow vulnerabilities affect QuickTime. Successful exploits will result in the execution of arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely cause denial-of-service conditions.

Apple Mac OS X is reported prone to multiple security vulnerabilities. These issues affect Mac OS X in the following applications or modules:

- AppKit
- ImageIO
- BOM
- CFNetwork
- ClamAV
- CoreFoundation
- CoreGraphics
- Finder
- FTPServer
- Flash Player
- ImageIO
- Keychain
- LaunchServices
- libcurl
- Mail
- MySQL Manager
- Preview
- QuickDraw
- QuickTime Streaming Server
- Ruby
- Safari

A remote attacker may exploit these issues to execute arbitrary code, trigger a denial-of-service condition, gain access to potentially sensitive information, or overwrite files. Other attacks may also be possible. Apple Mac OS X 10.4.6 and prior are reported vulnerable to these issues.

Apple QuickTime is a popular multimedia player that supports a wide variety of media formats. Malformed font information may cause stack overflow, and malformed graphics data may cause heap overflow.

An attacker could exploit these vulnerabilities by convincing a user to access a specially crafted image or media file with a vulnerable version of QuickTime. Since QuickTime configures most web browsers to handle QuickTime media files, an attacker could exploit these vulnerabilities using a web page.

Disable QuickTime in your web browser

An attacker may be able to exploit this vulnerability by persuading a user to access a specially crafted file with a web browser. Disabling QuickTime in your web browser will defend against this attack vector. For more information, refer to the Securing Your Web Browser document.

Appendix A.
______________________________________________________________________

McAfee, Inc.
McAfee Avert™ Labs Security Advisory
Public Release Date: 2006-05-11

Apple QuickDraw/QuickTime Multiple Vulnerabilities

CVE-2006-1249, CVE-2006-1453, CVE-2006-1454, CVE-2006-1459, CVE-2006-1460, CVE-2006-1461, CVE-2006-1462, CVE-2006-1464, CVE-2006-1465
______________________________________________________________________

* Synopsis

Apple QuickTime and Apple QuickDraw are multimedia technologies used to process image, audio and video data.

Two code execution vulnerabilities are present in QuickDraw PICT image format support.

Twenty one code execution vulnerabilities are present in QuickTime support for various multimedia formats including: MOV, H.264, MPEG 4, AVI, FPX and SWF.

In order for an attack to succeed user interaction is required and therefore the risk factor for these issues is medium.

CVE-2006-1459
Seven integer overflow vulnerabilities are present in QuickTime MOV video format support.

CVE-2006-1460
Five buffer overflow vulnerabilities are present in QuickTime MOV video format support.

CVE-2006-1461
Two buffer overflow vulnerabilities are present in QuickTime Flash (SWF) support.

CVE-2006-1462
Three integer overflow vulnerabilities are present in QuickTime H.264 (M4V) video format support.

CVE-2006-1464
One buffer overflow vulnerability is present in QuickTime MPEG4 (M4P) video format support.

CVE-2006-1465
One buffer overflow vulnerability is present in QuickTime AVI video format support.
______________________________________________________________________

* Legal Notice

Copyright (C) 2006 McAfee, Inc.

The information contained within this advisory is provided for the convenience of McAfee’s customers, and may be redistributed provided that no fee is charged for distribution and that the advisory is not modified in any way.
McAfee makes no representations or warranties regarding the accuracy of the information referenced in this document, or the suitability of that information for your purposes.

McAfee, Inc. and/or its affiliated companies in the United States and/or other Countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners.
______________________________________________________________________

1) An error in the AppKit framework allows an application to read characters entered into secure text field in the same window session.

2) Errors in the AppKit and ImageIO framework when processing GIF and TIFF images can be exploited to crash an application or potentially execute arbitrary code.

For more information: SA19686

3) A boundary error within the BOM component when expanding archives can be exploited to crash an application or potentially execute arbitrary code.

For more information: SA19686

4) An input validation error in the BOM component when expanding archives can be exploited to cause files to be written to arbitrary locations outside the specified directory via directory traversal attacks.

5) An integer overflow error in the CFNetwork component when handling chunked transfer encoding may allow execution of arbitrary code if a user is tricked into visiting a malicious web site.

For more information: SA19534

7) An error in the CoreFoundation component allows dynamic libraries to load and execute when a bundle is registered. This can be exploited to execute arbitrary code if an untrusted bundle is registered.

8) An integer underflow error within the "CFStringGetFileSystemRepresentation()" API during string conversion may allow execution of arbitrary code.

9) An error in the CoreGraphics component allows an application in the same window session to read characters entered into secure text field when "Enable access for assistive devices" is enabled.
10) An error in Finder within the handling of Internet Location items makes it possible to specify a different Internet Location type than the actual URL scheme used.

11) Boundary errors in the FTPServer component when handling path names can be exploited by malicious users to cause a buffer overflow, which may allow execution of arbitrary code.

12) Various errors in the Flash Player make it possible to compromise a user's system via specially crafted Flash files.

For more information: SA17430 SA19218

13) An integer overflow error in the ImageIO framework when processing JPEG images can be exploited to crash an application or potentially execute arbitrary code.

14) An error in the Keychain component allows an application to use Keychain items even when the Keychain is locked. This requires that the application has obtained a reference to a Keychain item before the Keychain was locked.

15) An error in the LaunchServices component when processing long filename extensions may allow bypassing of the Download Validation functionality.

16) Boundary errors in the libcurl URL handling may allow execution of arbitrary code.

For more information: SA17907

17) An integer overflow error in the Mail component may allow execution of arbitrary code when viewing a specially crafted email message with MacMIME encapsulated attachments.

18) An error in the Mail component when handling invalid colour information in enriched text email messages may allow execution of arbitrary code.

19) A design error in MySQL Manager makes it possible to access the MySQL database with an empty password as the MySQL password supplied during initial setup is not used.

This can be exploited to crash an application and potentially execute arbitrary code.

22) A NULL pointer dereference error in QuickTime Streaming Server when processing QuickTime movies with a missing track can be exploited to crash the application.
23) A boundary error in QuickTime Streaming Server when processing RTSP requests can be exploited to crash the application or potentially execute arbitrary code.

24) An error in Ruby can be exploited to bypass safe level restrictions.

For more information: SA16904

25) An error in Safari when handling archives with symbolic links may place the symbolic links on a user's desktop. This requires that the "Open 'safe' files after downloading" option is enabled.

SOLUTION:
Apply Security Update 2006-003.

13) The vendor credits Brent Simmons, NewsGator Technologies.
14) The vendor credits Tobias Hahn, HU Berlin.
19) The vendor credits Ben Low, University of New South Wales.
21) The vendor credits Mike Price, McAfee AVERT Labs.
23) Mu Security research team

ORIGINAL ADVISORY:
Apple: http://docs.info.apple.com/article.html?artnum=303737

OTHER REFERENCES:
SA19686: http://secunia.com/advisories/19686/
SA19534: http://secunia.com/advisories/19534/
SA17430: http://secunia.com/advisories/17430/
SA19218: http://secunia.com/advisories/19218/
SA17907: http://secunia.com/advisories/17907/
SA16904: http://secunia.com/advisories/16904/
Impacts of other vulnerabilities include bypassing security restrictions and denial of service. Further details are available in the individual Vulnerability Notes.

II. Impact

The impacts of these vulnerabilities vary. For information about specific impacts, please see the Vulnerability Notes. Potential consequences include remote execution of arbitrary code or commands, bypass of security restrictions, and denial of service.

III. This and other updates are available via Apple Update.

Please see the Vulnerability Notes for individual reporter acknowledgements.
____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA06-132A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA06-132A Feedback VU#519473" in the subject.
____________________________________________________________________

Produced 2006 by US-CERT, a government organization.
Terms of use: <http://www.us-cert.gov/legal.html>
____________________________________________________________________

Revision History

May 12, 2006: Initial release

http://www.apple.com/support/downloads/quicktime71.html

PROVIDED AND/OR DISCOVERED BY:
1) Reported by the vendor

Trust: 1.98

sources: NVD: CVE-2006-1453 // BID: 17953 // BID: 17951 // VULHUB: VHN-17561 // PACKETSTORM: 46427 // PACKETSTORM: 46419 // PACKETSTORM: 46266 // PACKETSTORM: 46436 // PACKETSTORM: 46260

AFFECTED PRODUCTS

vendor | model | scope | version | Trust
apple | quicktime | eq | 3.0 | 1.6
apple | quicktime | eq | 6.5.1 | 1.6
apple | quicktime | eq | 6.5.2 | 1.6
apple | quicktime | eq | 7.0.1 | 1.6
apple | quicktime | eq | 7.0.3 | 1.6
apple | quicktime | eq | 7.0.2 | 1.6
apple | quicktime | eq | 7.0.0 | 1.6
apple | quicktime | eq | 6.5.0 | 1.6
apple | quicktime | eq | 7.0 | 1.6
apple | quicktime | eq | 6.1.0 | 1.0
apple | quicktime | eq | 6.0.2 | 1.0
apple | quicktime | eq | 6.1 | 1.0
apple | quicktime | eq | 6.2.0 | 1.0
apple | quicktime | eq | 6.1.1 | 1.0
apple | quicktime | eq | 6.0.1 | 1.0
apple | quicktime | eq | 6.3.0 | 1.0
apple | quicktime | eq | 6.4.0 | 1.0
apple | quicktime | eq | 5.0.1 | 1.0
apple | quicktime | eq | 4.1.2 | 1.0
apple | quicktime | lte | 7.0.4 | 1.0
apple | quicktime | eq | 6.0 | 1.0
apple | quicktime | eq | 6.5 | 1.0
apple | quicktime | eq | 5.0 | 1.0
apple | quicktime | eq | 7.0.4 | 0.6
apple | quicktime player | eq | 7.0.4 | 0.3
apple | quicktime player | eq | 7.0.3 | 0.3
apple | quicktime player | eq | 7.0.2 | 0.3
apple | quicktime player | eq | 7.0.1 | 0.3
apple | quicktime player | eq | 7.0 | 0.3
apple | quicktime player | eq | 6.5.2 | 0.3
apple | quicktime player | eq | 6.5.1 | 0.3
apple | quicktime player | eq | 6.5 | 0.3
apple | quicktime player | eq | 6.1 | 0.3
apple | quicktime player | eq | 6 | 0.3
apple | quicktime player | ne | 7.1 | 0.3
apple | mac os server | eq | x10.3.8 | 0.3
apple | mac os | eq | x10.1.1 | 0.3
apple | mac os server | eq | x10.2.5 | 0.3
apple | mac os | eq | x10.3.2 | 0.3
apple | mac os | eq | x10.0.4 | 0.3
apple | mac os server | eq | x10.4.10 | 0.3
apple | mac os | eq | x10.3.9 | 0.3
apple | mac os server | eq | x10.5 | 0.3
apple | mac os server | eq | x10.1.2 | 0.3
apple | mac os server | eq | x10.3.4 | 0.3
apple | mac os server | eq | x10.4.5 | 0.3
apple | mac os server | eq | x10.3.6 | 0.3
apple | mac os server | eq | x10.2.6 | 0.3
cosmicperl | directory pro | eq | 10.0.3 | 0.3
apple | mac os | eq | x10.2 | 0.3
apple | mac os | eq | x10.3.1 | 0.3
apple | mac os server | eq | x10.5.1 | 0.3
apple | mac os server | eq | x10.3 | 0.3
apple | mac os | eq | x10.2.1 | 0.3
apple | mac os server | eq | x10.4.4 | 0.3
apple | mac os server | eq | x10.4.6 | 0.3
apple | mac os server | eq | x10.2.7 | 0.3
apple | mac os | eq | x10.03 | 0.3
apple | mac os server | eq | x10.4.11 | 0.3
apple | mac os | eq | x10.1 | 0.3
apple | mac os server | eq | x10.4.8 | 0.3
apple | mac os | eq | x10.4.9 | 0.3
apple | mac os | eq | x10.2.8 | 0.3
apple | mac os | eq | x10.1.4 | 0.3
apple | mac os | eq | x10.1.3 | 0.3
apple | mac os server | eq | x10.3.7 | 0.3
apple | mac os | eq | x10.2.4 | 0.3
apple | mac os | eq | x10.2.2 | 0.3
apple | mac os | eq | x10.4 | 0.3
apple | mac os | eq | x10.3.3 | 0.3
apple | mac os server | eq | x10.3.5 | 0.3
apple | mac os | eq | x10.0 | 0.3
apple | mac os | eq | x10.1.5 | 0.3
apple | mac os | eq | x10.4.7 | 0.3
apple | mac os server | eq | x10.4.1 | 0.3
apple | mac os server | eq | x10.2.3 | 0.3
apple | mac os server | eq | x10.5.2 | 0.3
apple | safari | eq | 2.0.2 | 0.3
apple | mac os server | eq | x10.4.2 | 0.3
apple | mac os server | eq | x10.4.3 | 0.3
apple | mac os | eq | x10.3.8 | 0.3
apple | mac os | eq | x10.2.5 | 0.3
apple | mac os | eq | x10.0.1 | 0.3
apple | mac os server | eq | x10.1.1 | 0.3
apple | mac os | eq | x10.4.10 | 0.3
apple | mac os server | eq | x10.3.2 | 0.3
apple | safari | eq | 2.0.1 | 0.3
apple | mac os | eq | x10.5 | 0.3
apple | mac os | eq | x10.1.2 | 0.3
apple | mac os server | eq | x10.3.9 | 0.3
apple | mac os | eq | x10.4.5 | 0.3
apple | mac os | eq | x10.3.6 | 0.3
apple | mac os | eq | x10.2.6 | 0.3
apple | mobile safari | eq | 0 | 0.3
apple | mac os | eq | x10.5.1 | 0.3
apple | mac os | eq | x10.3 | 0.3
apple | mac os | eq | x10.4.4 | 0.3
apple | mac os | eq | x10.4.6 | 0.3
apple | mac os | eq | x10.2.7 | 0.3
apple | mac os server | eq | x10.2 | 0.3
apple | mac os | eq | x10.0.2 | 0.3
apple | mac os server | eq | x10.3.1 | 0.3
apple | mac os | eq | x10.0.3 | 0.3
apple | mac os | eq | x10.4.8 | 0.3
apple | mac os server | eq | x10.2.1 | 0.3
apple | safari | eq | 2.0.3 | 0.3
apple | mac os server | eq | x10.1 | 0.3
apple | mac os server | eq | x10.4.9 | 0.3
apple | mac os | eq | x10.3.7 | 0.3
apple | mac os server | eq | x10.2.8 | 0.3
apple | mac os server | eq | x10.1.4 | 0.3
apple | mac os server | eq | x10.1.3 | 0.3
apple | mac os server | eq | x10.2.4 | 0.3
apple | mac os | eq | x10.3.5 | 0.3
apple | mac os server | eq | x10.2.2 | 0.3
apple | mac os | eq | x10.3.4 | 0.3
apple | mac os server | eq | x10.4 | 0.3
apple | mac os server | eq | x10.3.3 | 0.3
apple | mac os | eq | x10.4.1 | 0.3
apple | mac os server | eq | x10.0 | 0.3
apple | mac os | eq | x10.2.3 | 0.3
apple | mac os | eq | x10.5.2 | 0.3
apple | mac os server | eq | x10.1.5 | 0.3
apple | mac os server | eq | x10.4.7 | 0.3
apple | mac os | eq | x10.4.2 | 0.3
apple | mac os | eq | x10.4.3 | 0.3
apple | mac os | eq | x10.4.11 | 0.3

sources: BID: 17953 // BID: 17951 // CNNVD: CNNVD-200605-249 // NVD: CVE-2006-1453

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2006-1453
value: MEDIUM

Trust: 1.0

CNNVD: CNNVD-200605-249
value: MEDIUM

Trust: 0.6

VULHUB: VHN-17561
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2006-1453
severity: MEDIUM
baseScore: 5.1
vectorString: AV:N/AC:H/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 4.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

VULHUB: VHN-17561
severity: MEDIUM
baseScore: 5.1
vectorString: AV:N/AC:H/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 4.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-17561 // CNNVD: CNNVD-200605-249 // NVD: CVE-2006-1453

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.1

sources: VULHUB: VHN-17561 // NVD: CVE-2006-1453

THREAT TYPE

remote

Trust: 0.8

sources: PACKETSTORM: 46427 // PACKETSTORM: 46436 // CNNVD: CNNVD-200605-249

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-200605-249

EXTERNAL IDS

db | id | Trust
NVD | CVE-2006-1453 | 2.4
BID | 17953 | 2.0
BID | 17951 | 2.0
SECUNIA | 20069 | 1.9
USCERT | TA06-132A | 1.8
USCERT | TA06-132B | 1.8
SECUNIA | 20077 | 1.8
SECTRACK | 1016075 | 1.7
SECTRACK | 1016067 | 1.7
SREASON | 887 | 1.7
VUPEN | ADV-2006-1779 | 1.7
VUPEN | ADV-2006-1778 | 1.7
CNNVD | CNNVD-200605-249 | 0.7
CERT/CC | TA06-132A | 0.6
CERT/CC | TA06-132B | 0.6
APPLE | APPLE-SA-2006-05-11 | 0.6
BUGTRAQ | 20060512 APPLE QUICKDRAW/QUICKTIME MULTIPLE VULNERABILITIES | 0.6
XF | 26400 | 0.6
VULHUB | VHN-17561 | 0.1
PACKETSTORM | 46427 | 0.1
PACKETSTORM | 46419 | 0.1
PACKETSTORM | 46266 | 0.1
PACKETSTORM | 46436 | 0.1
ZDI | ZDI-06-015 | 0.1
PACKETSTORM | 46260 | 0.1

sources: VULHUB: VHN-17561 // BID: 17953 // BID: 17951 // PACKETSTORM: 46427 // PACKETSTORM: 46419 // PACKETSTORM: 46266 // PACKETSTORM: 46436 // PACKETSTORM: 46260 // CNNVD: CNNVD-200605-249 // NVD: CVE-2006-1453

REFERENCES

url:http://lists.apple.com/archives/security-announce/2006/may/msg00002.html

Trust: 1.7

url:http://lists.apple.com/archives/security-announce/2006/may/msg00003.html

Trust: 1.7

url:http://www.securityfocus.com/bid/17951

Trust: 1.7

url:http://www.securityfocus.com/bid/17953

Trust: 1.7

url:http://www.us-cert.gov/cas/techalerts/ta06-132a.html

Trust: 1.7

url:http://www.us-cert.gov/cas/techalerts/ta06-132b.html

Trust: 1.7

url:http://securitytracker.com/id?1016067

Trust: 1.7

url:http://securitytracker.com/id?1016075

Trust: 1.7

url:http://secunia.com/advisories/20069

Trust: 1.7

url:http://secunia.com/advisories/20077

Trust: 1.7

url:http://securityreason.com/securityalert/887

Trust: 1.7

url:http://www.securityfocus.com/archive/1/433831/100/0/threaded

Trust: 1.1

url:http://www.vupen.com/english/advisories/2006/1778

Trust: 1.1

url:http://www.vupen.com/english/advisories/2006/1779

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/26400

Trust: 1.1

url:http://www.frsirt.com/english/advisories/2006/1779

Trust: 0.6

url:http://www.frsirt.com/english/advisories/2006/1778

Trust: 0.6

url:http://www.securityfocus.com/archive/1/archive/1/433831/100/0/threaded

Trust: 0.6

url:http://xforce.iss.net/xforce/xfdb/26400

Trust: 0.6

url:http://docs.info.apple.com/article.html?artnum=303752

Trust: 0.4

url:http://docs.info.apple.com/article.html?artnum=303737

Trust: 0.4

url:http://www.apple.com/quicktime/

Trust: 0.3

url:/archive/1/433850

Trust: 0.3

url:/archive/1/433810

Trust: 0.3

url:/archive/1/433828

Trust: 0.3

url:http://labs.musecurity.com/advisories/mu-200605-02.txt

Trust: 0.3

url:http://www.lists.apple.com/mhonarc/security-announce

Trust: 0.3

url:http://www.info.apple.com/usen/security/security_updates.html

Trust: 0.3

url:http://www.apple.com/macosx/

Trust: 0.3

url:http://www.us-cert.gov/legal.html

Trust: 0.2

url:http://docs.info.apple.com/article.html?artnum=106704

Trust: 0.2

url:http://www.us-cert.gov/cas/signup.html

Trust: 0.2

url:http://secunia.com/secunia_security_advisories/

Trust: 0.2

url:http://secunia.com/about_secunia_advisories/

Trust: 0.2

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.2

url:http://www.apple.com/quicktime/download/standalone.html

Trust: 0.1

url:http://www.kb.cert.org/vuls/byid?searchview&query=quicktime_7.1

Trust: 0.1

url:http://docs.info.apple.com/article.html?artnum=303752

Trust: 0.1

url:http://www.us-cert.gov/cas/techalerts/ta06-132b.html

Trust: 0.1

url:http://www.apple.com/support/downloads/quicktime71.html

Trust: 0.1

url:http://www.us-cert.gov/reading_room/securing_browser/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2006-1461

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2006-1464

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2006-1453

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2006-1462

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2006-1454

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2006-1465

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2006-1459

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2006-1460

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2006-1249

Trust: 0.1

url:http://www.apple.com/support/downloads/securityupdate20060031039server.html

Trust: 0.1

url:http://secunia.com/advisories/17430/

Trust: 0.1

url:http://secunia.com/advisories/16904/

Trust: 0.1

url:http://www.apple.com/support/downloads/securityupdate2006003macosx1046clientppc.html

Trust: 0.1

url:http://secunia.com/advisories/19534/

Trust: 0.1

url:http://www.apple.com/support/downloads/securityupdate20060031039client.html

Trust: 0.1

url:http://secunia.com/advisories/19686/

Trust: 0.1

url:http://www.apple.com/support/downloads/securityupdate2006003macosx1046clientintel.html

Trust: 0.1

url:http://secunia.com/advisories/19218/

Trust: 0.1

url:http://secunia.com/product/96/

Trust: 0.1

url:http://secunia.com/advisories/20077/

Trust: 0.1

url:http://www.apple.com/support/downloads/securityupdate20060031046server.html

Trust: 0.1

url:http://secunia.com/advisories/17907/

Trust: 0.1

url:http://docs.info.apple.com/article.html?artnum=303737

Trust: 0.1

url:http://www.us-cert.gov/cas/techalerts/ta06-132a.html

Trust: 0.1

url:http://www.us-cert.gov/reading_room/securing_browser/#safari

Trust: 0.1

url:http://www.apple.com/support/downloads/quicktime71.html

Trust: 0.1

url:http://secunia.com/product/5090/

Trust: 0.1

url:http://www.zerodayinitiative.com/advisories/zdi-06-015.html

Trust: 0.1

url:http://secway.org/advisory/ad20060512.txt

Trust: 0.1

url:http://secunia.com/product/810/

Trust: 0.1

url:http://secunia.com/advisories/20069/

Trust: 0.1

url:http://www.eeye.com/html/research/advisories/ad20060511.html

Trust: 0.1

url:http://secunia.com/product/7923/

Trust: 0.1

url:http://secunia.com/product/215/

Trust: 0.1

sources: VULHUB: VHN-17561 // BID: 17953 // BID: 17951 // PACKETSTORM: 46427 // PACKETSTORM: 46419 // PACKETSTORM: 46266 // PACKETSTORM: 46436 // PACKETSTORM: 46260 // CNNVD: CNNVD-200605-249 // NVD: CVE-2006-1453

CREDITS

Mike Price
ATmaCA atmaca@atmacasoft.com
http://www.zerodayinitiative.com/
Sowhat smaillist@gmail.com

Trust: 0.6

sources: CNNVD: CNNVD-200605-249

SOURCES

db | id
VULHUB | VHN-17561
BID | 17953
BID | 17951
PACKETSTORM | 46427
PACKETSTORM | 46419
PACKETSTORM | 46266
PACKETSTORM | 46436
PACKETSTORM | 46260
CNNVD | CNNVD-200605-249
NVD | CVE-2006-1453

LAST UPDATE DATE

2024-08-14T12:37:07.734000+00:00


SOURCES UPDATE DATE

db | id | date
VULHUB | VHN-17561 | 2018-10-18T00:00:00
BID | 17953 | 2006-05-15T22:29:00
BID | 17951 | 2008-03-19T14:40:00
CNNVD | CNNVD-200605-249 | 2006-05-24T00:00:00
NVD | CVE-2006-1453 | 2018-10-18T16:32:33.403

SOURCES RELEASE DATE

db | id | date
VULHUB | VHN-17561 | 2006-05-12T00:00:00
BID | 17953 | 2006-05-11T00:00:00
BID | 17951 | 2006-05-11T00:00:00
PACKETSTORM | 46427 | 2006-05-22T00:50:08
PACKETSTORM | 46419 | 2006-05-21T22:28:33
PACKETSTORM | 46266 | 2006-05-17T05:39:52
PACKETSTORM | 46436 | 2006-05-22T03:14:36
PACKETSTORM | 46260 | 2006-05-17T05:39:52
CNNVD | CNNVD-200605-249 | 2005-11-07T00:00:00
NVD | CVE-2006-1453 | 2006-05-12T20:06:00