ID

VAR-200605-0222


CVE

CVE-2006-1463


TITLE

Apple QuickTime H.264 Parsing Buffer Overflow Vulnerability

Trust: 0.7

sources: ZDI: ZDI-06-015

DESCRIPTION

Heap-based buffer overflow in Apple QuickTime before 7.1 allows remote attackers to execute arbitrary code via an H.264 (M4V) video format file with a certain modified size value. The implicit trust of a user-supplied size value during a memory copy loop allows an attacker to create an exploitable memory corruption condition. Exploitation requires that an attacker either coerce the target to open a malformed media file or visit a website embedding the malicious file.

Multiple integer-overflow and buffer-overflow vulnerabilities affect QuickTime. These issues affect both Mac OS X and Microsoft Windows releases of the software. Successful exploits will result in the execution of arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely cause denial-of-service conditions.

National Cyber Alert System
Technical Cyber Security Alert TA06-132B
Apple QuickTime Vulnerabilities

Original release date: May 12, 2006
Last revised: --
Source: US-CERT

Systems Affected

Apple QuickTime on systems running
* Apple Mac OS X
* Microsoft Windows

Overview

Apple QuickTime contains multiple vulnerabilities.

I. Description

Apple QuickTime 7.1 resolves multiple vulnerabilities in the way different types of image and media files are handled. An attacker could exploit these vulnerabilities by convincing a user to access a specially crafted image or media file with a vulnerable version of QuickTime. Since QuickTime configures most web browsers to handle QuickTime media files, an attacker could exploit these vulnerabilities using a web page. For more information, please refer to the Vulnerability Notes.

II. Impact

The impacts of these vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code or commands, and cause a denial-of-service condition. For further information, please see the Vulnerability Notes.

III.
Disable QuickTime in your web browser

An attacker may be able to exploit this vulnerability by persuading a user to access a specially crafted file with a web browser. Disabling QuickTime in your web browser will defend against this attack vector. For more information, refer to the Securing Your Web Browser document.

Appendix A. References

* Vulnerability Notes for QuickTime 7.1 - <http://www.kb.cert.org/vuls/byid?searchview&query=QuickTime_7.1>
* Securing Your Web Browser - <http://www.us-cert.gov/reading_room/securing_browser/>
* About the security content of the QuickTime 7.1 Update - <http://docs.info.apple.com/article.html?artnum=303752>
* Apple QuickTime 7.1 - <http://www.apple.com/support/downloads/quicktime71.html>
* Standalone Apple QuickTime Player - <http://www.apple.com/quicktime/download/standalone.html>
* Mac OS X: Updating your software - <http://docs.info.apple.com/article.html?artnum=106704>

The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA06-132B.html>

Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA06-132B Feedback VU#289705" in the subject.

Produced 2006 by US-CERT, a government organization.
Terms of use: <http://www.us-cert.gov/legal.html>

Revision History

May 12, 2006: Initial release

ZDI-06-015: Apple QuickTime H.264 Parsing Heap Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-06-015.html
May 11, 2006

-- CVE ID:
CVE-2006-1463

-- Affected Vendor:
Apple

-- Affected Products:
Apple QuickTime versions prior to 7.1

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since March 20, 2006 by Digital Vaccine protection filter ID 4183.

-- Vendor Response:
Apple has identified and corrected this issue in QuickTime 7.1. Customers can obtain the fix from Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
For further details see:
http://docs.info.apple.com/article.html?artnum=61798

-- Disclosure Timeline:
2006.03.20 - Vulnerability reported to vendor
2006.03.20 - Digital Vaccine released to TippingPoint customers
2006.05.11 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by ATmaCA.

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.

TITLE: QuickTime Multiple Code Execution Vulnerabilities
SECUNIA ADVISORY ID: SA20069
VERIFY ADVISORY: http://secunia.com/advisories/20069/
CRITICAL: Highly critical
IMPACT: DoS, System access
WHERE: From remote
SOFTWARE:
Apple Quicktime 4.x http://secunia.com/product/7923/
Apple Quicktime 5.x http://secunia.com/product/215/
Apple Quicktime 6.x http://secunia.com/product/810/
Apple QuickTime 7.x http://secunia.com/product/5090/

DESCRIPTION: Multiple vulnerabilities have been reported in QuickTime, which can be exploited by malicious people to compromise a user's system.

1) An integer overflow error within the processing of JPEG images can be exploited via a specially crafted JPEG image to crash the application and potentially execute arbitrary code.
3) A boundary error within the processing of Flash movies can be exploited via a specially crafted Flash movie to crash the application and potentially execute arbitrary code.
5) A boundary error within the processing of MPEG4 movies can be exploited via a specially crafted MPEG4 movie to crash the application and potentially execute arbitrary code.
6) An integer overflow error within the processing of FlashPix images (".fpx") can be exploited via a specially crafted FlashPix image with an overly large value in the field specifying the number of data blocks in the file.
7) A boundary error within the processing of AVI movies can be exploited via a specially crafted AVI movie to crash the application and potentially execute arbitrary code.
8) Two boundary errors within the processing of PICT images can be exploited to either cause a stack-based via a PICT image with specially crafted font information or a heap-based buffer overflow via a PICT image with specially crafted image data. This can be exploited to crash the application and potentially execute arbitrary code.
9) A boundary error within the processing of BMP images can be exploited via a specially crafted BMP image to crash the application and potentially execute arbitrary code.

SOLUTION: Update to version 7.1.
http://www.apple.com/support/downloads/quicktime71.html

PROVIDED AND/OR DISCOVERED BY:
1) Reported by the vendor.
2) Mike Price of McAfee AVERT Labs and Sowhat of Nevis Labs.
3) Mike Price, McAfee AVERT Labs.
4) Mike Price of McAfee AVERT Labs and ATmaCA.
5) Mike Price, McAfee AVERT Labs.
6) Fang Xing of eEye Digital Security and Mike Price of McAfee AVERT Labs.
7) Mike Price, McAfee AVERT Labs.
8) Mike Price, McAfee AVERT Labs.
9) Tom Ferris

ORIGINAL ADVISORY:
Apple: http://docs.info.apple.com/article.html?artnum=303752
eEye Digital Security: http://www.eeye.com/html/research/advisories/AD20060511.html
Zero Day Initiative: http://www.zerodayinitiative.com/advisories/ZDI-06-015.html
Sowhat: http://secway.org/advisory/AD20060512.txt

Trust: 2.16

sources: NVD: CVE-2006-1463 // ZDI: ZDI-06-015 // BID: 17953 // VULHUB: VHN-17571 // PACKETSTORM: 46427 // PACKETSTORM: 46409 // PACKETSTORM: 46260

AFFECTED PRODUCTS

vendor: apple, model: quicktime, scope: eq, version: 7.0.4

Trust: 1.6

vendor: apple, model: quicktime, scope: eq, version: 7.0.3

Trust: 1.6

vendor: apple, model: quicktime, scope: -, version: -

Trust: 0.7

vendor: apple, model: quicktime player, scope: eq, version: 7.0.4

Trust: 0.3

vendor: apple, model: quicktime player, scope: eq, version: 7.0.3

Trust: 0.3

vendor: apple, model: quicktime player, scope: eq, version: 7.0.2

Trust: 0.3

vendor: apple, model: quicktime player, scope: eq, version: 7.0.1

Trust: 0.3

vendor: apple, model: quicktime player, scope: eq, version: 7.0

Trust: 0.3

vendor: apple, model: quicktime player, scope: eq, version: 6.5.2

Trust: 0.3

vendor: apple, model: quicktime player, scope: eq, version: 6.5.1

Trust: 0.3

vendor: apple, model: quicktime player, scope: eq, version: 6.5

Trust: 0.3

vendor: apple, model: quicktime player, scope: eq, version: 6.1

Trust: 0.3

vendor: apple, model: quicktime player, scope: eq, version: 6

Trust: 0.3

vendor: apple, model: quicktime player, scope: ne, version: 7.1

Trust: 0.3

sources: ZDI: ZDI-06-015 // BID: 17953 // CNNVD: CNNVD-200605-255 // NVD: CVE-2006-1463

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2006-1463
value: MEDIUM

Trust: 1.0

CNNVD: CNNVD-200605-255
value: MEDIUM

Trust: 0.6

VULHUB: VHN-17571
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2006-1463
severity: MEDIUM
baseScore: 5.1
vectorString: AV:N/AC:H/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 4.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

VULHUB: VHN-17571
severity: MEDIUM
baseScore: 5.1
vectorString: AV:N/AC:H/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 4.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-17571 // CNNVD: CNNVD-200605-255 // NVD: CVE-2006-1463

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.1

sources: VULHUB: VHN-17571 // NVD: CVE-2006-1463

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 46427 // CNNVD: CNNVD-200605-255

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-200605-255

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-17571

PATCH

title: Apple has issued an update to correct this vulnerability.
url: http://www.apple.com/support/downloads/

Trust: 0.7

sources: ZDI: ZDI-06-015

EXTERNAL IDS

db: NVD, id: CVE-2006-1463

Trust: 2.8

db: ZDI, id: ZDI-06-015

Trust: 2.6

db: BID, id: 17953

Trust: 2.0

db: SECUNIA, id: 20069

Trust: 1.9

db: USCERT, id: TA06-132B

Trust: 1.8

db: SREASON, id: 888

Trust: 1.7

db: SECTRACK, id: 1016067

Trust: 1.7

db: VUPEN, id: ADV-2006-1778

Trust: 1.7

db: ZDI_CAN, id: ZDI-CAN-033

Trust: 0.7

db: CNNVD, id: CNNVD-200605-255

Trust: 0.7

db: APPLE, id: APPLE-SA-2006-05-11

Trust: 0.6

db: CERT/CC, id: TA06-132B

Trust: 0.6

db: BUGTRAQ, id: 20060511 ZDI-06-015: APPLE QUICKTIME H.264 PARSING HEAP OVERFLOW VULNERABILITY

Trust: 0.6

db: XF, id: 264

Trust: 0.6

db: XF, id: 26396

Trust: 0.6

db: PACKETSTORM, id: 46409

Trust: 0.2

db: VULHUB, id: VHN-17571

Trust: 0.1

db: PACKETSTORM, id: 46427

Trust: 0.1

db: PACKETSTORM, id: 46260

Trust: 0.1

sources: ZDI: ZDI-06-015 // VULHUB: VHN-17571 // BID: 17953 // PACKETSTORM: 46427 // PACKETSTORM: 46409 // PACKETSTORM: 46260 // CNNVD: CNNVD-200605-255 // NVD: CVE-2006-1463

REFERENCES

url:http://www.zerodayinitiative.com/advisories/zdi-06-015.html

Trust: 1.9

url:http://lists.apple.com/archives/security-announce/2006/may/msg00002.html

Trust: 1.7

url:http://www.securityfocus.com/bid/17953

Trust: 1.7

url:http://www.us-cert.gov/cas/techalerts/ta06-132b.html

Trust: 1.7

url:http://securitytracker.com/id?1016067

Trust: 1.7

url:http://secunia.com/advisories/20069

Trust: 1.7

url:http://securityreason.com/securityalert/888

Trust: 1.7

url:http://www.securityfocus.com/archive/1/433828/100/0/threaded

Trust: 1.1

url:http://www.vupen.com/english/advisories/2006/1778

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/26396

Trust: 1.1

url:http://www.apple.com/support/downloads/

Trust: 0.8

url:http://www.securityfocus.com/archive/1/archive/1/433828/100/0/threaded

Trust: 0.6

url:http://www.frsirt.com/english/advisories/2006/1778

Trust: 0.6

url:http://xforce.iss.net/xforce/xfdb/26396

Trust: 0.6

url:http://docs.info.apple.com/article.html?artnum=303752

Trust: 0.4

url:http://www.apple.com/quicktime/

Trust: 0.3

url:/archive/1/433850

Trust: 0.3

url:/archive/1/433810

Trust: 0.3

url:/archive/1/433828

Trust: 0.3

url:http://www.apple.com/quicktime/download/standalone.html>

Trust: 0.1

url:http://www.kb.cert.org/vuls/byid?searchview&query=quicktime_7.1>

Trust: 0.1

url:http://docs.info.apple.com/article.html?artnum=303752>

Trust: 0.1

url:http://www.us-cert.gov/cas/techalerts/ta06-132b.html>

Trust: 0.1

url:http://www.us-cert.gov/legal.html>

Trust: 0.1

url:http://docs.info.apple.com/article.html?artnum=106704>

Trust: 0.1

url:http://www.us-cert.gov/cas/signup.html>.

Trust: 0.1

url:http://www.apple.com/support/downloads/quicktime71.html>

Trust: 0.1

url:http://www.us-cert.gov/reading_room/securing_browser/>

Trust: 0.1

url:http://docs.info.apple.com/article.html?artnum=61798

Trust: 0.1

url:http://www.tippingpoint.com

Trust: 0.1

url:http://www.zerodayinitiative.com

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2006-1463

Trust: 0.1

url:http://www.apple.com/support/downloads/quicktime71.html

Trust: 0.1

url:http://secunia.com/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/product/5090/

Trust: 0.1

url:http://secway.org/advisory/ad20060512.txt

Trust: 0.1

url:http://secunia.com/product/810/

Trust: 0.1

url:http://secunia.com/advisories/20069/

Trust: 0.1

url:http://www.eeye.com/html/research/advisories/ad20060511.html

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/product/7923/

Trust: 0.1

url:http://secunia.com/about_secunia_advisories/

Trust: 0.1

url:http://secunia.com/product/215/

Trust: 0.1

sources: ZDI: ZDI-06-015 // VULHUB: VHN-17571 // BID: 17953 // PACKETSTORM: 46427 // PACKETSTORM: 46409 // PACKETSTORM: 46260 // CNNVD: CNNVD-200605-255 // NVD: CVE-2006-1463

CREDITS

ATmaCA

Trust: 0.7

sources: ZDI: ZDI-06-015

SOURCES

db: ZDI, id: ZDI-06-015
db: VULHUB, id: VHN-17571
db: BID, id: 17953
db: PACKETSTORM, id: 46427
db: PACKETSTORM, id: 46409
db: PACKETSTORM, id: 46260
db: CNNVD, id: CNNVD-200605-255
db: NVD, id: CVE-2006-1463

LAST UPDATE DATE

2024-08-14T12:33:24.252000+00:00


SOURCES UPDATE DATE

db: ZDI, id: ZDI-06-015, date: 2006-05-11T00:00:00
db: VULHUB, id: VHN-17571, date: 2018-10-18T00:00:00
db: BID, id: 17953, date: 2006-05-15T22:29:00
db: CNNVD, id: CNNVD-200605-255, date: 2006-05-25T00:00:00
db: NVD, id: CVE-2006-1463, date: 2018-10-18T16:32:39.763

SOURCES RELEASE DATE

db: ZDI, id: ZDI-06-015, date: 2006-05-11T00:00:00
db: VULHUB, id: VHN-17571, date: 2006-05-12T00:00:00
db: BID, id: 17953, date: 2006-05-11T00:00:00
db: PACKETSTORM, id: 46427, date: 2006-05-22T00:50:08
db: PACKETSTORM, id: 46409, date: 2006-05-21T19:15:50
db: PACKETSTORM, id: 46260, date: 2006-05-17T05:39:52
db: CNNVD, id: CNNVD-200605-255, date: 2005-11-07T00:00:00
db: NVD, id: CVE-2006-1463, date: 2006-05-12T20:06:00