Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Apple nukes QuickTime for Java, plugs more code execution holes

By Ryan Naraine | November 5, 2007, 12:16pm PST

Summary: Less than a week after its QuickTime media player made the top-ten list of most vulnerable Windows applications, Apple shipped QuickTime 7.3 to patch a total of seven vulnerabilities that could lead to code execution attacks.

Less than a week after its QuickTime media player made the top-ten list of most vulnerable Windows applications, Apple shipped QuickTime 7.3 to patch a total of seven vulnerabilities that could lead to code execution attacks.

The update, available for both Mac and Windows (XP and Vista) users, also cuts untrusted Java applets off from QuickTime for Java, a move that significantly reduces the attack surface on the company's flagship digital media player. Note that Apple's advisory describes this as making QuickTime for Java no longer accessible to untrusted applets, not as removing the component outright.

Apple also shipped a new version of iTunes but there is no security content associated with that release.

According to an advisory from Cupertino, QuickTime 7.3 provides fixes for seven potentially serious flaws that could open up Mac and Windows machines to denial-of-service, privilege escalation or drive-by malware attacks.

[ SEE: Yahoo Messenger, QuickTime top list of most vulnerable Windows apps ]

The skinny on the flaws/fixes:

CVE-2007-2395: A memory corruption issue exists in QuickTime’s handling of image description atoms. By enticing a user to open a maliciously crafted movie file, an attacker may cause an unexpected application termination or arbitrary code execution.

CVE-2007-3750: A heap buffer overflow exists in QuickTime Player’s handling of Sample Table Sample Descriptor (STSD) atoms. By enticing a user to open a maliciously crafted movie file, an attacker may cause an unexpected application termination or arbitrary code execution.

CVE-2007-3751: Multiple vulnerabilities exist in QuickTime for Java, which may allow untrusted Java applets to obtain elevated privileges. By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker may cause the disclosure of sensitive information and arbitrary code execution with elevated privileges. This update addresses the issues by making QuickTime for Java no longer accessible to untrusted Java applets.

CVE-2007-4672: A stack buffer overflow exists in PICT image processing. By enticing a user to open a maliciously crafted image, an attacker may cause an unexpected application termination or arbitrary code execution.

CVE-2007-4676: A heap buffer overflow exists in PICT image processing. By enticing a user to open a maliciously crafted image, an attacker may cause an unexpected application termination or arbitrary code execution.

CVE-2007-4675: A heap buffer overflow exists in QuickTime’s handling of panorama sample atoms in QTVR (QuickTime Virtual Reality) movie files. By enticing a user to view a maliciously crafted QTVR file, an attacker may cause an unexpected application termination or arbitrary code execution.

CVE-2007-4677: A heap buffer overflow exists in the parsing of the color table atom when opening a movie file. By enticing a user to open a maliciously crafted movie file, an attacker may cause an unexpected application termination or arbitrary code execution.
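Six of the seven fixes are the same bug class: a QuickTime atom carries its own size, and the structures inside it carry their own counts, and a parser that trusts either without checking it against the bytes actually read and the buffer it is writing into overflows. The following is an added example written for this page, not Apple's code and not anything from the QuickTime source. It uses the 'ctab' (color table) atom layout from the QuickTime File Format specification and assumes a decoder that keeps a fixed 256-entry table (that capacity is an assumption), to show the vulnerable pattern beside a hardened parser on constructed sample atoms:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the bug class behind the atom-parsing fixes: a count
 * read from the file drives a copy without being checked against the bytes actually
 * present or the capacity of the destination. Not Apple's code. 'ctab' layout per the
 * QuickTime File Format spec: 4-byte size (big-endian, includes header), 4-byte type
 * 'ctab', 4-byte seed, 2-byte flags, 2-byte "color table size" (= entries minus one),
 * then 8 bytes per entry: value, red, green, blue, each 16-bit big-endian. */
#define CTAB_HDR    16
#define CTAB_ENTRY  8
#define MAX_COLORS  256   /* assumption: the decoder keeps a fixed 256-entry table */

typedef struct { uint16_t value, red, green, blue; } ctab_entry;

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

static void decode_entries(const uint8_t *p, ctab_entry *out, size_t n)
{
    for (size_t i = 0; i < n; i++, p += CTAB_ENTRY) {
        out[i].value = be16(p);     out[i].red  = be16(p + 2);
        out[i].green = be16(p + 4); out[i].blue = be16(p + 6);
    }
}

/* Vulnerable pattern: the 16-bit count is trusted. A file declaring 0xFFFF makes this
 * write 65536 entries into a 256-entry table and read far past the end of the atom. */
int parse_ctab_unsafe(const uint8_t *atom, ctab_entry *table, size_t *ncolors)
{
    size_t n = (size_t)be16(atom + 14) + 1;
    decode_entries(atom + CTAB_HDR, table, n);
    *ncolors = n;
    return 0;
}

/* Hardened: atom size, type, destination capacity and payload actually present are
 * all checked before a single entry is copied. */
int parse_ctab_safe(const uint8_t *atom, size_t atom_len, ctab_entry *table, size_t *ncolors)
{
    if (atom_len < CTAB_HDR) return -1;
    uint32_t size = be32(atom);
    if (size < CTAB_HDR || size > atom_len) return -1;   /* claims bytes the buffer lacks */
    if (memcmp(atom + 4, "ctab", 4) != 0) return -1;
    size_t n = (size_t)be16(atom + 14) + 1;
    if (n > MAX_COLORS) return -1;                        /* bound by destination capacity */
    if ((size - CTAB_HDR) / CTAB_ENTRY < n) return -1;    /* bound by payload present */
    decode_entries(atom + CTAB_HDR, table, n);
    *ncolors = n;
    return 0;
}

/* Constructed sample: a 'ctab' atom whose count field claims declared_last + 1 entries
 * while only `present` entries are written. Returns atom length, 0 if buf is too small. */
size_t build_ctab(uint8_t *buf, size_t buflen, uint16_t declared_last, size_t present)
{
    size_t len = CTAB_HDR + present * CTAB_ENTRY;
    if (len > buflen) return 0;
    memset(buf, 0, len);
    buf[0] = (uint8_t)(len >> 24); buf[1] = (uint8_t)(len >> 16);
    buf[2] = (uint8_t)(len >> 8);  buf[3] = (uint8_t)len;
    memcpy(buf + 4, "ctab", 4);
    buf[14] = (uint8_t)(declared_last >> 8); buf[15] = (uint8_t)declared_last;
    for (size_t i = 0; i < present; i++) {     /* entry i: value = i, grey level i * 0x1111 */
        uint8_t *e = buf + CTAB_HDR + i * CTAB_ENTRY;
        uint16_t grey = (uint16_t)(i * 0x1111);
        e[0] = (uint8_t)(i >> 8); e[1] = (uint8_t)i;
        e[2] = e[4] = e[6] = (uint8_t)(grey >> 8);
        e[3] = e[5] = e[7] = (uint8_t)grey;
    }
    return len;
}

/* Builds a sample and runs the hardened parser: entries decoded, or -1 if rejected. */
int safe_parse_sample(uint16_t declared_last, size_t present)
{
    static uint8_t buf[CTAB_HDR + (MAX_COLORS + 8) * CTAB_ENTRY];
    static ctab_entry table[MAX_COLORS];
    size_t n = 0;
    size_t len = build_ctab(buf, sizeof buf, declared_last, present);
    return parse_ctab_safe(buf, len, table, &n) == 0 ? (int)n : -1;
}

int main(void)
{
    printf("well-formed, 2 entries:    %d\n", safe_parse_sample(1, 2));       /* 2 */
    printf("declares 65536, carries 2: %d\n", safe_parse_sample(0xFFFF, 2));  /* -1 */
    printf("declares 4, carries 2:     %d\n", safe_parse_sample(3, 2));       /* -1 */
    printf("declares 257, carries 257: %d\n", safe_parse_sample(256, 257));   /* -1 */
    return 0;
}
```

Build with any C99 compiler and run. The unsafe parser is deliberately never fed the oversized sample; the point of the pair is that an untrusted count has to be bounded twice, once by the destination's capacity and once by the bytes the enclosing atom actually holds, because either check on its own still leaves the other overflow reachable.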


Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

12 Comments

But is it too late
tb01 5th Nov 2007
Yikes!
Some of those vulnerabilities are over 6 months old.
Plus, there is still a critical Java exploit unpatched as well...

JAVA = POS

Java may not be very useful in your browser, but it's very well established for enterprise solutions. I can say this because I've been in this industry (enterprise software) for about 15 years now, and this is what you see today.

Java is always popping up with new vulnerabilities. It seems every time I run a vulnerability scan I have to download and extract a new MSI to push and then create a new start/shutdown script to ensure the old version is removed, and when you upgrade to a new version you may break the app that is dependent on it (unless it uses a bundled version).

Add to that the whole 1.3, 1.4, 1.5 and now 1.6 codepaths - it is a mess.

I have seen software with far fewer vulnerabilities get removed from distribution trees because of poor programming practices and excessive security advisories.

Maybe not for you
davidsarmstrong 5th Nov 2007
Just because you don't use Java doesn't mean millions of other people don't use Java. I personally don't use QuickTime so it doesn't matter to me.

Java is huge in the enterprise space and in the micro-device space. I'll bet your cell phone is Java-enabled.

Java used to be crap, but it's excellent now.

Java is horrible
Suicida| 5th Nov 2007
Take 1.5, which has had 23 advisories since 2003; compare that to .NET 1.1, which has had 7 in the same time frame.

I never thought I would point to Microsoft in regards to secure code, but there you go.

The worst thing about Java vulnerabilities is that most people just upgrade and never remove the vulnerable versions.

I don't mean to hate on Java; I love that I can have a web app that will work on Linux, Windows, BSD and OSX, but I agree with Apple's decision: no need to integrate software with as horrible a security record as Java into your product and introduce additional attack vectors.

.Net and Security
davidsarmstrong 12th Nov 2007
First, MS is known for not issuing a security advisory until they have a fix. It's closed source, so you will never know it has a hole until it has been exploited. The source to Java is open (always has been), so most Java advisories have no known exploits.

Believing that ANY MS code is secure displays a certain amount of wishful thinking, IMHO.

And considering that Java is the most-used programming language (21%) and that .NET is in a backwater (4%) - source: http://www.tiobe.com/tpci.htm - it's not surprising that it gets more attention from the hackers.

1.2, 1.3, 1.4 to Java 6 is the evolution path. Each version was used for more than three years by millions of organisations. It provides an easy, flexible and safe programming language.

Which OS, which development platform has no vulnerabilities? Java has the best track record in this. Vulnerabilities are handled in an open way and quickly fixed.

No Java love here.
pmcgrath@... 6th Nov 2007
Look, Java is a beautiful object-oriented language.

That being said, Java was Scott McNealy's attempt to displace Windows on the desktop. And it failed, mostly due to lack of bandwidth and poor performance of the JVM. As a sysadmin I have had way too many problems with the JVM: incompatibilities breaking enterprise apps (ADP), breaking servers (APC PowerChute), and installing that stupid toolbar every time it updates (seems like every month).

If a software provider tells me he has a Java-based app, I move him to the bottom of the list. I run a Windows shop with Windows desktops. Give me a .NET app, or at least one optimized for Windows. Why would I want a compromise?

Am I missing something?
Robert Kohlenberger 6th Nov 2007
In CVE-2007-3751:
> This update addresses the issues by making
> QuickTime for Java no longer accessible to untrusted
> Java applets.

So is QT for Java "nuked" for everybody, including trusted applets and SE apps, or just for untrusted applets?

Although hopefully one day it will.

AFAIK, no problem in Java backward compatibility. Must be something I missed.

Java is great, for lots of other stuff, except of course, consumer apps. Can't deny that.
