Apple plugs gaping QuickTime security holes
Apple today released a major makeover to its iTunes and QuickTime software products, fixing at least 11 documented security vulnerabilities that could lead to Mac and PC takeover attacks.
QuickTime 7.5.5, which should be considered an "extremely critical" update, addresses nine different vulnerabilities that could cause some serious damage if a Windows or Mac OS X user is tricked into viewing a rigged movie file. The iTunes 8 update addresses two separate bugs that could put users at risk of information disclosure.
Full details on the vulnerabilities and patches:
QUICKTIME 7.5.5
- CVE-2008-3615: An uninitialized memory access issue exists in the third-party Indeo v5 codec for QuickTime, which does not ship with QuickTime. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. Affects Windows Vista, XP SP2 and SP3.
- CVE-2008-3635: A stack buffer overflow exists in the third-party Indeo v3.2 codec for QuickTime. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. Affects Windows Vista, XP SP2 and SP3.
- CVE-2008-3624: A heap buffer overflow exists in QuickTime's handling of panorama atoms in QTVR (QuickTime Virtual Reality) movie files. Viewing a maliciously crafted QTVR file may lead to an unexpected application termination or arbitrary code execution. Affects Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3.
- CVE-2008-3625: A stack buffer overflow exists in QuickTime's handling of panorama atoms in QTVR (QuickTime Virtual Reality) movie files. Viewing a maliciously crafted QTVR file may lead to an unexpected application termination or arbitrary code execution. Available for Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3.
- CVE-2008-3614: An integer overflow exists in QuickTime's handling of PICT images. Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution. Affects Windows Vista, XP SP2 and SP3.
- CVE-2008-3626: A memory corruption issue exists in QuickTime's handling of STSZ atoms in movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. Available for Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3.
- CVE-2008-3627: Multiple memory corruption issues exist in QuickTime's handling of H.264 encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. Available for Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3.
- CVE-2008-3628: An invalid pointer issue exists in QuickTime's handling of PICT images. Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution. Available for Windows Vista, XP SP2 and SP3.
- CVE-2008-3629: An out-of-bounds read issue exists in QuickTime's handling of PICT images. Opening a maliciously crafted PICT image may lead to an unexpected application termination. Affects Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3.
iTunes 8
- CVE-2008-3634: When the firewall is configured to block iTunes Music Sharing and the user enables iTunes Music Sharing in iTunes, a warning dialog is displayed which incorrectly informs the user that unblocking iTunes Music Sharing doesn't affect the firewall's security. Allowing iTunes Music Sharing or any other service through the firewall inherently affects security by exposing the service to remote entities. This update addresses the issue by refining the text in the warning dialog. Available for Mac OS X v10.4.11, Mac OS X Server v10.4.11.
- CVE-2008-3636: A third-party driver provided with iTunes may trigger an integer overflow, and could allow a local user to obtain system privileges. Available for: Windows XP or Vista.
Talkback
Looks to me Quicktime has been put through a code
About time Apple, and good work.
Don't think so
Quicktime has a long history of being unreliable and buggy on Windows, now we can add very insecure as well.
You're right
announce/2008/Sep/msg00000.html
Credits many third party researchers
If they haven't already
What is this, 2001?
It is rather pathetic that anyone would give them a thumbs up for that.
New tools becoming available all the time
"It is rather pathetic that anyone would give them a thumbs
up for that."
Closing security vulnerabilities isn't a good thing?
Wow, that's a lot of critical vulnerabilities
And the month before that there were a ton.
Gee, kind of makes you wonder if there will be a ton of vulnerabilities found next month.
And next month.
And next month.
There is a reason Quicktime isn't allowed on any of my computers.
Securing iTunes requires upgrading to 8?
Difference with iTunes 8...
How many people have complained about the "Free" IE7 update?
Because iTunes 8 also offers new features, this can be seen as a way to force these new features onto existing iTunes users whether they want them or not.
The problem with IE7
Wait....Look at this
And the problem with iTunes 8 is that it does not run well or at all on new systems.
http://blogs.zdnet.com/hardware/?p=2581
Sorry...I couldn't resist myself.
I banned QuickTime from my Windows
MOV is a good container format
refresh/redraw probs are probably IRQ and DMA problems
that come along with running Windows in a DIY box on
some PC motherboard that has a bunch of cards jammed in
the slots all vying for Bus access (and who knows maybe
the motherboard chipset has a driver update?) etc,etc... SO
glad I don't have to worry about that stuff anymore. Lord
knows I did from my first PC in '91 to my last in 2002, you
just don't have to worry about all the subsystem conflicts
and interactions on a Mac. The video performance is
awesome and MOV is a good format, renders as well as the
source material it's given.
I've said it before, don't run with administrative rights
For Windows XP users, you should use a "limited account" or use this tool (more than likely this since you're too used to running with the default "out of the box" scenario - admin privileges):
http://www.download.com/RemoveAdmin/3000-2381_4-10824971.html?tag=lst-1&cdlPid=10835515
RemoveAdmin strips administrative rights of your browser... so when you click on that QuickTime link, the QuickTime player spawned doesn't have administrative rights either... which means the "arbitrary code execution" flaws are severely mitigated.
You can easily create shortcuts for alternate browsers such as Safari and Opera. Just look at the shortcuts created for Firefox and IE. RemoveAdmin is a general purpose tool, the installer just does some initial grunt work of creating two convenient shortcuts.
In closing, no system is 100% secure but mitigation is better than nothing.
-M
Quicktime is garbage.
Seriously, Apple, you could have built, from scratch, a forked BSD player 11 times over than all the constant and ineffectual futile effort to secure this true piece of garbage software. So keep throwing good money after bad, or once and for all, throw it out, take a BSD player, make it proprietary, remove all the functions it supports to play all formats and lock it to AAC and MP3, and be done with it.
I wonder how many infected computers, zero day vulnerabilities, stolen identities it will take before Apple is held responsible by enforcing garbage software?
TripleII
Quicktime X
assuming they will be starting with a new code base. But
enough with the sour grapes "make it proprietary, remove
all the functions it supports to play all formats and lock it
to AAC and MP3, and be done with it." Quicktime has
allowed for 3rd party codecs to be written for it (Perian for
example) and has QUITE a few built in, but sorry no
Ogg/Vorbis out of the box if that's what gets your FOSS
goat. But honestly QT trounces the only other widespread
OS installed media player and it's the much more awful
Windows Media Player, that can't even play a properly
encoded MP4 from Quicktime without it being in an AVI
wrapper, blech.
Good info, thanks. It will be massively proprietary.
http://blogs.zdnet.com/Bott/?p=536
Before conversion to Linux, my nephews iTunes constantly reset itself to AAC 128 as the default for encoding after every upgrade.
Apple tries, with every new release of firmware, to break Linux compatibility.
I am very jaundiced where it comes to Apple because of their history. From bricking phones to sneaky Safari to the link above. I have to agree with Ed's wonderment at how Apple can act worse than MS did in the mid 90's and get a complete pass. I don't even like Vista yet I feel for MS because Apple will come out smelling like roses, be the hero, and Vista will take the rap.
My main point, besides iTunes, AAC is a weak handcuff because not all MP3 players support it, and who wants to convert their entire collection from lossy to lossy?
TripleII
Building a solid house...
well cause problems. Even so, wake me when the
first 1000+ Windows PCs are made into a botnet
because of arcane bugs in quicktime. Notice that
these problems only happen with Windows? There
STILL are no zombied Macs to show for *any* of all
those so called "critical" vulnerabilities. Quicktime
and iTunes don't crash OSX because unlike
Windows, OSX is built on a solid UNIX foundation
which was designed from day one as a multi-user
OS. Windows PCs even still use the 1980s BIOS
system and other vestiges from the days of the
computing dinosaurs.
RE: Apple plugs gaping QuickTime security holes
QuickTime software products, fixing at least 11 documented
security vulnerabilities that could lead to Mac and PC
takeover attacks.
I did not see a single example of this in the things you listed?
How is it arbitrary code execution will lead to someone
taking over my machine?
Double Standard?
EVER been "taken over" through QuickTime -- considered
"gaping security holes" yet system problems with Windows --
which DOES have machines turned into spambots -- called
routine weekly "security patches"?
Just wondering. Flame away...