
Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Apple plugs gaping QuickTime security holes

By | September 9, 2008, 2:05pm PDT


Apple today released a major makeover to its iTunes and QuickTime software products, fixing at least 11 documented security vulnerabilities that could lead to Mac and PC takeover attacks.

QuickTime 7.5.5, which should be considered an “extremely critical” update, addresses nine different vulnerabilities that could cause some serious damage if a Windows or Mac OS X user is tricked into viewing a rigged movie file. The iTunes 8 update addresses two separate bugs that could put users at risk of information disclosure.

Full details on the vulnerabilities and patches:

QUICKTIME 7.5.5

  • CVE-2008-3615: An uninitialized memory access issue exists in the third-party Indeo v5 codec for QuickTime, which does not ship with QuickTime. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. Affects Windows Vista, XP SP2 and SP3.
  • CVE-2008-3635: A stack buffer overflow exists in the third-party Indeo v3.2 codec for QuickTime. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. Affects Windows Vista, XP SP2 and SP3.
  • CVE-2008-3624: A heap buffer overflow exists in QuickTime’s handling of panorama atoms in QTVR (QuickTime Virtual Reality) movie files. Viewing a maliciously crafted QTVR file may lead to an unexpected application termination or arbitrary code execution. Affects Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3.
  • CVE-2008-3625: A stack buffer overflow exists in QuickTime’s handling of panorama atoms in QTVR (QuickTime Virtual Reality) movie files. Viewing a maliciously crafted QTVR file may lead to an unexpected application termination or arbitrary code execution. Available for Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3.
  • CVE-2008-3614: An integer overflow exists in QuickTime’s handling of PICT images. Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution. Affects Windows Vista, XP SP2 and SP3.
  • CVE-2008-3626: A memory corruption issue exists in QuickTime’s handling of STSZ atoms in movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. Available for Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3.
  • CVE-2008-3627: Multiple memory corruption issues exist in QuickTime’s handling of H.264 encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. Available for Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3.
  • CVE-2008-3628: An invalid pointer issue exists in QuickTime’s handling of PICT images. Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution. Available for Windows Vista, XP SP2 and SP3.
  • CVE-2008-3629: An out-of-bounds read issue exists in QuickTime’s handling of PICT images. Opening a maliciously crafted PICT image may lead to an unexpected application termination. Affects Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3.

iTunes 8

  • CVE-2008-3634: When the firewall is configured to block iTunes Music Sharing and the user enables iTunes Music Sharing in iTunes, a warning dialog is displayed which incorrectly informs the user that unblocking iTunes Music Sharing doesn’t affect the firewall’s security. Allowing iTunes Music Sharing or any other service through the firewall inherently affects security by exposing the service to remote entities. This update addresses the issue by refining the text in the warning dialog. Available for Mac OS X v10.4.11, Mac OS X Server v10.4.11.
  • CVE-2008-3636: A third-party driver provided with iTunes may trigger an integer overflow, and could allow a local user to obtain system privileges. Available for: Windows XP or Vista.


Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

22 Comments

analyser, given the type of problems identified.

About time Apple, and good work.
0 Votes
Don't think so
tonymcs@... 9th Sep 2008
I think they're still relying on external hackers and of course, their ever-suffering fan base.

Quicktime has a long history of being unreliable and buggy on Windows, now we can add very insecure as well.
0 Votes
You're right
Richard Flude 9th Sep 2008
http://lists.apple.com/archives/security-announce/2008/Sep/msg00000.html

Credits many third party researchers
0 Votes
If they haven't already
mdemuth 9th Sep 2008
Then my advice to everyone is touch nothing that Apple has coded.
What is this, 2001?

It is rather pathetic that anyone would give them a thumbs up for that.
0 Votes
New tools becoming available all the time
Richard Flude 9th Sep 2008
And they're getting better.

"It is rather pathetic that anyone would give them a thumbs
up for that."

Closing security vulnerabilities isn't a good thing?
0 Votes
And last month there were a ton.

And the month before that there were a ton.

Gee, kind of makes you wonder if there will be a ton of vulnerabilities found next month.

And next month.

And next month.

There is a reason Quicktime isn't allowed on any of my computers.
0 Votes
Is there no patch to iTunes 7.x -- the only option to secure yourself is upgrading to iTunes 8? Wow. That's the kind of thing that Microsoft gets sued over.
0 Votes
Difference with iTunes 8...
ExCorpGuy 10th Sep 2008
Updating to iTunes 8 is FREE. How could they possibly get sued for something that is free?
People have complained very loudly about Microsoft trying to force XP users to upgrade from IE6 to IE7, yet 1) IE7 is free, 2) Automatic Updates offers IE7 but you are free to decline it.

Because iTunes 8 also offers new features, this can be seen as a way to force these new features onto existing iTunes users whether they want them or not.
0 Votes
The problem with IE7
lumpy_blumpkin 10th Sep 2008
The problem with the IE7 upgrade is that IE7 does not run well or at all on older systems. My father ran into this problem when he tried to upgrade IE on an older Dell. And by older I only mean 3-4 years old. I told him to forget IE and go with Firefox. There is also a big difference in the interface between IE6 and IE7.
0 Votes
Wait....Look at this
laura.b 10th Sep 2008
The problem with the IE7 upgrade is that IE7 does not run well or at all on older systems

And the problem with iTunes 8 is that it does not run well or at all on new systems.

http://blogs.zdnet.com/hardware/?p=2581


Sorry...I couldn't resist myself.
0 Votes
I banned QuickTime from my Windows
qmlscycrajg Updated - 10th Sep 2008
I banned QuickTime from my Windows due to too many security flaws. I also hate the .mov format because it's poorly rendered, it has glitches and refresh redraw problems.
0 Votes
MOV is a good container format
brunerd 10th Sep 2008
Well... just to chime in here... the glitches and
refresh/redraw probs are probably IRQ and DMA problems
that come along with running Windows in a DIY box on
some PC motherboard that has a bunch of cards jammed in
the slots all vying for Bus access (and who knows maybe
the motherboard chipset has a driver update?) etc,etc... SO
glad I don't have worry about that stuff anymore. Lord
knows I did from my first PC in '91 to my last in 2002, you
just don't have to worry about all the subsystem conflicts
and interactions on a Mac. The video performance is
awesome and MOV is a good format, renders as well as the
source material it's given.
Most of the "arbitrary code execution" flaws are sparrow farts if you don't run with administrative privileges. Which you don't if you're on Vista with UAC (default behavior).

For Windows XP users, you should use a "limited account" or use this tool (more than likely this since you're too used to running with the default "out of the box" scenario - admin privileges):

http://www.download.com/RemoveAdmin/3000-2381_4-10824971.html?tag=lst-1&cdlPid=10835515

RemoveAdmin strips administrative rights of your browser... so when you click on that QuickTime link, the QuickTime player spawned doesn't have administrative rights either... which means the "arbitrary code execution" flaws are severely mitigated.

You can easily create shortcuts for alternate browsers such as Safari and Opera. Just look at the shortcuts created for Firefox and IE. RemoveAdmin is a general purpose tool, the installer just does some initial grunt work of creating two convenient shortcuts.

In closing, no system is 100% secure but mitigation is better than nothing.

-M
0 Votes
Quicktime is garbage.
TripleII-21189418044173169409978279405827 10th Sep 2008
I said it two years ago, one year ago, Quicktime is the single worst application in terms of security. The 11 vulnerabilities bring the count, in this blog to 64 zero day vulnerabilities in 2 years.

Seriously, Apple, you could have built, from scratch, a forked BSD player 11 times over than all the constant and ineffectual futile effort to secure this true piece of garbage software. So keep throwing good money after bad, or once and for all, throw it out, take a BSD player, make it proprietary, remove all the functions it supports to play all formats and lock it to AAC and MP3, and be done with it.

I wonder how many infected computers, zero day vulnerabilities, stolen identities it will take before Apple is held responsible by enforcing garbage software?

TripleII
0 Votes
Quicktime X
brunerd 10th Sep 2008
Snow Leopard will be featuring Quicktime X, a rewrite, I'm
assuming they will be starting with a new code base. But
enough with the sour grapes "make it proprietary, remove
all the functions it supports to play all formats and lock it
to AAC and MP3, and be done with it." Quicktime has
allowed for 3rd party codecs to be written for it (Perian for
example) and has QUITE a few built in, but sorry no
Ogg/Vorbis out of the box if that's what gets your FOSS
goat. But honestly QT trounces the only other widespread
OS installed media player and it's the much more awful
Windows Media Player, that can't even play a properly
encoded MP4 from Quicktime without it being in an AVI
wrapper, blech.
0 Votes
Good info, thanks. It will be massively proprietary.
TripleII-21189418044173169409978279405827 10th Sep 2008
You can read this blog to see Apple in action these days.
http://blogs.zdnet.com/Bott/?p=536

Before conversion to Linux, my nephew's iTunes constantly reset itself to AAC 128 as the default for encoding after every upgrade.

Apple tries, with every new release of firmware, to break Linux compatibility.

I am very jaundiced where it comes to Apple because of their history. From bricking phones to sneaky Safari to the link above. I have to agree with Ed's wonderment at how Apple can act worse than MS did in the mid 90's and get a complete pass. I don't even like Vista yet I feel for MS because Apple will come out smelling like roses, be the hero, and Vista will take the rap.

My main point, besides iTunes, AAC is a weak handcuff because not all MP3 players support it, and who wants to convert their entire collection from lossy to lossy?

TripleII
0 Votes
Building a solid house...
arminw 22nd Sep 2008
on top of the garbage dump of Windows might
well cause problems. Even so, wake me when the
first 1000+ Windows PCs are made into a botnet
because of arcane bugs in quicktime. Notice that
these problems only happen with Windows? There
STILL are no zombied Macs to show for *any* of all
those so called "critical" vulnerabilities. Quicktime
and iTunes don't crash OSX because unlike
Windows, OSX is built on a solid UNIX foundation
which was designed from day one as a multi-user
OS. Windows PCs even still use the 1980s BIOS
system and other vestiges from the days of the
computing dinosaurs.
0 Votes
Apple today released a major makeover to its iTunes and
QuickTime software products, fixing at least 11 documented
security vulnerabilities that could lead to Mac and PC
takeover attacks.

I did not see a single example of this in the things you listed?
How is it arbitrary code execution will lead to someone
taking over my machine?
0 Votes
Double Standard?
KaplanMike 10th Sep 2008
Why are obscure QuickTime bugs -- no one's machine has
EVER been "taken over" through QuickTime -- considered
"gaping security holes" yet system problems with Windows --
which DOES have machines turned into spambots -- called
routine weekly "security patches"?

Just wondering. Flame away...
0 Votes
Curious eh?
isulzer 11th Sep 2008
It's a fad.

Although the reason the QT vulnerabilities aren't abused is simply because:
1. Not everyone installs QT on windows. And everyone who uses windows... is vulnerable to unpatched windows vulnerabilities. So the total amount of people vulnerable is small.
2. QT vulnerabilities require the user to be given or find a malicious video file. It's a difficult-to-use attack vector. Whereas windows vulnerabilities could have many attack vectors, some of which are damned easy to exploit.
3. Fad. People hate quick time. It's understood that no one wants it, therefore no one bothers to exploit it. "It sucks so I won't bother abusing it cus its pointless."
0 Votes
I need to have a relatively bug free Quicktime installed. Adobe CS3 Flash Encoder doesn't work without it, which I need for Web work. I use VideoLAN to open everything Web related (including .MOV and .WMV files). Lest you think I'm lampooning Apple, I don't use any version of Media Player for anything. It's just that I like open source solutions when it's possible to use them.
