Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Apple QuickTime bitten by code execution flaws

By | January 21, 2009, 11:15am PST

Summary: Apple today released QuickTime 7.6 to fix at least seven serious security flaws that expose Mac OS X and Windows users to remote code execution attacks. The latest upgrade, available for Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista and Windows XP SP2 and SP3, covers vulnerabilities that could be [...]

Apple today released QuickTime 7.6 to fix at least seven serious security flaws that expose Mac OS X and Windows users to remote code execution attacks.

The latest upgrade, available for Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista and Windows XP SP2 and SP3, covers vulnerabilities that could be exploited via malicious URLs or booby-trapped movie or audio files.

Here’s the skinny:

  • CVE-2009-0001 — A heap buffer overflow exists in QuickTime’s handling of RTSP URLs. Accessing a maliciously crafted RTSP URL may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2009-0002 — A heap buffer overflow exists in QuickTime’s handling of THKD atoms in QTVR (QuickTime Virtual Reality) movie files. Viewing a maliciously crafted QTVR file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.
  • CVE-2009-0003 — A heap buffer overflow may occur while processing an AVI movie file. Opening a maliciously crafted AVI movie file may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2009-0004 — A buffer overflow exists in the handling of MPEG-2 video files with MP3 audio content. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2009-0005 — A memory corruption exists in QuickTime’s handling of H.263 encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2009-0006 — A signedness issue exists in QuickTime’s handling of Cinepak encoded movie files, which may result in a heap buffer overflow. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2009-0007 — A heap buffer overflow exists in QuickTime’s handling of jpeg atoms in QuickTime movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution.

The patch is available via the software update utility on Mac OS X and the automatic-updating tool for Windows XP and Vista. Additionally, QuickTime 7.6 may be obtained from the QuickTime Downloads site.

UPDATE: Apple issued a separate advisory for an input validation issue in the QuickTime MPEG-2 Playback Component for Windows:

  • CVE-2009-0008 (available for Windows Vista, XP SP2 and SP3): Accessing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of MPEG-2 files. This issue does not affect systems running Mac OS X.


Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.


What OSs are vulnerable by default?
NonZealot 21st Jan 2009
Windows? OS X? Linux? Do any of these have QuickTime installed on them by default?
re: What OSs are vulnerable by default?
ChrisOPeterson 21st Jan 2009
Which OS has the most viruses, trojans, worms, malware, and adware loose in the wild? Windows? OS X? Linux?
Please stay on topic
NonZealot 21st Jan 2009
We are talking about a large number of remote code execution vulnerabilities in a specific product (QuickTime) and I would like to know what OSs have QuickTime installed on them by default. Do you have an answer to this question or do you not know?
Only Mac OS X has Quicktime by default
betelgeuse68 21st Jan 2009
MS sure isn't going to ship QuickTime bits on their Windows CDs. So the "default" case is no. It's entirely possible an OEM (Dell, HP) has a disk image with QuickTime on it but that's too specific and not the "general case".

As for "Mac OS X", you don't run as "root" under it, so "arbitrary code execution" flaws are mitigated, i.e. you suddenly won't find your Mac as part of a bot network or with a keyboard logger installed.

Unfortunately 80% of Windows users are XP users which *DO* run as "root" ("Administrator" in the Windows vernacular) which unfortunately means keyboard loggers and/or having their machine instrumented is par for the course. More specifically the fact that they run as an administrator lends significantly more teeth to "arbitrary code execution" than on Mac OS X.

To mitigate this issue, I've pointed out "RemoveAdmin" numerous times on this forum:

http://www.download.com/RemoveAdmin/3000-2381_4-10824971.html?tag=mncol&cdlPid=10835515

The default RemoveAdmin installer creates shortcuts for IE and Firefox but if you analyze the shortcut, you see IE and Firefox are passed as an argument to the removeAdmin.exe program.

You can trivially set up another shortcut for Opera and/or any other Internet facing application... as you should since you shouldn't trust foreign computer systems you connect to and by proxy you leave your OS directories exposed if you run as an administrator.

Since most people reach QuickTime content through their browser, QuickTime will *NOT* have administrative rights if you launch your browser via RemoveAdmin. In the Windows model, child processes can only inherit as many privileges as the parent process. This means that you won't suddenly find your machine completely taken over because unlucky you just happened to view a QuickTime movie with a QuickTime player with arbitrary code execution holes.

Read the feedback on RemoveAdmin and the description itself. To convince yourself that it's doing something useful after you've quit your browser completely and subsequently fired it up via RemoveAdmin (SecureIE, SecureFirefox), view the source of any web page and then try to save the HTML/JavaScript to some place like C:\WINDOWS. You'll find that you can't because the editor launched to "View Source" which inherited rights from the browser doesn't have administrative rights. Likewise, QuickTime, Adobe's PDF reader and the browser itself no longer can be trivially leveraged to breach your system.

-M
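A way to verify the token-inheritance claim in the comment above, as an added PowerShell example (not RemoveAdmin's code and not part of the original post): it reports whether the current process token holds the Administrators role and can create a file under the Windows directory, then runs the same check in a child process to show the child cannot end up with more than its parent had. Assumes Windows PowerShell 5.1 or newer; the probe file name is constructed.

```powershell
# Added example: check which rights a process token actually carries, and show
# that a child process inherits them. Not RemoveAdmin's code; assumes Windows
# PowerShell 5.1 or newer. The probe file name below is constructed.

function Test-AdminToken {
    # IsInRole looks at the token's enabled groups. A restricted or UAC-filtered
    # token carries Administrators as deny-only, so the role check returns False.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Same experiment as "save the View Source output into C:\WINDOWS": try to
    # create a file in the OS directory with this token, then remove it again.
    $probe = Join-Path $env:SystemRoot ('token-probe-{0}.tmp' -f [guid]::NewGuid())
    $canWriteSystemRoot = $false
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        $canWriteSystemRoot = $true
    } catch {
        # Access denied (or any other failure) means this token cannot write there.
        $canWriteSystemRoot = $false
    }

    [PSCustomObject]@{
        Pid                = $PID
        User               = $identity.Name
        AdministratorsRole = $isAdmin
        CanWriteSystemRoot = $canWriteSystemRoot
    }
}

# 1. The parent process (this shell, or whatever launched it) reports on its token.
$parent = Test-AdminToken
$parent | Format-List

# 2. A child started from here receives a copy of the same token, so it can only
#    report what the parent already had. The function is shipped to a child
#    powershell.exe as an encoded command to avoid command-line quoting problems.
$childCommand = "function Test-AdminToken { $($function:Test-AdminToken) }; (Test-AdminToken).AdministratorsRole"
$encoded      = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($childCommand))
$childOutput  = & powershell.exe -NoProfile -NonInteractive -EncodedCommand $encoded
$childIsAdmin = (@($childOutput)[-1] -eq 'True')

"Parent PID $PID in Administrators role: $($parent.AdministratorsRole)"
"Child  process in Administrators role:  $childIsAdmin"
if ($childIsAdmin -eq $parent.AdministratorsRole) {
    'Child inherited the parent token: rights match.'
} else {
    'Mismatch: something between parent and child changed the token.'
}
```

Run it once from an elevated prompt and once from a browser-launched or standard-user shell: both rows flip together, which is the whole point of restricting the token of the parent rather than trusting each plug-in to behave.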
Thanks for the info
NonZealot 21st Jan 2009
Yes, XP had lousy defaults although they weren't difficult to change. The first thing I did when installing XP was to remove my user account from the Administrators group. It only took 30 seconds.

You offer another great suggestion.

Or, you could always upgrade to the latest release of Windows that came out over 2 years ago.

Or, if you don't want to spend any money, you could download Linux for free and install it on your PC. Interestingly enough, Linux is immune to all vulnerabilities in all Apple products. :)

So many options!! :)
However...
betelgeuse68 21st Jan 2009
I found out HP & Dell with their Vista OEM image actually turn off UAC, or rather was told by someone well versed in the field (a former Microsoftie that's a coworker of mine now).

Turns out RemoveAdmin will work with Vista as well, i.e. the underlying security APIs haven't changed under Vista so RemoveAdmin will work with Vista with UAC turned off. My suggestion would be to use UAC. If someone complains about the prompting... unfortunately it's way less painful than having your machine hosed because of malware, spyware, cr@pware.

Microsoft needs to cache a user's credentials for a period of time after the first prompting a la sudo.

Best bet is to NOT run as Administrator but the problem is this doesn't mean much to Jane & Joe Sixpack. I'm actually the author of RemoveAdmin and my goal was to be able to point something to my "Aunt Mary" (John Q. Public) and tell them to "run this". In other words, a turnkey solution to mitigate their security situation (all around bad for 99.999% of Windows XP users).

Telling your average Windows XP user not to run as administrator doesn't mean squat.

Even among techies it was bad. Despite the fact that a command line tool exists on Microsoft's site that pretty much does what RemoveAdmin does, I discovered that I would largely get glazed looks. It was either a combination of flat out ignorance (not getting the principle of least privilege), laziness or pride (someone else knowing more than them on the topic).

Eventually I realized that an installer was a critical part of the equation -- providing a turnkey solution.

I need to work on a FAQ though and have that come out when the installer finishes since it's not at all obvious that anything has "changed". And again, few people understand that their desktop applications shouldn't be granted the right to write to OS directories.

-M
RE: However...
Cyrorm 21st Jan 2009
I found out HP & Dell with their Vista OEM image actually turn off UAC

I don't know your sources, but they are at least dead wrong on the claim that HP turns off UAC on the OEM image.
Not My Dell Experience, Either
PMC-CON 22nd Jan 2009
Vista Business 32-bit - UAC is activated.
Not my experience on a Dell
tikigawd 22nd Jan 2009
I got my dad one 1 1/2 years ago and it had UAC on.

MS would throw a fit if the biggest OEMs undermined their OS so blatantly.
Linux immune to all vulnerabilities in all Apple products?
Maybe I'm parsing this in a manner that is disadvantageous to your point, but my install of OS X (including the Developer tools), both Apple products, means a Linux box and I both use the same gtk2hs, cups, apache, bash, openssl, proftp, python, perl, postgresql (okay, I download and compile from source), ruby, sqlite, gcc, and I could go on. The firewall on Linux is likely to be different from the one Apple uses which comes from the BSDs.

So OS X shares some vulnerabilities with Linux at any one time. Licensing issues mean Linuxes are using GPL variants and Apple BSD/MIT variants and of course Apple has written their own proprietary software, mix up that gumbo and I'd say Linux is immune to some of the vulnerabilities in Apple products. Apple, at the same time, is immune to some of the vulnerabilities found in a Linux distro.

Seriously, if security was THE consideration for choosing an operating system, I think your last suggestion would be first, especially for one who wants to use a netbook or budget line system. Get Linux. Avoid Windows.
Sandboxie works great for the same thing
Kid Icarus-21097050858087920245213802267493 21st Jan 2009
Sandboxing all of your internet activity.
Sandboxie also costs 22 pounds
betelgeuse68 21st Jan 2009
Which is whatever at the exchange rate for your country's currency. Whereas RemoveAdmin is FREE.

Admittedly, Sandboxie does more... but the question is, do you truly need it?

I'm a firm believer in employing the security capabilities that Windows already has that unfortunately few employ. Case in point, when you install the Windows version of Apache, it sets up your web server with administrative rights. Duh. Despite the fact that you can (and should) set up a non-privileged account to run such a network service.

-M
I made a rebuttal...
ChrisOPeterson 21st Jan 2009
Like you ever stay on topic...
It was very clear what you were trying to do with your comment and I just wanted to point out how silly it is. Quicktime has flaws like every application, and yet the one platform that has it by default suffers almost no current vulnerabilities. Your "point" is not only ridiculous but fallacious.
So we're clear then...
Sleeper Service 22nd Jan 2009
Windows has the most malware because it has the largest - by far - market share however OS X - or its bundled applications - also has vulnerabilities.

Good. That's what most sensible people have been saying for some time.
re: What OSs are vulnerable by default?
Cyrorm Updated - 21st Jan 2009
This may be obvious to most, but I'll say it anyway... The OS with the most market share has the most viruses, trojans, worms, malware, and adware loose in the wild....

Of course correlation does not equal causation, but you have to wonder just a little bit...
Childish school yard question...
BubbaJones_ 21st Jan 2009
NonZealot it truly doesn't matter, it isn't OS specific it's QuickTime. Apple fixed what was found.

Regardless the OS maker or the software maker issues will be found then will be addressed. Haven't you outgrown those types of questions? Come on add something of substance that will assist someone. Or are you that petty?
Interesting!
NonZealot 21st Jan 2009
So the default configuration of the OS is no longer important? Interesting! Can I quote you on that?

Also, vulnerabilities no longer matter the instant they are patched? Also interesting! Can I quote you on that too?
He's big time petty!
GoPower 21st Jan 2009
And he's truly got some psycho issues. He's totally obsessed with all things Apple.
NZ reason for living
frgough Updated - 21st Jan 2009
is to make excuses for Windows by pointing his finger at OS X and loudly shouting "it's just as bad or worse."

Adults recognize this as basically the equivalent as shouting out "oh, yeah? Well, your mother!"
Well, your mother!
M.R. Kennedy 21st Jan 2009
There. I said it.

Now, what's your excuse?
Answers to your questions.
Letophoro 22nd Jan 2009
What OSs are vulnerable by default?
All of them. If you meant to ask which are vulnerable to flaws in QuickTime by default, you should have asked that.

Windows?
Yes.

OS X?
Yes.

Linux?
Yes.

Do any of these have QuickTime installed on them by default?
Only OS X.
So the Mac ads saying that they don't get viruses and malware... and saying they are stable and don't have errors are all lies???

Apple's advertising is full of crap and everybody knows it... all their ads are based on fear... and not truth... sorry, their Christmas ad with PC rules... that was the truth
Huh?
Kid Icarus-21097050858087920245213802267493 21st Jan 2009
How do patches equate to not being stable, and having viruses and malware?

I've never had any of those problems despite Apple's patching of Quicktime.

Their ads are based on fear? More like poking fun at the popular kid at school with STDs.
Isn't it about time...
itpro_z 21st Jan 2009
...for Apple to put QT out of our misery and write a new application from the ground up? I am sure that I am not the only admin who removes all Apple software on sight, and I also tell my users just why they should not install any Apple software on their PCs, at home or work. Is this the reputation that Apple wants to promote?
I agree
x21x 21st Jan 2009
It seems like Quicktime has more security problems than Windows 98.

For an application that is meant to play videos or audio files why does it have so many problems?

I wonder if there is a comparison vs media player
Re: Isn't it about time...
rsfinn 21st Jan 2009
Do you feel that Flash or WM are more reliable than QuickTime? If not, what software do you use to play back media?

I have never experienced problems with QuickTime on any of my computers. On the other hand, I don't run Windows on them either.
A couple of options
itpro_z 21st Jan 2009
WMP has toughened up considerably, and offers a more secure player than QT. VLC media player is another option that I use regularly, as it plays most anything. About the only times that I run into QT anymore is on machines with iTunes, which, at least on Windows, is total crapware as it installs both QT and Safari unless the user is quite diligent.

If Apple won't fix QT, then they either need to replace it or allow another player like WMP to function with iTunes. The Safari install should be off by default.
QuickTime alternative
tikigawd 22nd Jan 2009
works fine with iTunes.

The question is, why do you want to use iTunes anyway?
@itpro_z
Axsimulate 21st Jan 2009
And how many holes have been found in MS code over the course of 14 years?
That is not the issue
itpro_z 21st Jan 2009
Windows has made great strides in improving security, but that is beside the point. QT has been crap for years. Apple needs to either replace it entirely, or stop requiring it to use iTunes.
@itpro_z
Axsimulate Updated - 22nd Jan 2009
And Apple hasn't? This is a patch for QuickTime you know, they are working on it. How many years has MS been patching active x, IE, etc? It wasn't that long ago a lot of people were calling MS to scrap the above mentioned and start again because of gaping security holes.
The fact is both have had their share of security issues. Only MS has been hit harder with theirs than with Apple's.
Apple can't get ONE APP to be secure, the one that it promotes to Windows users heavily.

It's just ONE APP, not an entire OS!!! Not an entire API, like ActiveX (which is not really that hole-y, just easy to program against and super-powerful against the file system.) If Quicktime is an example of the quality of Apple code and testing, considering it's being patched constantly, can you imagine how many holes are in the bastardized Unix they sell as OS/X?

The fact that the Apple holes are unknown today, and exploited little, is probably because the OEM partners for Microsoft chose the easy way out, and decided not to protect their customers by having any sort of reasonable account security by default. (It slows down initial setup and OOBE.) Vista UAC is the response to weak-minded OEMS, as well as the notifications escalation from Windows XP as Service Packs progressed.

Windows PCs predominate (because of lower initial cost and better software availability) and the user account structures are insecure, so why would any organized crime businessman attack Macs?

The cynical among us MIGHT THINK that Apple pumps out faulty Windows code to try to undermine the platform. (Like the time they shipped Windows malware in an appliance that was attached to Windows machines, then didn't apologize.) But the fact that Quicktime is a cesspool under OS/X just suggests that they are sloppy.
MS just patched a major flaw in WMP a few days ago. WMP has been swiss cheese for quite long time. Do you go around cursing it and removing it from all your Windows computers?

Besides, QT is being scrapped and re-written from the ground up in Snow Leopard.
Like you said...
itpro_z 21st Jan 2009
...although your opinion is also subjective. I seem to remember a security test last year where the Mac fell in a matter of minutes, the first to go. Wasn't it QT that was exploited? However, the article was about QT, which is required for iTunes operation on Windows machines, and has been a severe security risk for years. Safari, which installs by default with iTunes, is an even bigger risk. I could care less what Apple does with any of their cute little kitties. My concern is keeping the computers on my network secure, and Apple software is a major risk. Yes, Adobe also ranks up there, but I need Adobe software. I absolutely do not need anything that Apple produces, and will continue to wipe it off my systems whenever and wherever I find it.

WMP has also had its issues over the years, but, like Windows itself, has hardened under the constant attacks that exist on the PC side of the universe. Windows systems are now mostly attacked through addon software, such as Flash, Acrobat, and QT. My point is valid: If Apple can't, or won't, secure their Windows apps, then they should give us the option of using something else. But, then again, Apple is not exactly known for giving us options, are they?
The winner of that contest...
logicearth@... 22nd Jan 2009
...exploited Safari, the contest before that one the winner exploited QuickTime. See a pattern?
I'm so glad to hear it!!
NonZealot 22nd Jan 2009
Besides, QT is being scrapped and re-written from the ground up in Snow Leopard.

That is truly wonderful news for all of us who care about security. It sounds like even Apple, contrary to what you apologists say, realize that QuickTime is hopelessly flawed and only a complete rewrite, from scratch, could possibly improve it. :)

Thanks frgough for proving what all of us have been trying to say. :)
FLAG ON THE PLAY
PMC-CON 22nd Jan 2009
There was no WMP security flaw, and it wasn't patched.

MS fuzzing had isolated it; it was a local bug caused by potentially bad data in a media file and NOT a security flaw. The bug is that the file won't play and WMP crashes.
So..where was QuickTime Bitten???
CowLauncher 21st Jan 2009
Nowhere. No one was able to exploit because it is exceedingly difficult to do. Nice FUD headline.

Now let's look at Windows these days to see what being bitten really means. The BBC reports today on the Conficker virus:

"As the virus - also known as Downadup - has spread to an estimated 9m computers globally, a number of high-profile instances of the virus have arisen," The Beeb reports. "The Ministry of Defence has been battling an outbreak of the virus across its network for more than two weeks, and on Tuesday a network of hospitals across Sheffield told technology website The Register that more than 800 of their computers had been infected."
But, but..
Kid Icarus-21097050858087920245213802267493 Updated - 21st Jan 2009
There are a billion Windows users so 9m infected computers really this is nothing..

;)
Actually...
Sleeper Service 22nd Jan 2009
...it's not nothing but it is less than 1%.

Carry on.
@CowLauncher
Axsimulate 21st Jan 2009
Really, I read this story on Yahoo of all places. Where is this story on ZDNet? Isn't ZDNet supposed to be all about computers? They are saying this might possibly be the worst outbreak this century and where is ZDNet? Too busy talking about Apple fixing a few flaws that have never been breached? Come on ZDNet get with the program.
That story is right here...
DevJonny 22nd Jan 2009
... http://blogs.zdnet.com/security/?p=2388

It was posted on 15th Jan, before the BBC got it...But at the time of posting it was only 3.5 million.
PWNT.
Sleeper Service 22nd Jan 2009
{NT}
LOL
tikigawd 22nd Jan 2009
You'd think he would at least do a quick search for the article on ZDnet before putting his foot in his mouth.
@DevJonny
Axsimulate Updated - 23rd Jan 2009
Thanks for the link. Was it ever a headline on ZDNet? I've been very busy the last week and haven't had a lot of time to look.
@Axsimulate
DevJonny 23rd Jan 2009
Not too sure if it was or not. I have a feeling it was among the headlines but not sure if it was the main one. Problem was it was probably fighting for space amongst the Win7 blog posts.
You're not understanding the problem
betelgeuse68 21st Jan 2009
"Arbitrary code execution" means all you have to do is set up a rigged video somewhere on the Internet and have people hit the content.

It is a scenario that allows you to catapult to do other nefarious things... such as, start instrumenting people's machines. It does not mean some specific virus is at play.

It's kinda like leaving your house door wide open while you go off on vacation.

A perfectly viable way to do this is to breach some legitimate web site that has QuickTime content, modify whatever they're serving up to John Q. Public with a rigged video to leverage the arbitrary code execution flaws so as people come visit the legitimate site, they get screwed.

Better yet if the people visiting are Windows XP users. That's because 99.999% of them run with administrative rights which means you can trivially take control over their systems.

-M
Excellent Point My Friend
CowLauncher 21st Jan 2009
These kind of social behavior fired exploits are the most dangerous. It is interesting how people think that autorun is a great feature when in fact it is a huge vulnerability that has never been properly managed on Windows.
