Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Apple releases patches for dangerous QuickTime flaws in Apple TV 2.1 product

By | July 11, 2008, 10:00am PDT

Apple released patches for its Apple TV 2.1 product yesterday. Some of you might be saying, "Why do I care? I don't use Apple TV." Well, if you do use Apple TV, you obviously should care, as some of these are very serious flaws, but if you don't, you might still care because of the nature of the flaws patched for Apple TV.

These flaws were all released for disclosure quite some time ago and are only now being patched. Most were released three months ago, one was released last month, and two were released way back in January. What does that mean? Well, either Apple neglected to patch Apple TV, which might be the case as they recently neglected to patch the iPhone, or, more likely, flaws in integrated applications like QuickTime are not being looked for and patched on all Apple equipment, as researchers and possibly Apple may not realize how widespread applications like QuickTime are.

This is concerning. It's a tough problem for a vendor to tackle, but something I expect that Apple will be paying very close attention to going forward. Leaving a devastating QuickTime flaw unpatched for that long is pretty dangerous, as by this time proof-of-concept exploit code has probably been known for quite some time.

Have a look at these flaws from Apple’s support site. I’ve included with them the date that they were originally reported to the security community (as determined by the National Vulnerability Database repository):

CVE-ID: CVE-2008-1015
Date originally reported: 4/4/2008

Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

Description: An issue in the handling of data reference atoms may result in a buffer overflow. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of data reference atoms. Credit to Chris Ries of Carnegie Mellon University Computing Services for reporting this issue.

CVE-ID: CVE-2008-1017
Date originally reported: 4/4/2008

Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

Description: An issue in the parsing of ‘crgn’ atoms may result in a heap buffer overflow. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Sanbin Li working with TippingPoint’s Zero Day Initiative for reporting this issue.

CVE-ID: CVE-2008-1018
Date originally reported: 4/4/2008

Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

Description: An issue in the parsing of ‘chan’ atoms may result in a heap buffer overflow. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to an anonymous researcher working with TippingPoint’s Zero Day Initiative for reporting this issue.
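As an added illustration (not Apple's code and not part of the original post), the C code below shows the kind of bounds checking the 'crgn' and 'chan' fixes refer to, applied to a generic atom header. It assumes the standard QuickTime atom layout of a 4-byte big-endian size followed by a 4-byte type code; the function names and the sample buffers are hypothetical and constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ATOM_HDR 8u /* 4-byte big-endian size + 4-byte type code */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Copy the payload of the first atom of type `want` into dst.
 * Returns the payload length, or -1 if an atom header is inconsistent
 * with the input length or the payload exceeds dst_cap.
 * Sizes 0 (to end of file) and 1 (64-bit size) are rejected for brevity. */
long copy_atom_payload(const uint8_t *buf, size_t len, const char *want,
                       uint8_t *dst, size_t dst_cap) {
    size_t off = 0;
    while (len - off >= ATOM_HDR) {
        uint32_t size = be32(buf + off);
        if (size < ATOM_HDR || size > len - off)
            return -1;               /* declared size lies outside the input */
        if (memcmp(buf + off + 4, want, 4) == 0) {
            size_t payload = size - ATOM_HDR;
            if (payload > dst_cap)
                return -1;           /* would overflow the destination */
            memcpy(dst, buf + off + ATOM_HDR, payload);
            return (long)payload;
        }
        off += size;
    }
    return -1;                       /* not found, or trailing partial header */
}

/* Constructed sample inputs (not taken from any real movie file). */
static const uint8_t good_file[] = {0,0,0,8,'f','r','e','e',
                                    0,0,0,12,'c','r','g','n',1,2,3,4};
static const uint8_t bad_file[]  = {0,0,0,0x40,'c','r','g','n',1,2,3,4};

/* Well-formed atom, atom whose size field exceeds the file, and a
 * well-formed atom whose payload is larger than the destination. */
long check_good(void)  { uint8_t d[16]; return copy_atom_payload(good_file, sizeof good_file, "crgn", d, sizeof d); }
long check_bad(void)   { uint8_t d[16]; return copy_atom_payload(bad_file, sizeof bad_file, "crgn", d, sizeof d); }
long check_small(void) { uint8_t d[2];  return copy_atom_payload(good_file, sizeof good_file, "crgn", d, sizeof d); }
```

The two checks are independent: the first ties the size field to the bytes actually present, the second ties the copy length to the destination's capacity rather than to anything the file declares.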

CVE-ID: CVE-2008-1585
Date originally reported: 6/10/2008

Impact: Playing maliciously crafted QuickTime content may lead to arbitrary code execution

Description: A URL handling issue exists in the handling of file: URLs. This may allow arbitrary applications and files to be launched when a user plays maliciously crafted QuickTime content. This update addresses the issue by no longer launching local applications and files. Credit to Vinoo Thomas and Rahul Mohandas of McAfee Avert Labs, and Petko D. (pdp) Petkov of GNUCITIZEN working with TippingPoint’s Zero Day Initiative for reporting this issue.

CVE-ID: CVE-2008-0234
Date originally reported: 1/10/2008

Impact: Playing maliciously crafted QuickTime content may lead to an unexpected application termination or arbitrary code execution

Description: A heap buffer overflow exists in the handling of HTTP responses when RTSP tunneling is enabled. Playing maliciously crafted QuickTime content may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.

CVE-ID: CVE-2008-0036
Date originally reported: 1/15/2008

Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution

Description: A buffer overflow may occur while processing a compressed PICT image. Opening a maliciously crafted compressed PICT file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Chris Ries of Carnegie Mellon University Computing Services for reporting this issue.

Nathan McFeters

Nathan McFeters is a Senior Security Advisor for Ernst & Young's Advanced Security Center in Chicago. Nathan has performed web application, deep source code, Internet, Intranet, wireless, dial-up, and social engineering engagements for numerous clients in the Fortune 500 during his career at Ernst & Young and has spoken at a number of prestigious conferences, including Black Hat, DEFCON, ToorCon, and Hack in the Box. He can be found at his Pwn* blog and XS-Sniper, a blog with Billy Rios.

6 Comments

Does anyone use AppleTV?
NonZealot 11th Jul 2008
Some of you might be saying, why do I care, I don't use Apple TV.

AppleTV sales have been abysmal.
0 Votes
?
nmcfeters 11th Jul 2008
Honestly, I don't know. I hadn't heard of it until today. I guess for me the greater concern is how long until QuickTime flaws are popping up everywhere on my iPhone.

-Nate
0 Votes
Yeah, I'd be worried too
NonZealot 11th Jul 2008
Apple does seem awfully slow to release patches. From what I hear, the PWN2OWN exploit attacked a vulnerability in Perl that had been patched months earlier but Apple never bothered to release it. What I find interesting is that an Apple fan actually brought that up in an attempt to make Apple look better!!!

Is there any way of uninstalling Safari and QuickTime on your iPhone? I keep hearing how important it is to be able to uninstall browsers and how bad it is to tie a browser into the OS so I kind of assumed that you could uninstall Safari on the iPhone. Is that assumption correct? Can you uninstall Safari and QuickTime?
0 Votes
I don't think so
nmcfeters 11th Jul 2008
If you can, I don't know how, unless you've jailbroken your phone, but then you've voided your agreement with Apple and AT&T, so I'm not sure that's the best solution to being concerned about Safari/QuickTime either. I haven't upgraded to the latest version yet, but maybe with that you can.

It is a worthy feature request if not... although, I'm not entirely sure you can uninstall Safari or QuickTime from Mac OS X.

-Nate
0 Votes
You can
laura.b Updated - 11th Jul 2008
You can uninstall Safari from OSX. Well, it's not really uninstalling, but rather you just drag it to the trash.

Now, the next time OSX updates, it will have magically returned...but you can get rid of it again when that happens. :)

Now, QuickTime is a little different. It is a MULTI step process (according to apple.com 13 steps for the complete removal of the program and an additional 9 to remove the files and folders associated with it) to completely get rid of it. I'm not sure what it would do to the system (I imagine nothing good...sound manager, and all) as Apple clearly wants you to use this information for persnickety QTs that are going to be reinstalled but need to be completely uninstalled first. Forums I have seen before indicate that it can't really be just removed entirely without negative effects.

Internet Explorer can't be uninstalled, because many functions of the OS depend on pieces of it, like Windows Explorer for example. IE is not necessary for Windows to function, but many of the bits that are present in IE ARE necessary for Windows to function. If you don't want to deal with IE in any fashion ever again, go to Add/Remove Programs, Add/Remove Windows Components, and remove it. This disables it completely, and only a minimal amount of the app (the parts that are vital to other function) remain. The updater won't use it, it will never bring up another browser when a link is clicked, the icons and menu items associated with it go away, and it doesn't reverse itself on updates. If that isn't good enough for people, then they aren't going to be happy with Windows no matter what.
0 Votes
an appleTV is not like a computer or even like an iPhone... it's a syncing and/or streaming box. i have an appleTV and i have absolutely nothing stored on it.. i stream all content from external hard drives attached to my computer. even if i did have content on my appleTV all content is synced from iTunes so if it gets deleted or whatever i still have it. so let's say someone does take over control of my appleTV... what could they do? you can't lose anything.

maybe this is why apple wasn't too worried about patching these things on appleTV... the consequences for a breach are insignificant.. even if some hacker totally futzed up an appleTV.. the user "restores to factory" and 15 mins later you are off to the races.
