Severity: Medium
9 September, 2008
Summary:
§ These vulnerabilities affect: OS X 10.4.x (Tiger) and OS X 10.5.x (Leopard), Windows XP, and Windows Vista
§ How an attacker exploits them: By getting your user to view a maliciously-crafted movie, PICT, or QuickTime Virtual Reality (QTVR) file
§ Impact: Various results; in the worst case, an attacker could execute code on your user’s computer, potentially gaining control of it
§ What to do: Download, test and deploy QuickTime 7.5.5 for Windows or OS X
Severity: Medium
9 September, 2008
Summary:
§ These vulnerabilities affect: OS X 10.4.x (Tiger) and OS X 10.5.x (Leopard), Windows XP, and Windows Vista
§ How an attacker exploits them: By getting your user to view a maliciously-crafted movie, PICT, or QuickTime Virtual Reality (QTVR) file
§ Impact: Various results; in the worst case, an attacker could execute code on your user’s computer, potentially gaining control of it
§ What to do: Download, test and deploy QuickTime 7.5.5 for Windows or OS X
Exposure:
Today, Apple released a security update to fix vulnerabilities in QuickTime, their popular media player for both Windows and Macintosh OS X. The update fixes nine security issues (number based on CVE-IDs) present in how QuickTime processes certain file types. Only some of these nine vulnerabilities exploit file types that are in wide use by typical users, and we are not aware of exploits currently active in the wild, so we rate the severity of this update Medium. Apply it at your earliest convenience. The fixed vulnerabilities include:
§ Security flaws in how QuickTime handles movie files. By luring one of your users into viewing a maliciously crafted movie file, an attacker can exploit either of two QuickTime flaws to execute code on that user’s computer (or, less worrisome, crash QuickTime). Some of the files susceptible to this attack would be formatted as H.264 (typically arrives as a .MOV file), MPEG-4 Part 10 (the format used on Blu-Ray and HD-DVD files), or MPEG-4 AVC files (the format used by many consumer-grade camcorders and on iPod and PlayStation3). These vulnerabilities can be exploited on Windows and OS X computers.
§ Flaws in how QuickTime handles PICT images. PICT is a graphical image file format that still enjoys some use, but has largely been replaced by PDFs. An attacker can craft a malicious PICT file that is designed to exploit any of three different errors in how QuickTime opens PICT. If a user opened the booby-trapped file, the results could either crash QuickTime or execute the attacker’s code on the victim’s computer. These flaws affect both Windows and OS X.
Apple’s alert also describes flaws in handling QuickTime Virtual Reality (QTVR) files. QTVR essentially stitches photos together to give the impression of a 360-degree view. You might see it in use, for example, on a web site that shows what the inside of a hotel room looks like. It is not used by the vast majority of our subscribers, so we’ll spare you the details (although you can get them in Apple’s advisory). Apple also mentions flaws in QuickTime’s handling of a codec called Indeo. Indeo is just another way of creating .MOV files.
Solution Path:
Apple has released QuickTime 7.5.5 to fix these security issues. Windows and OS X administrators should download, test, and deploy the appropriate update at their earliest convenience. By default, the download bundles iTunes with QuickTime; because iTunes often has security issues of its own, we recommend that you select the option of downloading QuickTime alone.
§ QuickTime 7.5.5 for Leopard (Mac OS X 10.5 or later)
§ QuickTime 7.5.5 for Tiger (Mac OS X 10.4.x)
For All Users:
Because QuickTime handles so many different media types (many of which are essential for doing business today), trying to block exploitable file types using your firewall may not be the best way to support your organization’s mission. Instead, your best solution is to download and install Apple’s fixes.
Status:
Apple has released updates to fix these issues.