You are here

T-654: Apple QuickTime Multiple Bugs Let Remote Users Execute Arbitrary

June 24, 2011 - 4:39am

Addthis

PROBLEM:

A vulnerability was reported in QuickTime. A remote user can cause arbitrary code to be executed on the target user's system.

PLATFORM:

Version(s): prior to QuickTime 7.6.8

ABSTRACT:

A remote user can create a specially crafted file that, when loaded by the target user, will execute arbitrary code on the target system. The code will run with the privileges of the target user.

reference LINKS:

SecurityTracker Alert ID: 1025705
Apple Security Article: HT4339
Apple Security Article: HT4723
Apple Security Article: HT1222
CVE-2011-0213
Secunia Advisory: SA45054

IMPACT ASSESSMENT

High

Discussion:

A remote user can create a specially crafted file that, when loaded by the target user, will execute arbitrary code on the target system. The code will run with the privileges of the target user.
A specially crafted RIFF WAV file can trigger an integer overflow [CVE-2011-0209].
Specially crafted sample tables in a QuickTime movie file can cause code execution [CVE-2011-0210].
A specially crafted movie file can trigger an integer overflow [CVE-2011-0211].
A specially crafted JPEG file can trigger a buffer overflow [CVE-2011-0213].

Impact:

A remote user can create a file that, when loaded by the target user, will execute arbitrary code on the target user's system.

Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.
An input validation issue exists in the QuickTime ActiveX control. An optional parameter '_Marshaled_pUnk' may be passed to the ActiveX control to specify an arbitrary integer that is later treated as a pointer. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed by ignoring the '_Marshaled_pUnk' parameter. This issue does not affect Mac OS X systems.

Viewing an image in a maliciously prepared directory may lead to arbitrary code execution.
A path searching issue exists in QuickTime Picture Viewer. If an attacker places a maliciously crafted DLL in the same directory as an image file, opening the image file with QuickTime Picture Viewer may lead to arbitrary code execution. This issue is addressed by removing the current working directory from the DLL search path. This issue does not affect Mac OS X systems.

Solution:

The vendor has issued a fix as part of Mac OS X v10.6.8 and Security Update 2011-004, available from the Software Update pane in System Preferences.
The Software Update utility will present the update that applies to your system configuration. Only one is needed, either Security Update 2011-004 or Mac OS X v10.6.8.

For Mac OS X v10.6.7
The download file is named: MacOSXUpd10.6.8.dmg
Its SHA-1 digest is: fee3d708be1cef09185eb9f6bfad1884efb3f0fc

For Mac OS X v10.6 - v10.6.6
The download file is named: MacOSXUpdCombo10.6.8.dmg
Its SHA-1 digest is: 7e22a53b62bf16f44fbba4042606af91888335cf

For Mac OS X Server v10.6.7
The download file is named: MacOSXServerUpd10.6.8.dmg
Its SHA-1 digest is: 34e8d742635d11fe483b2ca63cbd2df4fe6bd42a

For Mac OS X Server v10.6 - v10.6.6
The download file is named: MacOSXServerUpdCombo10.6.8.dmg
Its SHA-1 digest is: 123bebedc91e9483c7e44e671bf27fda34821b1f

For Mac OS X v10.5.8
The download file is named: SecUpd2011-004.dmg
Its SHA-1 digest is: 2d8967d783c08c4d7904c0138f5ea6fb0056a2f0

For Mac OS X Server v10.5.8
The download file is named: SecUpdSrvr2011-004.dmg
Its SHA-1 digest is: 9fe192900feb5808307aa0329f1d0df430f536f6

Apple Downloads

Addthis