[ISN] Another QuickTime flaw found

From: InfoSec News (isn@private)
Date: Tue Nov 08 2005 - 22:05:37 PST


http://news.zdnet.com/2100-1009_22-5940081.html

By Dawn Kawamoto, CNET News.com
Published on ZDNet News
November 8, 2005

Less than three weeks after Apple Computer issued an update to patch
four security flaws in its QuickTime media player, a new "critical"
problem has been discovered.

The unpatched vulnerability could allow remote execution of code,
according to an advisory published Monday by eEye Digital Security. It
affects various versions of Apple QuickTime running on all types of
operating systems, the company said, but did not specify which
versions in particular were at risk.

eEye said it notified Apple of the flaw on Oct. 31, when it outlined
vulnerabilities that were not addressed in Apple's update of Oct. 12.
And although Apple issued a security advisory Nov. 3 regarding its
patch and the four flaws, that advisory did not address the new flaw
eEye discovered, said Mike Puterbaugh, eEye's senior product marketing
director.

"We don't feel this flaw could result in an Internet worm, as it does
require end-user interaction (such as clicking on a link to a
malicious Web site or chat session). The affected component is,
however, enabled by default," Puterbaugh said.

This newly discovered flaw could allow an attacker to pose as the
logged-in user and launch remotely executable code. An intruder, for
example, could access and do everything that a user could do on his
computer. If the user had administrator rights, the hacker could also
access everything that the administrator could.

"The Apple flaw works with their latest version of QuickTime," said
Steve Manzuik, eEye product manager. "The only similarity with the
earlier flaws is it's in QuickTime."

The new issue affects a different QuickTime function than the four
earlier flaws, which included a missing movie attribute that could be
interpreted as an extension. The absence of the actual extension is
not detected, resulting in a "dereference of a null pointer."

Another of the earlier four flaws included an integer overflow that
could be remotely exploited through a specially crafted video file.

eEye has declined to provide more specifics in its security advisories
until the vendor has issued a patch. That policy is designed to
prevent hackers from reverse engineering the problem to launch an
attack while the vendor works to fix the flaw.

Apple's earlier patch, version 7.0.3, addressed vulnerabilities found
in QuickTime 6.5.2 and 7.0.1 for the Mac OS X operating system and
some versions running on Windows. One of those flaws allowed a
malicious attacker to launch a denial-of-service attack, while the
other three flaws allowed an attacker to remotely execute code and
take over users' computers.

Apple told CNET News.com that it was not prepared to comment at this
time. Manzuik said that on Monday Apple acknowledged receipt of eEye's
advisory, but gave no indication of when, or if, it plans to patch the
flaw.

"It is something they will undoubtedly have to patch," he added.

