Fwd: QuickTime for Windows ActiveX security advisory

From: Marc Bejarano (beejat_private)
Date: Wed Sep 25 2002 - 11:49:03 PDT


    Looks like you can now just update the ActiveX control (as long as you 
    have QuickTime 3 or newer) instead of upgrading to QuickTime 6.
    
    marc
    =====
    Date: Wed, 25 Sep 2002 09:59:46 -0700
    Subject: QuickTime for Windows ActiveX security advisory
    From: Ron Dumont <rondat_private>
    To: security-announceat_private
    X-Mailer: Apple Mail (2.546)
    X-MIME-Autoconverted: from quoted-printable to 8bit by lists.apple.com
       id g8PH0Wi18452
    Sender: security-announce-adminat_private
    X-BeenThere: security-announceat_private
    X-Mailman-Version: 2.0.13
    List-Unsubscribe: 
    <http://www.lists.apple.com/mailman/listinfo/security-announce>,
    	<mailto:security-announce-requestat_private?subject=unsubscribe>
    List-Id: Product security notifications and announcements from Apple 
    <security-announce.lists.apple.com>
    List-Post: <mailto:security-announceat_private>
    List-Help: <mailto:security-announce-requestat_private?subject=help>
    List-Subscribe: 
    <http://www.lists.apple.com/mailman/listinfo/security-announce>,
    	<mailto:security-announce-requestat_private?subject=subscribe>
    
    -----BEGIN PGP SIGNED MESSAGE-----
    
    Apple Security Advisory APPLE-SA-2002-09-19
    
    Overview
    
    A buffer overflow exists in the ActiveX control distributed in Apple
    QuickTime for Windows Version 5.0.2.  Any user who opens this control in
    Microsoft Windows Internet Explorer or other affected Windows mail
    clients is vulnerable to attack.
    
    QuickTime versions for Mac OS X or Mac OS 9 are not vulnerable.
    
    
    Recommendation
    
    Users and web site administrators running the Windows operating system
    should upgrade to the new version of the ActiveX control as soon as
    possible.  This can be done by either downloading a new ActiveX control,
    or updating to QuickTime 6 which contains a fixed version of the ActiveX
    control.
    
        ActiveX control only:
        http://www.apple.com/quicktime/download/qtcheck/
        This control will work with QuickTime version 3.0 and later.
    
        QuickTime 6 (free update):
        http://www.apple.com/QuickTime/download/
    
    
    Common Vulnerabilities and Exposures (CVE) Information:
    
    The Common Vulnerabilities and Exposures (CVE) project has assigned the
    following identification to this issue.  These are candidates for
    inclusion in the CVE list (http://cve.mitre.org), which standardizes
    names for security problems.
    
       CAN-2002-0376 Apple QuickTime ActiveX v5.0.2 Buffer Overrun
    
    
    Description
    
    QuickTime for Windows version 5.0.2 is distributed with an ActiveX
    control to allow QuickTime movies to be played on versions of Microsoft
    Windows Internet Explorer.  The ActiveX control for QuickTime for
    Windows 5.0.2 has a buffer overflow vulnerability triggered by
    insufficient input validation when parsing the "pluginspage" parameter.
    
    This vulnerability can be exploited by a remote attacker who can induce
    a victim to visit any web site with malicious code offering the
    vulnerable code or executing a control already present on the victim's
    computer.  Also affected are users who open HTML messages in Windows
    mail clients that use Internet Explorer to render HTML and load ActiveX
    controls (e.g., Outlook, Outlook Express, Eudora, etc).  Note that an
    email attack would be rendered harmless if the end user email client
    handled HTML mail in Internet Explorer's Restricted Sites Zone (say by
    having applied the Outlook Email Security Update distributed by
    Microsoft; Outlook Express 6 and Outlook 2002 handle mail in the
    Restricted Site Zone by default).  Mail clients unable to render HTML or
    that do not invoke Internet Explorer are unaffected.
    
    All web content managers who support QuickTime technology and all
    Windows users of Microsoft Internet Explorer are encouraged to upgrade
    to the new ActiveX control or QuickTime Version 6.0 as soon as possible.
    
    
    Solution
    
    Either download the new ActiveX control by itself, or update to
    QuickTime 6:
    
        ActiveX control only:
        http://www.apple.com/quicktime/download/qtcheck/
        This control will work with QuickTime version 3.0 and later.
    
        QuickTime 6 (free update):
        http://www.apple.com/QuickTime/download/
    
    
    Mitigating factors
    
    * In the case of the web-based attack, an attacker would need to force a
    user to visit the attacker's Web site. Users who exercise caution in
    visiting web sites could minimize their risk.
    
    * In the web-based attack, if ActiveX controls have been disabled in the
    zone in which the page was viewed, the vulnerability could not be
    exploited. Users who place untrusted sites in the Restricted Sites zone,
    which disables ActiveX by default, or have disabled ActiveX controls in
    the Internet zone could minimize their risk.
    
    * In the case of HTML email-based attacks, customers who read email in
    the Restricted Sites zone would be protected against attempts to exploit
    this vulnerability. Customers using Outlook 2002 and Outlook Express
    6.0, as well as Outlook 2000 and Outlook 98 customers who have applied
    the Outlook Email Security Update would thus be protected by default.
    Also, Outlook Express 5.0 customers who have chosen to read mail in the
    Restricted Sites zone would be protected by default.
    
    * In the HTML email-based attack, Outlook 2002 customers who have
    enabled the "Read as Plain Text" option available in SP1 or later would
    also be protected.
    
    
    Further information
    
    Are there any caveats associated with the patch?
    
    Yes. Customers should be aware that although the vulnerabilities here
    involve an ActiveX control, the patch does not set the Kill Bit.
    
    What's an ActiveX control?
    
    ActiveX controls are small, single-purpose programs that can be called
    by programs and web pages. ActiveX allows a programmer to write a piece
    of software one time, and make its functionality available to other
    programs that may need it.
    
    What's the "Kill Bit"?
    
    The Kill Bit is a method by which an ActiveX control can be prevented
    from ever being invoked via Internet Explorer, even if it's present on
    the system. (More information on the Kill Bit is available in Microsoft
    Knowledge Base article Q240797). Typically, when a security
    vulnerability involves an ActiveX control, the patch delivers a new
    control and sets the Kill Bit on the vulnerable control. However, it
    isn't feasible to do so in this case.
    
    Why isn't it feasible to set the Kill Bit in this case?
    
    The Kill bit is currently implemented in Windows as an "all or nothing"
    switch.  Setting the Kill bit will totally disable your ability to use
    QuickTime in media which invokes it via the ActiveX control.  This
    includes millions of web pages, along with many CDs and DVDs.  By
    design, the Web pages, CDs and DVDs contain hard-coded references to the
    ActiveX control to load QuickTime.  The QuickTime content on these web
    pages, CDs and DVDs would no longer be accessible.  As a result, a new
    ActiveX control is provided to remove the vulnerabilities, but the Kill
    Bit is not set on the old one.
    
    Will the Kill Bit on this control be eventually set?
    
    Yes. Microsoft is developing a new technology that will enable it to set
    the Kill Bit on the vulnerable version of the control without forcing
    users to re-author web pages containing references to these controls.
    When the new technology is available, we'll provide a QuickTime update
    that makes use of it.
    
    
    References
    
        http://www.apple.com/QuickTime/download/
        http://www.apple.com/quicktime/download/qtcheck/
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0376
        http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q240797
        http://support.microsoft.com/default.aspx?scid=kb;en-us;Q154850&FR=1
    
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.0.3
    
    iQEVAwUBPZHqmSFlYNdE6F9oAQFOwAf/Ywf+cZZVp9Q4N3xJnP5x8HQ6HYh8je9E
    jGCVB4jlTAaJp49dY9K/4JXaOIp358uqvDMzOcJPlXyTwRJb3aDytFzXs0sek3vK
    aAK0ltFUjEYM3fNwBv8KJoBpdxToe9C+dzswitootZWUTZK4CnisG61GrVcHpIGc
    7hPkBDUepSwscnci8PmzYxCo6kWXvL4rMhVcUDA4dfQLslwnLlASXtN1sAeyOPus
    jpUT7Vj6lTrdbFSMrbBJbQXajXKBm0coF4g/c+JzYm/uV8GnQ4FD1LwN8oLkBC4c
    ogLSm52By9VREUHOaKIgg6Txp0nJVQbuQE68536yUDNe6qgJSCQZPQ==
    =JSPS
    -----END PGP SIGNATURE-----
    _______________________________________________
    security-announce mailing list | security-announceat_private
    Help/Unsubscribe/Archives: 
    http://www.lists.apple.com/mailman/listinfo/security-announce
    Do not post admin requests to the list. They will be ignored.
    
    
    ===== 
    
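The advisory's mitigating factors and its Kill Bit discussion both come down to a few registry settings that an administrator can audit. The PowerShell below is an added example written for this archive page; it is not part of Marc's mail, of Apple's advisory, or of any Apple or Microsoft tool. It reports the "Run ActiveX controls and plug-ins" setting for the Internet and Restricted Sites zones (the settings the advisory says reduce exposure) and checks whether the Kill Bit (Compatibility Flags 0x400, the mechanism described in KB Q240797) is set on a control. The CLSID used is a placeholder, since the advisory does not publish the QuickTime control's CLSID; the Set-KillBit function is included only to show how the bit is applied, and, as the advisory explains, applying it to the QuickTime control would also disable legitimate QuickTime content that references the control.

```powershell
# Added example (not from the advisory or from Apple/Microsoft).
# Audits the two registry-level controls the advisory discusses:
#   1. the per-zone "Run ActiveX controls and plug-ins" setting
#      (value name 1200 under each zone key: 0 = enable, 1 = prompt, 3 = disable);
#   2. the Kill Bit (bit 0x400 of "Compatibility Flags") for a control CLSID,
#      as documented in Microsoft KB Q240797.

$ZoneKeyRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$KillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBitFlag = 0x400          # Compatibility Flags bit that marks a control as killed

function Get-ActiveXZoneSetting {
    # Zone 3 = Internet, Zone 4 = Restricted Sites.
    param([int]$Zone)
    $key = Join-Path $ZoneKeyRoot $Zone
    $raw = (Get-ItemProperty -Path $key -Name '1200' -ErrorAction SilentlyContinue).'1200'
    switch ($raw) {
        0       { 'Enabled' }
        1       { 'Prompt' }
        3       { 'Disabled' }
        default { "Unknown ($raw)" }   # key or value missing, or a non-standard value
    }
}

function Test-KillBit {
    # Returns $true when the Kill Bit is set for the given CLSID.
    param([string]$Clsid)
    $key = Join-Path $KillBitRoot $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return [bool]($flags -band $KillBitFlag)
}

function Set-KillBit {
    # Sets the Kill Bit while preserving any other Compatibility Flags bits.
    # Writes to HKLM, so it needs an elevated shell.
    param([string]$Clsid)
    $key = Join-Path $KillBitRoot $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($current -bor $KillBitFlag) -Type DWord
}

# PLACEHOLDER CLSID: the advisory does not give the QuickTime control's CLSID.
$PlaceholderClsid = '{00000000-0000-0000-0000-000000000000}'

"Internet zone ActiveX:         $(Get-ActiveXZoneSetting -Zone 3)"
"Restricted Sites zone ActiveX: $(Get-ActiveXZoneSetting -Zone 4)"
"Kill Bit set on $PlaceholderClsid : $(Test-KillBit -Clsid $PlaceholderClsid)"
```

On a default install the Internet zone reports Enabled and Restricted Sites reports Disabled, which is why the advisory's advice to read mail or view untrusted pages in the Restricted Sites zone removes the exposure without touching the control itself. Zone settings pushed by policy live under the same path in HKLM rather than HKCU, so a domain-managed machine may need both hives checked.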



    This archive was generated by hypermail 2b30 : Wed Sep 25 2002 - 13:17:10 PDT