Proventia Desktop, Proventia Network IPS, Proventia Server IPS for Linux technology, RealSecure Desktop, RealSecure Server Sensor, RealSecure Network, BlackICE Server Protection, BlackICE PC Protection, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Server Protection for Windows, Proventia Network MFS, Virtual Server Protection for VMware:
This signature detects an attempt to call QuickTime Java code from within a Java bytecode object.
Proventia Desktop, Proventia Network IPS, Proventia Server IPS for Linux technology, RealSecure Server Sensor, RealSecure Network, BlackICE Server Protection, BlackICE PC Protection, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Server Protection for Windows, Proventia Network MFS, Virtual Server Protection for VMware: This signature triggers when QuickTime Java code is referenced from within a Java bytecode object. It is possible, however, that the QuickTime code is never executed, which would result in a false positive.
High
Proventia Desktop: 2020, Proventia Network IPS: XPU 27.010, Proventia Server IPS for Linux technology: 27.010, RealSecure Desktop: eqh, RealSecure Server Sensor: XPU 27.010, RealSecure Network: XPU 27.010, BlackICE Server Protection: 3.6.cqh, BlackICE PC Protection: 3.6cqh, Proventia-G 1.1 and earlier: XPU 27.010, Proventia Network IDS: XPU 27.010, IBM Security Server Protection for Windows: 2.1.14.2400, IBM Security Server Protection for Windows: 1.0.914.2020, Proventia Network MFS: XPU 27.010, Virtual Server Protection for VMware: 1.0
Apple QuickTime: 7.0.1, Apple QuickTime: 7.0.3, Apple QuickTime: 7.1.3, Apple QuickTime: 7.0, Apple QuickTime: 7.0.2, Apple QuickTime: 7.0.4, Apple QuickTime: 7.0.8, Apple QuickTime: 7.1, Apple QuickTime: 7.1.1, Apple QuickTime: 7.1.2, Apple QuickTime: 7.1.4, Apple QuickTime: 7.1.5
Unauthorized Access Attempt
Apple QuickTime could allow a remote attacker to execute arbitrary code on the system, caused by a vulnerability in the toQTPointer() function in the QuickTime Java extensions (QTJava.dll). By persuading a victim to visit a malicious Web page using the Safari, Internet Explorer, or Firefox Web browsers, a remote attacker could exploit this vulnerability to overwrite memory and execute arbitrary code on the system.
Apply the Apple QuickTime 7.1.6 update. See References.
Matasano Chargen Blog, April 23, 2007
BREAKING: MacBook Vuln In Quicktime, Affects Win32 Apple Code
http://www.matasano.com/log/812/breaking-macbook-vuln-in-quicktime-affects-win32-apple-code/
Apple QuickTime Web site
Apple - QuickTime
http://www.apple.com/quicktime/win.html
Apple QuickTime 7.1.6 update
About the security content of QuickTime 7.1.6
http://docs.info.apple.com/article.html?artnum=305446
ZDI-07-023
Apple QTJava toQTPointer() Pointer Arithmetic Memory Overwrite Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-07-023.html
IBM Internet Security Systems Protection Alert, May 1, 2007
Apple QuickTime Code Execution
http://www.iss.net/threats/261.html
ISS X-Force
Apple QuickTime Java toQTPointer() code execution
http://www.iss.net/security_center/static/33827.php
CVE
CVE-2007-2175
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2175