Apple QuickTime Code Execution

Notification Type: IBM Internet Security Systems Protection Alert
Notification Date: May 1, 2007
Notification Version: 1.2
   
Name: Apple QuickTime Code Execution
Public disclosure/In the wild date: April 23, 2007 (vuln disclosure)
Description: X-Force is currently tracking a vulnerability in Apple QuickTime for Java that could allow a remote attacker to execute arbitrary code on the system.

 

ISS Coverage

Product                              Content Version
Network Sensor 7.0                   27.010
Proventia A                          27.010
Proventia IPS (G/GX)                 27.010
Server Sensor 7.0                    27.010
Proventia Multifunction Appliance    27.010
Proventia Server (Linux)             27.010
Proventia Server (Windows)           x.x.x.2020
Proventia Desktop                    x.x.x.2020
RealSecure Desktop 7.0               EQH
BlackICE PC Protection 3.6           CQH

Propagation Techniques    ISS Protection                   Available
remote exploit            HTTP_QuickTime_Java_Code_Exec    May 8, 2007

Detailed Description

Business Impact: A vulnerability related to Java handling in Apple QuickTime could allow a remote attacker to execute arbitrary code on the system. If Java and QuickTime are enabled in the browser, a remote attacker could exploit this vulnerability with a specially crafted QuickTime file to execute arbitrary code on the system or cause the browser to crash, provided the attacker can persuade the victim to view the malicious file or visit a malicious Web site.
CVSS:
  Base Score: 8
    Access Vector: Remote
    Access Complexity: High
    Authentication: Not Required
    Confidentiality Impact: Complete
    Integrity Impact: Complete
    Availability Impact: Complete
    Impact Bias: Normal
  Adjusted Temporal Score: 7.2
    Exploitability: Functional
    Remediation Level: Workaround
    Report Confidence: Confirmed
Affected Products:

 QuickTime: Any version prior to 7.1.6

Technical Description:

Apple QuickTime for Java extends media handling capability to Java application developers.  Vulnerabilities exist in some of the methods available to developers which use JNI to call into native code.  These methods allow for traditional memory corruption that is not typically possible through Java.

The most likely attack vector would come in the form of a malicious web site hosting a specially crafted QuickTime for Java applet.  We have seen this type of vulnerability leveraged in the past as a malware dropper.

Remediation:

Disabling Java in the browser will prevent the exploitation of this vulnerability.

On Windows systems, renaming QTJavaNative.dll and QTJava.dll in the C:\Program Files\QuickTime\QTSystem\ directory prevents the attacks from working and otherwise appears to leave QuickTime unaffected.
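
The following PowerShell function is an added example, not part of the original alert or any ISS or Apple tooling. It reports whether the two DLLs named above are still present and, with -Apply, renames them. The function name, its parameters and the ".disabled" suffix are assumptions made for this example; the directory and file names are the ones given in the alert.

```powershell
# Added example: audit (and optionally apply) the DLL-rename workaround.
# Directory and DLL names come from the alert; the function name, parameters
# and the '.disabled' suffix are assumptions made for this example.
function Invoke-QTJavaWorkaround {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$QTSystemPath = 'C:\Program Files\QuickTime\QTSystem',
        [string]$Suffix = '.disabled',
        [switch]$Apply
    )

    foreach ($name in 'QTJavaNative.dll', 'QTJava.dll') {
        $file    = Join-Path $QTSystemPath $name
        $renamed = "$file$Suffix"
        $version = $null

        if (Test-Path -LiteralPath $file -PathType Leaf) {
            # The DLL is still under its original name, so the workaround is not in place.
            $state   = 'Exposed'
            $version = (Get-Item -LiteralPath $file).VersionInfo.FileVersion
            if ($Apply -and $PSCmdlet.ShouldProcess($file, "Rename to $name$Suffix")) {
                try {
                    # Fails without write access or if the target name already exists.
                    Rename-Item -LiteralPath $file -NewName "$name$Suffix" -ErrorAction Stop
                    $state = 'Renamed'
                } catch {
                    $state = "RenameFailed: $($_.Exception.Message)"
                }
            }
        } elseif (Test-Path -LiteralPath $renamed -PathType Leaf) {
            $state   = 'AlreadyRenamed'
            $version = (Get-Item -LiteralPath $renamed).VersionInfo.FileVersion
        } else {
            # Neither name exists: QuickTime for Java is not installed at this path.
            $state = 'NotPresent'
        }

        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            File        = $file
            State       = $state
            FileVersion = $version
        }
    }
}

# Report only; add -Apply (from an elevated prompt) to rename the DLLs.
Invoke-QTJavaWorkaround | Format-Table -AutoSize
```

Browser processes that already loaded the DLLs keep them mapped until they are restarted, so restart the browser after applying the rename.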

Users should be careful not to allow the instantiation of Java applets from untrusted sources.

See References for Apple's patch.

References

XFDB http://xforce.iss.net/xforce/xfdb/33827
Apple http://docs.info.apple.com/article.html?artnum=305446

Revision History

1.0 Initial publication.
1.1 Product coverage
1.2 Corrected Apple link.

