Home

Apple QuickTime Code Execution

Notification Type:	IBM Internet Security Systems Protection Advisory
Notification Date:	May 29, 2007
Notification Version:	1.0

Name:	Apple QuickTime Code Execution
Public disclosure/ In the wild date:	May 29, 2007 (vuln disclosure)
CVE:	CVE-2007-2388
Description:	X-Force is currently tracking a vulnerability in Apple QuickTime for Java that could allow a remote attacker to execute arbitrary code on the system. This vulnerability is similar in nature to CVE-2007-2175, but accessed via different methods and was not patched by Apple's Quicktime 7.1.6 Update.
Discoverers	John McDonald, Paul Griswold, and Tom Cross, researchers for IBM ISS X-Force

ISS Coverage

Product	Content Version
Network Sensor 7.0 Proventia A Proventia IPS (G/GX) Server Sensor 7.0 Proventia Multifunction Appliance Proventia Server (Linux)	27.010
Proventia Server (Windows) Proventia Desktop	x.x.x.2020
RealSecure Desktop 7.0	EQH
BlackICE PC Protection 3.6	CQH

Propagation Techniques	ISS Protection	Available
remote exploit	HTTP_QuickTime_Java_Code_Exec	May 8, 2007

Detailed Description

Business Impact:	Apple QuickTime versions 7.1.6 and earlier expose a vulnerability related to Java handling. If Java and Quicktime are enabled in the browser, a remote attacker could create a specially-crafted QuickTime for Java file that could execute arbitrary code on the system. This exploit requires the victim to run a malicious Java application or visit a Web site hosting a specially-crafted applet.
CVSS:	Base Score:		8
		Access Vector:	Remote
		Access Complexity:	High
		Authentication:	Not Required
		Confidentiality Impact:	Complete
		Integrity Impact:	Complete
		Availability Impact:	Complete
		Impact Bias:	Normal
	Adjusted Temporal Score:		5.9
		Exploitability:	Unproven
		Remediation Level:	Workaround
		Report Confidence:	Confirmed
Affected Products:	QuickTime: Any version prior to 7.1.6
Technical Description:	Apple QuickTime for Java extends media handling capability to Java application developers. Vulnerabilities exist in some of the methods available to developers which use JNI to call into native code. These methods allow for traditional memory corruption that is not typically possible through Java. The most likely attack vector would come in the form of a malicious web site hosting a specially-crafted QuickTime for Java applet. We have seen this type of vulnerability leveraged in the past as a malware dropper.
Remediation:	Disabling Java in the browser will prevent the exploitation of this vulnerability. On Windows systems, renaming QTJavaNative.dll and QTJava.dll in the C:\Program Files\QuickTime\QTSystem\ directory does prevent the attacks from working, but otherwise appears to leave QuickTime unaffected. Users should be careful not to allow the instatiation of Java applets from untrusted sources. See References for Apple's patch.

References

XFDB	http://xforce.iss.net/xforce/xfdb/34452
Apple	http://docs.info.apple.com/article.html?artnum=305531

Revision History

1.0	Initial publication.

About IBM Internet Security Systems
IBM Internet Security Systems is the trusted security advisor to thousands of the world's leading businesses and governments, providing pre-emptive protection for networks, desktops and servers. An established leader in security since 1994, the IBM Proventia® integrated security platform is designed to automatically protect against both known and unknown threats, helping to keep networks up and running and shielding customers from online attacks before they impact business assets. IBM Internet Security Systems products and services are based on the proactive security intelligence of its X-Force® research and development team – the unequivocal world authority in vulnerability and threat research. The Internet Security Systems product line is also complemented by comprehensive Managed Security Services and Professional Security Services. For more information, visit the Internet Security Systems Web site at www.iss.net or call 800-776-2362.