n.runs-SA-2008.003 Quicktime - Arbitrary Code Execution Advisory
n.runs AG
http://www.nruns.com
security(at)nruns.com
Advisory ID: n.runs-SA-2008.003
Date: 16-Jul-2008
* * *
Vendor: Apple Inc., http://www.apple.com
Affected Products: QuickTime versions previous to 7.5
Affected Platforms: Mac OS X v10.3.9, Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2
Vulnerability: Arbitrary Code Execution (remote)
Risk: CRITICAL
Vendor communication:
2008/03/07 initial notification to Apple Inc. that n.runs AG has
found a considerable number of vulnerabilities in Apple's
most up-to-date default systems and default installed
products, both on Mac OS 10.5 (Leopard) and iPhone 1.1.4,
and that n.runs AG intends to send them in phases
to Apple Inc.
2008/03/08 Apple Inc. replies to n.runs AG including their public
PGP key and intends to use the Apple Inc. RFP instead of
the n.runs RFP
2008/03/08 n.runs AG replies that vulnerability reporting will only
happen under the n.runs AG RFP
2008/03/11 Apple Inc. communicates to n.runs AG that the n.runs AG RFP
is aligned with their RFP, so both parties may continue with
further communication and bug reporting
2008/03/11 n.runs sends PoCs for various issues to Apple Inc.
2008/03/11 Apple Inc. validates the PoCs and reports that it has
trouble reproducing some of them.
2008/03/12 n.runs AG sends more reliable PoCs and the steps to
follow in order to reproduce the issues
2008/03/24 Apple Inc. sends a status report regarding the
vulnerabilities reported by n.runs AG
2008/03/30 n.runs AG thanks Apple Inc. for the status update and
apologizes for not being more responsive during the
CanSecWest time frame
2008/03/31 Apple Inc. sends a second status update and provides
the link where the credits will appear:
http://support.apple.com/kb/HT1222
2008/04/01 n.runs AG thanks for the update and sends a second pack
of vulnerability PoCs, based on the good and fluent
communication that n.runs AG has had with Apple Inc.
up to that moment
2008/04/01 Apple Inc. thanks n.runs AG for the new PoCs, validates
them and includes a status report stating that some of
the issues reported were known to them and/or discovered
internally prior to n.runs AG's report. They also inform
that they added Sergio's name and company into their
system for tracking credit information for each of the
security issues, provide the Radar numbers assigned to
each of them, and report some reproduction issues.
2008/04/01 n.runs AG thanks for the quick response and also
clarifies that n.runs AG expects, as described in the
RFP, to be credited for all the vulnerabilities reported
to Apple Inc. that affect the most up-to-date products
available to the public, regardless of whether they are
internally known to Apple Inc.
2008/04/03 Apple Inc. replies: "Yes, that's our policy: all
reporters of security bugs that were not publicly known
get credit."
2008/05/23 n.runs AG reports another vulnerability and requests a
status update for the previously reported
vulnerabilities.
2008/05/29 Apple Inc. sends a status report and asks how n.runs AG
would like to be credited, if there is some specific
format.
2008/05/29 n.runs AG thanks and sends the requested information
to Apple Inc.
2008/05/31 Apple Inc. sends the status report for the last issue
reported to them and the Radar number assigned to it.
2008/07/10 n.runs AG requests a status update for the issues
reported to Apple Inc.
2008/07/11 Apple Inc. sends the status report and "informs
n.runs AG that some of the vulnerabilities had already
been fixed and that the update was released some time
ago and that one of them was found through internal
security testing and was not correlated to n.runs AG's
report, that they would fix that, and requests the
format for the credits that n.runs AG would like
to have."
2008/07/13 n.runs AG replies the following: "As I said and you
agreed in my first mails, before sending any of my
findings, whether you found them internally or if somebody
else reported the same bugs that I'm reporting, you
(Apple) have to credit me for my findings for the simple
reason that I'm reporting them to you instead of
releasing them to the public while the bugs are not
fixed. That said, I've checked all the credits given
in "iPhone 2.0 and iPod touch 2.0"
(http://support.apple.com/kb/HT2351) and the ones given
in "QuickTime 7.5" http://support.apple.com/kb/HT1991,
and I haven't been credited in any of them. This is a
clear violation of our RFP. If by Monday 14.July.2008
the proper credits are not given to me, I'll release all
the vulnerabilities and bugs that I've reported to you
and also the ones I didn't report yet by
Tuesday 15.July.2008."
2008/07/15 Apple Inc. asks n.runs AG not to make our findings
public and also publishes the credits for one of the
issues reported.
2008/07/16 n.runs AG releases this advisory
Overview:
QuickTime is a multimedia framework developed by Apple Inc., capable of handling various formats of digital video, media clips, sound, text, animation, music and several types of interactive panoramic images. Available for Classic Mac OS, Mac OS X and Microsoft Windows operating systems, it provides essential support for software packages including iTunes, QuickTime Player (which can also serve as a helper application for web browsers to play media files that might otherwise fail to open) and Safari.
Description:
A remotely exploitable vulnerability has been found in the file parsing engine. In detail, the following flaw was determined:
- A sign extension issue in QuickTime's handling of PICT images that leads to a heap buffer overflow.
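The bug class named above, as an added illustration that is not QuickTime's code and does not use the real PICT format: a made-up image record carries a 16-bit row byte count, the vulnerable reader widens it through a signed 16-bit type so a count with the top bit set becomes negative, slips past a "too large" check, and is then cast to size_t for the copy, which is how a sign extension turns into a heap buffer overflow. The hardened reader zero-extends the count and checks it against both the destination buffer and the bytes actually present in the input. The record layout, the constant ROW_BUF_SIZE and the sample records are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not QuickTime code. Record layout constructed for this
 * illustration (not the real PICT format):
 *   bytes 0-1 : big-endian 16-bit row byte count
 *   bytes 2.. : row pixel data
 */
#define ROW_BUF_SIZE 64   /* destination buffer size, an int on purpose (see below) */

/* Big-endian 16-bit reads. The signed variant is the defect: a count in the
 * range 0x8000..0xFFFF comes back negative and is sign-extended when widened. */
static int16_t read_s16_be(const uint8_t *p)
{
    return (int16_t)(((unsigned)p[0] << 8) | p[1]);
}

static uint16_t read_u16_be(const uint8_t *p)
{
    return (uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

/* Vulnerable pattern: 0xFFF0 is read as int16_t -16 and widened to int -16.
 * "rowbytes > ROW_BUF_SIZE" is false for a negative value, so the check is
 * bypassed, and the cast to size_t turns -16 into a copy length close to
 * SIZE_MAX, i.e. a heap buffer overflow when handed to memcpy.
 * Returns the length that would be passed to memcpy, or 0 when rejected. */
size_t vulnerable_copy_len(const uint8_t *hdr)
{
    int rowbytes = read_s16_be(hdr);
    if (rowbytes > ROW_BUF_SIZE)    /* -16 > 64 is false: check bypassed */
        return 0;
    return (size_t)rowbytes;        /* -16 becomes SIZE_MAX - 15 */
}

/* Hardened pattern: zero-extend the 16-bit count, check it against the
 * destination buffer AND against the bytes actually present in the record,
 * then copy. Returns the number of bytes copied, or -1 for a malformed record. */
int hardened_parse_row(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_len)
{
    if (rec_len < 2)
        return -1;
    uint32_t rowbytes = read_u16_be(rec);   /* 0xFFF0 stays 65520, never negative */
    if (rowbytes > out_len)                 /* would overflow the destination */
        return -1;
    if (rowbytes > rec_len - 2)             /* would read past the end of the input */
        return -1;
    memcpy(out, rec + 2, rowbytes);
    return (int)rowbytes;
}

/* Constructed sample records. */
static const uint8_t kBenignRecord[]   = { 0x00, 0x04, 0x11, 0x22, 0x33, 0x44 };
static const uint8_t kNegativeRecord[] = { 0xFF, 0xF0, 0x11, 0x22, 0x33, 0x44 };
static const uint8_t kShortRecord[]    = { 0x00, 0x10, 0x11, 0x22 }; /* claims 16 bytes, carries 2 */

int main(void)
{
    uint8_t out[ROW_BUF_SIZE];
    printf("vulnerable, benign header : copy %zu bytes\n", vulnerable_copy_len(kBenignRecord));
    printf("vulnerable, 0xFFF0 header : copy %zu bytes\n", vulnerable_copy_len(kNegativeRecord));
    printf("hardened,   benign record : %d\n",
           hardened_parse_row(kBenignRecord, sizeof kBenignRecord, out, sizeof out));
    printf("hardened,   0xFFF0 record : %d\n",
           hardened_parse_row(kNegativeRecord, sizeof kNegativeRecord, out, sizeof out));
    printf("hardened,   short record  : %d\n",
           hardened_parse_row(kShortRecord, sizeof kShortRecord, out, sizeof out));
    return 0;
}
```

The detail worth remembering from the vulnerable half is that the comparison looks correct when read in isolation; the defect lives in the type of the variable the length was parsed into. Reviewing parsers for width-changing conversions on attacker-controlled lengths, and checking lengths against the remaining input as well as the output buffer, is what catches this class before a crafted file does.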
Impact:
This problem can lead to remote arbitrary code execution if an attacker carefully crafts a file that exploits the aforementioned vulnerability. The vulnerability is present in the Apple QuickTime software mentioned above, on all platforms supported by the affected products and in all products that use the APIs exposed by its library, prior to Apple QuickTime version 7.5.
Solution:
The vulnerability was reported on 01.Apr.2008 and Apple QuickTime version 7.5 has been released to fix this vulnerability. For detailed information about the fixes, follow the link in the References [1] section of this document.
Credit:
Bugs found by Sergio Alvarez of n.runs AG.
Unaltered electronic reproduction of this advisory is permitted. For all other reproduction or publication, in printing or otherwise, contact security@nruns.com for permission. Use of the advisory constitutes acceptance for use in an "as is" condition. All warranties are excluded. In no event shall n.runs be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if n.runs has been advised of the possibility of such damages.
Copyright 2008 n.runs AG. All rights reserved. Terms of use apply.