Topic: Extreme Vulnerability in Apple Quicktime
Wiz Feinberg


From:
Mid-Michigan, USA
Posted 6 Jan 2007 11:00 pm

Source: http://www.kb.cert.org/vuls/id/442497

Apple QuickTime RTSP buffer overflow

Overview
Apple QuickTime may allow remote arbitrary code to be executed via a long src parameter in RTSP URL strings.

I. Description
A vulnerability exists in the way Apple QuickTime handles specially crafted Real Time Streaming Protocol (RTSP) URL strings. An attacker may be able to craft a QTL file to take advantage of this vulnerability. However, there are other attack vectors that do not involve QTL files. According to MOAB-01-01-2007:

By supplying a specially crafted string (rtsp:// [random] + semicolon + [299 bytes padding + payload]), an attacker could overflow a stack-based buffer, using either HTML, Javascript or a QTL file as attack vector, leading to an exploitable remote arbitrary code execution condition.

Note that since QuickTime is a component of Apple iTunes, iTunes installations are also affected by this vulnerability. We are aware of publicly available proof-of-concept code that exploits this vulnerability.

II. Impact
A remote, unauthenticated attacker may be able to execute arbitrary code or cause a denial of service.

III. Solution
We are unaware of a solution to this problem. Until a solution becomes available the following workarounds are strongly encouraged:

Disable the QuickTime ActiveX controls in Internet Explorer

The vulnerable QuickTime ActiveX controls can be disabled in Internet Explorer by setting the kill bit for the following CLSIDs:

{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
{4063BE15-3B08-470D-A0D5-B37161CFFD69}

More information about how to set the kill bit is available in Microsoft Support Document 240797. Alternatively, the following text can be saved as a .REG file and imported to set the kill bit for these controls:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4063BE15-3B08-470D-A0D5-B37161CFFD69}]
"Compatibility Flags"=dword:00000400

Disable the QuickTime plug-in for Mozilla-based browsers

Users of Mozilla-based browsers, such as Firefox, can disable the QuickTime plugin, as specified in the PluginDoc article Uninstalling Plugins.

Disable file association for QuickTime files

Disable the file association for QuickTime file types to help prevent Windows applications from using Apple QuickTime to open QuickTime files. This can be accomplished by deleting the following registry keys:

HKEY_CLASSES_ROOT\QuickTime.*

This will remove the association for approximately 32 file types that are configured to open with the QuickTime Player software.

Do not access QuickTime files from untrusted sources

Attackers may host malicious QuickTime files on web sites. In order to convince users to visit their sites, those attackers often use a variety of techniques to create misleading links including URL encoding, IP address variations, long URLs, and intentional misspellings. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.

The vulnerability is confirmed in version 7.1.3.100 (Windows version) and reportedly affects both Microsoft Windows and Mac OS X versions.

References

http://www.cert.org/tech_tips/securing_browser/
http://projects.info-pull.com/moab/MOAB-01-01-2007.html
http://secunia.com/advisories/23540/
http://www.securityfocus.com/bid/21829
http://plugindoc.mozdev.org/faqs/uninstall.html
http://support.microsoft.com/kb/240797
_________________
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog


Last edited by Wiz Feinberg on 15 Jan 2007 11:47 am; edited 1 time in total
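
As an added example (not part of the advisory or of the original post), a defensive content check for the pattern the quoted MOAB description names: an rtsp:// URL with an over-long run of bytes after a semicolon, in HTML, JavaScript or a QTL file. The 256-byte threshold, the function names and the sample data are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Assumed threshold, not from the advisory: the quoted description mentions
# 299 bytes of padding after the semicolon, so flag anything approaching that.
MAX_TAIL = 256

# An rtsp:// URL as it appears in HTML, JavaScript or a QTL file: it runs
# until whitespace, a quote or an angle bracket.
RTSP_RE = re.compile(rb"rtsp://[^\s\"'<>]+", re.IGNORECASE)


def suspicious_rtsp_urls(data: bytes, max_tail: int = MAX_TAIL):
    """Return [(url_before_semicolon, tail_length)] for over-long rtsp URLs."""
    hits = []
    for match in RTSP_RE.finditer(data):
        # Decode %XX first so percent-encoding cannot hide the ';' or the length.
        url = unquote_to_bytes(match.group(0))
        head, sep, tail = url.partition(b";")
        if sep and len(tail) > max_tail:
            hits.append((head.decode("latin-1"), len(tail)))
    return hits


# Constructed samples (not real captures); hostnames are placeholders.
SAMPLES = {
    "plain.html": b'<embed src="rtsp://media.example/clip.mov">',
    "params.qtl": b'<embed src="rtsp://media.example/clip;track=1" />',
    "long.qtl": b'<embed src="rtsp://media.example/x;' + b"A" * 300 + b'" />',
    "encoded.html": b"<a href='rtsp://media.example/y%3B" + b"%41" * 300 + b"'>",
}


def scan(samples=SAMPLES):
    """Map each sample name to its findings, omitting clean samples."""
    report = {}
    for name, data in samples.items():
        hits = suspicious_rtsp_urls(data)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in scan().items():
        for head, tail_len in hits:
            print(f"{name}: {head} has {tail_len} bytes after ';'")
```

This is a heuristic for mail or web content filtering; it does not replace the kill-bit and plug-in workarounds listed in the advisory.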

Bill Llewellyn


From:
San Jose, CA
Posted 13 Jan 2007 8:24 pm

Is this an issue for Macs and PCs both?

Wiz Feinberg


From:
Mid-Michigan, USA
Posted 13 Jan 2007 10:32 pm

Both

Rick Batey

 

Posted 14 Jan 2007 3:36 am

Wiz, I was under the impression this vulnerability only applies to the latest QuickTime 7.1.3, is that right?

Link to Information Week article

Jack Stoner


From:
Kansas City, MO
Posted 14 Jan 2007 5:27 am

I only use the Quicktime Alternative program - not the full QT that can be buggy and also a bear to tame on your PC.

Lou[NE]


From:
Weston, NE USA
Posted 14 Jan 2007 4:12 pm

Jack, what is the QT alternative you use? QT works on other PCs in the house, but not on mine. Video and audio are played in fits and starts, with dropouts in between. Other video formats play just fine, but not QuickTime.

Thanks,

Lou

Brint Hannay

 

From:
Maryland, USA
Posted 14 Jan 2007 10:08 pm

I'm afraid that first post is entirely incomprehensible to me. But maybe something I should be concerned about. Can someone put it in something more like layman's English? I have a PC, Windows XP, and use Firefox as my browser. Audio and video items on websites sometimes play in Quicktime, sometimes in other--what?--formats?--programs? What the heck is "Quicktime"? Sometimes an audio or video item will be preceded by a "Q" logo, and then the "control bar" (I don't know what to call it) will show in the middle of a white screen, with the ball moving left to right, but with no audio or video content showing up, or zipping immediately from left to right with a "whoosh" sound, again with no audio or video content showing up. Sometimes an information window pops up that says "Quick Time is missing such-and-such and is unable to play the file, and unfortunately the such-and-such is not available on the QuickTime server".
Does any of this relate to the problem(s) mentioned? There doesn't ever seem to be any advance information as to whether an item will play in QuickTime or whatever--I only find out after selecting the item. Is QuickTime just bad news in general? Or what steps can be taken to avoid the hazards? If they can be stated in ordinary English.

Jack Stoner


From:
Kansas City, MO
Posted 15 Jan 2007 3:03 am

Lou, here is the link

http://www.free-codecs.com/download/QuickTime_Alternative.htm

Wiz Feinberg


From:
Mid-Michigan, USA
Posted 15 Jan 2007 11:44 am

Brint Hannay wrote:
I'm afraid that first post is entirely incomprehensible to me. But maybe something I should be concerned about. Can someone put it in something more like layman's English? I have a PC, Windows XP, and use Firefox as my browser. Audio and video items on websites sometimes play in Quicktime, sometimes in other--what?--formats?--programs? What the heck is "Quicktime"?
<snip>
Does any of this relate to the problem(s) mentioned?

Brint;
QuickTime is a media player owned and distributed by Apple, Inc. and is the default media player on Macintosh computers. It used to only play Apple's own media file types, like .mov, .qt, and others. However, several years ago they decided to take on Microsoft by adding so-called "codecs" (decoders for various audio and video file types, or 'formats') to the Quicktime list of file-types it can recognize and play, including .mid and .mp3. Those file types are normally played by Windows Media Player, on PCs. But, once you install the QuickTime player "browser plug-in" it will steal the association for those files for its own use. Even if you try to reconfigure Windows Media Player to play mp3s Quicktime finds a way to grab them back. Also, if memory serves me correctly, once Quicktime Player is installed as a browser plugin, anytime you click on an mp3 or midi file Quicktime plays it in a separate webpage, leaving the original page behind. You have to use the Back button to return to the page from whence you came. This is why I and many other members here refuse to allow Quicktime onto our computers.

The vulnerability I posted about affects the Quicktime player if you are suckered into visiting a webpage which has been rigged with hostile media files that take advantage of that vulnerability. If you avoid those websites you are probably not going to be affected, but how does one know which sites are safe, and which are not? My advice is this: if you choose to use the Apple Quicktime Player on your computer, be sure to visit Apple.com and find the Quicktime page, then download and install the newest version and confirm that it is installed correctly. Then reboot the computer and test the installation on the Apple QuickTime webpage.

It is always a good idea to uninstall Quicktime and Flash players before upgrading to a new version, to get rid of any vulnerable files that might be left behind during the upgrade.

The alternative player that Jack referred to does not have the bad behaviour of the Apple product. It uses a device called Media Player Classic to play back files that would normally require QuickTime, or Real Player, as well as handling Windows Media files. You can configure it to only open the files you want it to play back, and it will not try to steal other associations from your chosen default media players.

Brint Hannay

 

From:
Maryland, USA
Posted 15 Jan 2007 12:17 pm

Wiz, I don't recall ever having chosen to have Quicktime, though I may have done so if prompted when I was an absolute novice with the computer a year and a half ago.
At this point my questions would be: Should I uninstall Quicktime, using the uninstall option in my All Programs list? Will that get rid of it? And if so, will I lose the ability to play the stuff that's been playing in Quicktime? Will I need to download some other alternative player that I don't have now, and if so, which is good? (I have Windows Media Player and RealPlayer in some form or other now).
A different but maybe related question: My computer refuses to download video clips that have filenames ending in .avi. (It will play them). How come?
Thanks for your help to a computer dunce.

Wiz Feinberg


From:
Mid-Michigan, USA
Posted 15 Jan 2007 1:56 pm    Didn't choose to have QuickTime

Brint;
QuickTime Player was probably listed as a required plug-in to play a file embedded in the code of a web page. You probably wanted to view or hear the content and must have given your approval to install the plug-in. You can uninstall it via Control Panel > Add/Remove Programs.

Media Player Classic will play QuickTime and Real Media files, if you also download and install the standard Codecs package. Media Player Classic and the various codec packages are available from http://www.free-codecs.com/ . They also have a QuickTime replacement and a RealMedia replacement, if you only need those. If you download the standard Codecs package you will get both in one player, which is included.

Brint Hannay

 

From:
Maryland, USA
Posted 15 Jan 2007 8:17 pm

When I clicked on Change/Remove, I got a box that says "Removing Quick Time system extensions can cause applications to malfunction". It gives me choices to "Click Uninstall to remove the applications that came with Quicktime" or "Click Uninstall Everything to remove the system extensions as well (not recommended)". Which should I do?

Wiz Feinberg


From:
Mid-Michigan, USA
Posted 15 Jan 2007 10:44 pm

Brint Hannay wrote:
When I clicked on Change/Remove, I got a box that says "Removing Quick Time system extensions can cause applications to malfunction". It gives me choices to "Click Uninstall to remove the applications that came with Quicktime" or "Click Uninstall Everything to remove the system extensions as well (not recommended)". Which should I do?

Brint;
If you use iTunes you probably should not remove QuickTime. I don't know what other programs you may have that rely upon that program. Of course, you can uninstall it and see what, if anything, breaks. If an important program complains about QuickTime being gone, download and reinstall it.

Jack Stoner


From:
Kansas City, MO
Posted 16 Jan 2007 3:40 am

U got a box that says "Removing Quick Time system extensions can cause applications to malfunction".

That's a stock warning that is typical of many programs. When you uninstall it they will issue some type of warning that it may affect other uses, etc. It can be ignored in almost all cases.

In the case of QT, it has its own proprietary media file formats and you need QT or the QT alternative to play those formats - other than that, and possibly iTunes, it's not needed for any other media format.

I got along fine without QT installed on my PC for 4 years, until I found the QT alternative program. There was very little that I would have needed QT for and even then I really didn't miss anything by not playing the QT media file. The only reason I have the QT alternative installed is so I can listen to Mike Gross' "Swingin West" webcast. They originally had both QT and Windows Media streaming links but then had some software problems and removed the Windows Media link so the only option is QT for this broadcast.

Lou[NE]


From:
Weston, NE USA
Posted 16 Jan 2007 5:07 am

Jack, thanks for the Qt alternative link. It works great, but I think it was reinstalling the chipset drivers that solved my playback problem.

Lou

Wiz Feinberg


From:
Mid-Michigan, USA
Posted 16 Jan 2007 5:13 pm

Rick Batey wrote:
Wiz, I was under the impression this vulnerability only applies to the latest QuickTime 7.1.3, is that right?

Link to Information Week article

Rick, I'm sorry it took so long to answer this...

Affected versions

This issue has been successfully exploited in QuickTime™ Version 7.1.3, Player Version 7.1.3.100. Previous versions should be vulnerable as well. Both Microsoft Windows and Mac OS X versions are affected.


All times are GMT - 8 Hours