From: Marc Bejarano (beej_at_ALUM.MIT.EDU)
Date: Wed Sep 25 2002 - 16:51:17 CDT


    update your QuickTime for Windows ActiveX control ASAP.

    marc
    =====
    From: "@stake Advisories" <advisories@atstake.com>
    To: <bugtraq@securityfocus.com>
    Subject: Apple QuickTime ActiveX v5.0.2 Buffer Overrun (a091002-1)
    Date: Tue, 10 Sep 2002 16:57:25 -0400
    Message-ID: <002301c2590c$abafa5d0$b208010a@monkey>
    MIME-Version: 1.0
    Content-Type: text/plain;
            charset="Windows-1252"
    Content-Transfer-Encoding: 7bit
    X-Priority: 3 (Normal)
    X-MSMail-Priority: Normal

                                   @stake Inc.
                                 www.atstake.com

                                Security Advisory

    Advisory Name: Apple QuickTime ActiveX v5.0.2 Buffer Overrun
      Release Date: 09/10/2002
       Application: Apple QuickTime ActiveX v5.0.2
          Platform: Windows NT4 SP6a, Windows 2000 SP1
                    Windows XP
          Severity: There is a buffer overflow condition that
                    can result in execution of arbitrary
                    code.
            Author: Ollie Whitehouse [ollie@atstake.com]
    Contributions: Andreas Junestam [andreas@atstake.com]
                    Dave Aitel
    Vendor Status: Vendor has fixed software update
    CVE Candidate: CAN-2002-0376
         Reference: www.atstake.com/research/advisories/2002/a091002-1.txt

    Overview:

    Apple QuickTime (http://www.quicktime.com) is the media player
    used by a large number of distributors for high quality video and
    audio based media. Version 5.0 has been downloaded over 100,000,000
    times. There is a buffer overrun caused by the way that the QuickTime
    ActiveX component handles the "pluginspage" field when parsed from a
    malicious remote or local HTML page. This can allow the execution of
    arbitrary computer code on the computer viewing the malicious web
    page. The QuickTime ActiveX component is commonly used for movie
    trailers (i.e. those located at http://www.apple.com/trailers/) and
    other streaming or static media technologies when they are embedded
    in a web page.

    Details:

    To exploit this vulnerability an attacker would need to get his or
    her target to open a malicious HTML file as an attachment to an
    email message, as a file on the local or network file system, or as
    a file via HTTP. Most likely this would be accomplished by embedding
    a link to a vulnerable web site in an email message or another web
    page. If the malicious HTML file is opened it will cause Quicktime to
    execute the arbitrary computer code contained within the HTML page.

             Take the following example HTML page:

             ---- Begin Sample HTML
             <OBJ7ECT CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"
               WIDTH="480" HEIGHT="376">
               <PA7RAM NAME="src" VALUE="test.mov">
               <PA7RAM NAME="controller" VALUE="false">
               <PA7RAM NAME="target" VALUE="myself">
               <PA7RAM NAME="href" VALUE="test.mov">
               <PA7RAM NAME="pluginspage" VALUE="insert overly long string here">
               <EM7BED WIDTH="480" HEIGHT="376" CONTROLLER="false"
               TARGET="myself" HREF="test2.mov"
               SRC="test.mov"
               BGCOLOR="FFFFFF"
               BORDER="0"
               PLUGINSPAGE="insert overly long string here">
               </EM7BED>
             </OB7JECT>
             ---- End Sample HTML

    [note: remove the '7's in the tags above to create valid HTML]

    This sample HTML, when edited to insert an overly long string, will
    cause an exception that is exploitable.

    It is possible for an attacker to specify a codebase that will
    download a vulnerable version of the ActiveX component.

    This is a good example of why not to trust *ANY* ActiveX components
    from any unknown source even if the site is considered safe and the
    ActiveX component is signed on behalf of a trusted organization.

    Vendor Response:

    Apple was notified of this issue by @stake on May 13, 2002.

    Apple has resolved this issue within QuickTime 6 which can be
    downloaded from http://www.apple.com/quicktime/.

    Recommendation:

    If you use Quicktime, upgrade to Quicktime 6. If you are a web
    site that hosts the qtplugin.cab file you should upgrade to
    version 6.

    You should never open attachments/webpages that come from
    unknown sources no matter how benign they may appear. Be wary of
    those that come from known sources.

    You can set the "kill bit" for a known vulnerable ActiveX component
    by editing the registry. This will keep Internet Explorer from
    executing the vulnerable component. Directions for setting the kill
    bit on a control are at:
    http://support.microsoft.com/default.aspx?scid=KB;EN-US;q240797&

    You should consider the benefits and risks of each attachment file
    type or ActiveX components that you let into your organization.
    Attachment file types or ActiveX components that you do not need
    should be dropped at your perimeter mail gateway or proxy server.
    Attachments that you choose to forward on into your organization
    should be scanned for known malicious code using an antivirus product.

    Common Vulnerabilities and Exposures (CVE) Information:

    The Common Vulnerabilities and Exposures (CVE) project has
    assigned the following names to these issues. These are candidates
    for inclusion in the CVE list (http://cve.mitre.org), which
    standardizes names for security problems.

          CAN-2002-0376 Apple QuickTime ActiveX v5.0.2 Buffer Overrun

    @stake Vulnerability Reporting Policy:
    http://www.atstake.com/research/policy/

    @stake Advisory Archive:
    http://www.atstake.com/research/advisories/

    PGP Key:
    http://www.atstake.com/research/pgp_key.asc

    Copyright 2002 @stake, Inc. All rights reserved.

    =====
    Date: Wed, 25 Sep 2002 09:59:46 -0700
    Subject: QuickTime for Windows ActiveX security advisory
    From: Ron Dumont <rond@apple.com>
    To: security-announce@lists.apple.com

    Apple Security Advisory APPLE-SA-2002-09-19

    Overview

    A buffer overflow exists in the ActiveX control distributed in Apple
    QuickTime for Windows Version 5.0.2. Any user who opens this control in
    Microsoft Windows Internet Explorer or other affected Windows mail
    clients is vulnerable to attack.

    QuickTime versions for Mac OS X or Mac OS 9 are not vulnerable.

    Recommendation

    Users and web site administrators running the Windows operating system
    should upgrade to the new version of the ActiveX control as soon as
    possible. This can be done by either downloading a new ActiveX control,
    or updating to QuickTime 6 which contains a fixed version of the ActiveX
    control.

        ActiveX control only:
    http://www.apple.com/quicktime/download/qtcheck/
        This control will work with QuickTime version 3.0 and later.

        QuickTime 6 (free update): http://www.apple.com/QuickTime/download/

    Common Vulnerabilities and Exposures (CVE) Information:

    The Common Vulnerabilities and Exposures (CVE) project has assigned the
    following identification to this issue. These are candidates for
    inclusion in the CVE list (http://cve.mitre.org), which standardizes
    names for security problems.

       CAN-2002-0376 Apple QuickTime ActiveX v5.0.2 Buffer Overrun

    Description

    QuickTime for Windows version 5.0.2 is distributed with an ActiveX
    control to allow QuickTime movies to be played on versions of Microsoft
    Windows Internet Explorer. The ActiveX control for QuickTime for
    Windows 5.0.2 has a buffer overflow vulnerability triggered by
    insufficient input validation when parsing the "pluginspage" parameter.

    This vulnerability can be exploited by a remote attacker who can induce
    a victim to visit any web site with malicious code offering the
    vulnerable code or executing a control already present on the victim's
    computer. Also affected are users who open HTML messages in Windows
    mail clients that use Internet Explorer to render HTML and load ActiveX
    controls (e.g., Outlook, Outlook Express, Eudora, etc). Note that an
    email attack would be rendered harmless if the end user email client
    handled HTML mail in Internet Explorer's Restricted Sites Zone (say by
    having applied the Outlook Email Security Update distributed by
    Microsoft; Outlook Express 6 and Outlook 2002 handle mail in the
    Restricted Site Zone by default). Mail clients unable to render HTML or
    that do not invoke Internet Explorer are unaffected.

    All web content managers who support QuickTime technology and all
    Windows users of Microsoft Internet Explorer are encouraged to upgrade
    to the new ActiveX control or QuickTime Version 6.0 as soon as possible.

    Solution

    Either download the new ActiveX control by itself, or update to
    QuickTime 6:

        ActiveX control only:
    http://www.apple.com/quicktime/download/qtcheck/
        This control will work with QuickTime version 3.0 and later.

        QuickTime 6 (free update): http://www.apple.com/QuickTime/download/

    Mitigating factors

    * In the case of the web-based attack, an attacker would need to force a
    user to visit the attacker's Web site. Users who exercise caution in
    visiting web sites could minimize their risk.

    * In the web based attack, if ActiveX controls have been disabled in the
    zone in which the page were viewed, the vulnerability could not be
    exploited. Users who place untrusted sites in the Restricted Sites zone,
    which disables ActiveX by default, or have disabled ActiveX controls in
    the Internet zone could minimize their risk.

    * In the case of HTML email based attacks, customers who read email in
    the Restricted Sites zone would be protected against attempts to exploit
    this vulnerability. Customers using Outlook 2002 and Outlook Express
    6.0, as well as Outlook 2000 and Outlook 98 customers who have applied
    the Outlook Email Security Update would thus be protected by default.
    Also, Outlook Express 5.0 customers who have chosen to read mail in the
    Restricted Sites zone would be protected by default.

    * In the HTML email based attack, Outlook 2002 customers who have
    enabled the "Read as Plain Text" option available in SP1 or later would
    also be protected.

    Further information

    Are there any caveats associated with the patch?

    Yes. Customers should be aware that although the vulnerabilities here
    involve an ActiveX control, the patch does not set the Kill Bit.

    What's an ActiveX control?

    ActiveX controls are small, single-purpose programs that can be called
    by programs and web pages. ActiveX allows a programmer to write a piece
    of software one time, and make its functionality available to other
    programs that may need it.

    What's the "Kill Bit"?

    The Kill Bit is a method by which an ActiveX control can be prevented
    from ever being invoked via Internet Explorer, even if it's present on
    the system. (More information on the Kill Bit is available in Microsoft
    Knowledge Base article Q240797). Typically, when a security
    vulnerability involves an ActiveX control, the patch delivers a new
    control and sets the Kill Bit on the vulnerable control. However, it
    isn't feasible to do so in this case.

    Why isn't it feasible to set the Kill Bit in this case?

    The Kill bit is currently implemented in Windows as an "all or nothing"
    switch. Setting the Kill bit will totally disable your ability to use
    QuickTime in media which invokes it via the ActiveX control. This
    includes millions of web pages, along with many CDs and DVDs. By
    design, the Web pages, CDs and DVDs contain hard-coded references to the
    ActiveX control to load QuickTime. The QuickTime content on these web
    pages, CDs and DVDs would no longer be accessible. As a result, a new
    ActiveX control is provided to remove the vulnerabilities, but the Kill
    Bit is not set on the old one.

    Will the Kill Bit on this control be eventually set?

    Yes. Microsoft is developing a new technology that will enable it to set
    the Kill Bit on the vulnerable version of the control without forcing
    users to re-author web pages containing references to these controls.
    When the new technology is available, we'll provide a QuickTime update
    that makes use of it.

    References

        http://www.apple.com/QuickTime/download/
        http://www.apple.com/quicktime/download/qtcheck/
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0376

        http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q240797
        http://support.microsoft.com/default.aspx?scid=kb;en-us;Q154850&FR=1

    =====
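Both advisories turn on the same question for a Windows administrator: is the kill bit set on the QuickTime control, and which version of the control is actually registered? The script below is an added example (not from either advisory or from Apple) that audits exactly that. It assumes a Windows host with PowerShell, uses the CLSID from the @stake sample HTML, and relies on the kill-bit flag value 0x400 under the "ActiveX Compatibility" key documented in Microsoft KB 240797.

```powershell
# Added example: audit the kill-bit state and registered version of the
# QuickTime ActiveX control (CLSID taken from the advisory's sample HTML).
# Run as an administrator on Windows; nothing is changed unless the last
# two lines are uncommented.
$clsid   = '{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}'
$KillBit = 0x400   # "Compatibility Flags" bit meaning "never load in IE" (KB 240797)

# 1. Read the Compatibility Flags for this CLSID, if the key exists at all.
$compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
$flags = 0
if (Test-Path $compatKey) {
    $props = Get-ItemProperty -Path $compatKey
    if ($null -ne $props.'Compatibility Flags') {
        $flags = [int]$props.'Compatibility Flags'
    }
}
$killBitSet = (($flags -band $KillBit) -ne 0)

# 2. Resolve the CLSID to the DLL/OCX IE would load and read its file version,
#    so you can tell whether the fixed control has replaced the 5.0.2 one.
$serverKey  = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
$serverPath = $null
if (Test-Path $serverKey) {
    $serverPath = (Get-ItemProperty -Path $serverKey).'(default)'
}
$version = 'not registered'
if ($serverPath -and (Test-Path $serverPath)) {
    $version = (Get-Item $serverPath).VersionInfo.FileVersion
}

[pscustomobject]@{
    CLSID       = $clsid
    KillBitSet  = $killBitSet
    ServerPath  = $serverPath
    FileVersion = $version
}

# 3. Optional: set the kill bit. As Apple's advisory notes, this is all or
#    nothing: every page, CD or DVD that embeds QuickTime via this CLSID
#    stops working, so only do it on hosts that do not need the control.
# if (-not (Test-Path $compatKey)) { New-Item -Path $compatKey -Force | Out-Null }
# Set-ItemProperty -Path $compatKey -Name 'Compatibility Flags' -Type DWord -Value ($flags -bor $KillBit)
```

The version check is the more useful half given Apple's decision not to kill-bit the old control: a host can be fully "patched" by the QuickTime 6 installer and still show no kill bit, which is expected, whereas a 5.0.2 file version means the vulnerable control is still what Internet Explorer will load.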