Sunday, December 16, 2007

QuickTime Vulnerability - Get Patched (if you can)

QuickTime Vulnerability Found

Earlier this week I began to see mention in my security site feeds that a vulnerability in Apple's QuickTime player had been discovered.

ISC-SANS has some info on it:

Secunia also has a good description of the issue: Secunia advisory SA27755

Description:

h07 has discovered a vulnerability in Apple QuickTime, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error when processing RTSP replies and can be exploited to cause a stack-based buffer overflow via a specially crafted RTSP reply containing an overly long "Content-Type" header.

Successful exploitation allows execution of arbitrary code and requires that the user is e.g. tricked into opening a malicious QTL file or visiting a malicious web site.
The vulnerability is confirmed in version 7.3. Other versions may also be affected.

NOTE: A working exploit is publicly available.

That may not sound really scary, I mean, how many people would be impacted by processing RTSP replies? Right?

Well, RTSP stands for Real Time Streaming Protocol. That means that if you happen across a web page and click the video that happens to have been seeded with the exploit, your system could be compromised. And we all know how popular Real Time streaming videos can be.

I can't say how common the exploit is to most users, however it is pretty amazing that the weakness is reported to be exploitable on Vista, XP, IE6, IE7, Safari 3.0 on Windows, Firefox, and even affects OSX systems.

Get your Updates! (If you can find them!)

Like a faithful user, I started hitting my Apple Software Updater application daily, looking for the patch. This is software that can be optionally installed along with iTunes and QuickTime. Amazingly, no updates were reported. As of the time of this posting, it still isn't offering any updates.

Today when I launched QuickTime, I allowed it to go to the web to look for updates.

It did find an update available to bring the software up to version 7.3.1. (Officially it is version 17.3.1.70.) Be very careful. If you decline to update when offered (as I did on one of my XP systems) subsequent attempts to get the update when re-running the QuickTime update tool will result in a strange phenomenon: it will report that no updates are available again. Leading you to think your QT is fully patched. Not cool!

Additionally, even though you can find the update via the Apple QuickTime application updater process, the Apple Software Updater tool still won't find or offer them! Bizarre!

It seems that one-branch of the Apple tree doesn't know that the other branch has a bug problem!

For even more attitude and details about these Apple/QuickTime issues check out these Register articles: Apple keeps critical security fixes to itself and Latest QuickTime Exploit targets both Macs and PCs

Secunia Software's free on-line Software Scanner is now picking up this vulnerable version of QuickTime in its scans on systems that have it.

QuickTime Update - Dependable Source Found!

Secunia's results detail (and this ISC-SANS link) will point you to the Apple web page that contains the updated QuickTime version.

Update Instructions:
Update to version 7.3.1 or later.
http://www.apple.com/quicktime/download/
NOTE: This version is not supported on Windows 2000.

BTW: This isn't a patch, but a full version software application "upgrade".

Thoughts

If you have QuickTime...go get the updated version and apply it to your system. Do it now. Don't put it off.

I'm not complaining one bit that Apple's QuickTime has a flaw. That's the nature of the beast. What does amaze me is how hard it is to find and download the updated version using Apple's own updating software! And if I decline to install an update via QuickTime, it shouldn't then stop offering me the update! Finding and patching software shouldn't be this hard, guys and ladies....

If you don't use iTunes, but do want to view QuickTime files, you can always just skip Apple's QuickTime player and go with this free-alternative: QuickTime Alternative 2.2.0 - via filehippo.com.

Excuse me now while I go get another apple to bite into....Pink Ladies are back in season!

Yummy Good and guaranteed to be exploit-free.

--Claus

No comments: