-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory:               Apple QuickTime STSD Heap Overflow Vulnerability
Advisory ID:            TKADV2007-002
Revision:               1.0
Release Date:           2007/11/06
Last Modified:          2007/11/06
Date Reported:          2007/05/15
Author:                 Tobias Klein (tk at trapkit.de)
Affected Software:      Apple QuickTime < 7.3 on Mac OS X v10.3.9,
                        Mac OS X v10.4.9 or later, Mac OS X v10.5,
                        Windows Vista, Windows XP SP2
Remotely Exploitable:   Yes
Locally Exploitable:    No
Vendor URL:             http://www.apple.com
Vendor Status:          Vendor has released an updated version
CVE-ID:                 CVE-2007-3750
Patch development time: 175 days

======================
Vulnerability details:
======================

QuickTime contains a heap overflow that is triggered while parsing a
malformed Sample Table Sample Description (STSD) atom. The overflow is
reached by supplying a malicious size value for the STSD atom in a
QuickTime movie. Exploitation results in an application crash and may
lead to arbitrary code execution with the privileges of the user
running QuickTime.

Because QuickTime content is rendered by QuickTime Player as well as by
the QuickTime plug-in, the vulnerability can be reached remotely through
any channel that delivers a movie file: an embedded QuickTime media
player in an HTML page, an e-mail attachment, an HTML link, etc.

=================
Proof of Concept:
=================

Due to the severity of this issue no detailed technical description or
proof of concept exploit code will be released.

=========
Solution:
=========

Upgrade to QuickTime 7.3 or newer.

http://www.apple.com/support/downloads/

========
History:
========

2007/05/15 - Vendor notified
2007/05/17 - Reply from vendor
2007/05/22 - Status update request
2007/05/22 - Vendor confirms the vulnerability
2007/11/05 - Vendor releases new QuickTime version that fixes the
             vulnerability
2007/11/06 - Release of this security advisory

========
Credits:
========

Vulnerability found and advisory written by Tobias Klein.

===========
References:
===========

There are two other security advisories regarding vulnerabilities in
STSD atoms that I'm aware of (see [1], [2]). The issues described in
these advisories are already fixed by Apple Inc. The vulnerability
described in this advisory deals with a different issue.

[1] http://research.eeye.com/html/advisories/published/AD20060111a.html
[2] http://dvlabs.tippingpoint.com/advisory/TPTI-07-07
[3] http://docs.info.apple.com/article.html?artnum=306896
[4] http://www.trapkit.de/advisories/TKADV2007-002.txt

========
Changes:
========

Revision 0.1 - Initial draft release to the vendor
Revision 1.0 - Public release

===========
Disclaimer:
===========

The information within this advisory may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are no warranties, implied or express, with regard to this
information. In no event shall the author be liable for any direct or
indirect damages whatsoever arising out of or in connection with the
use or spread of this information. Any use of this information is at
the user's own risk.

==================
PGP Signature Key:
==================

http://www.trapkit.de/advisories/tk-advisories-signature-key.asc

Copyright 2007 Tobias Klein. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBRzDXXJF8YHACG4RBEQJNNACg0Wtm9pC+XBZdD3Q7uvlZzVDe0j4AoKkj
vb3uVSZaltIyoC343uEvbSl1
=2xV9
-----END PGP SIGNATURE-----
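Added illustration of the bug class named in the "Vulnerability details" section above. This is not code from the advisory or from Apple, and it is not the TKADV2007-002 defect itself (the advisory deliberately withholds those details). It shows the generic pattern of an atom handler that trusts the declared STSD atom size when copying into a heap chunk, beside a parser that checks every size field against the bytes actually available before using it. The atom layout (4-byte big-endian size including the 8-byte header, 4-byte type, 4 bytes version/flags, 4-byte entry count, entries with their own 4-byte size), the 64-byte scratch chunk, the function names and the sample bytes are all assumptions made for this example.

```c
/* Added example: generic "trust the declared atom size" pattern versus a
 * bounded parser. Not Apple's code and not the actual TKADV2007-002 bug;
 * the atom layout below is an assumption for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define ATOM_HDR    8u   /* 4-byte size + 4-byte type */
#define STSD_FIXED  8u   /* version/flags + entry count */
#define ENTRY_MIN   16u  /* size + format + 6 reserved + 2 data-ref index */
#define SCRATCH_LEN 64u  /* fixed heap chunk used by the unchecked handler */

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Constructed sample: a well-formed 32-byte stsd atom holding one 16-byte
 * 'mp4a' entry. These bytes are made up for the example. */
const uint8_t stsd_good[32] = {
    0x00,0x00,0x00,0x20, 's','t','s','d',
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x01,   /* version/flags, count = 1 */
    0x00,0x00,0x00,0x10, 'm','p','4','a',       /* entry size = 16, format */
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x01    /* reserved, data-ref index */
};

/* Same atom with an oversized declared atom size (0xFFFFFFF0). */
const uint8_t stsd_bad_size[32] = {
    0xFF,0xFF,0xFF,0xF0, 's','t','s','d',
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x01,
    0x00,0x00,0x00,0x10, 'm','p','4','a',
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x01
};

/* Same atom with an entry count far larger than the atom can hold. */
const uint8_t stsd_bad_count[32] = {
    0x00,0x00,0x00,0x20, 's','t','s','d',
    0x00,0x00,0x00,0x00, 0x40,0x00,0x00,0x00,
    0x00,0x00,0x00,0x10, 'm','p','4','a',
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x01
};

/* Hypothetical unchecked handler: copies (declared size - header) bytes into
 * a 64-byte heap chunk. The declared size comes straight from the file, so a
 * value above 72 writes past the chunk (heap overflow) and a value below 8
 * wraps the length to about 4 GiB. Returns the number of bytes copied. */
size_t stsd_copy_unchecked(const uint8_t *atom)
{
    uint32_t declared = be32(atom);
    uint8_t *chunk = malloc(SCRATCH_LEN);
    if (!chunk) return 0;
    size_t n = declared - ATOM_HDR;        /* attacker-controlled length */
    memcpy(chunk, atom + ATOM_HDR, n);     /* no bound against SCRATCH_LEN or input */
    free(chunk);
    return n;
}

/* Hardened parser: every length is validated against what is actually
 * available before it is used. 'avail' is the number of bytes readable from
 * 'atom'. Returns the entry count, or -1 if the atom is malformed. */
int parse_stsd_checked(const uint8_t *atom, size_t avail)
{
    if (avail < ATOM_HDR + STSD_FIXED) return -1;
    uint32_t declared = be32(atom);
    /* the declared size must cover header + fixed fields and fit the buffer */
    if (declared < ATOM_HDR + STSD_FIXED || declared > avail) return -1;
    if (memcmp(atom + 4, "stsd", 4) != 0) return -1;

    uint32_t count = be32(atom + ATOM_HDR + 4);
    uint32_t off = ATOM_HDR + STSD_FIXED;
    /* cheap pre-check: 'count' entries cannot exceed remaining / ENTRY_MIN */
    if (count > (declared - off) / ENTRY_MIN) return -1;

    for (uint32_t i = 0; i < count; i++) {
        if (declared - off < ENTRY_MIN) return -1;
        uint32_t esize = be32(atom + off);
        /* each entry must hold its fixed part and stay inside the atom */
        if (esize < ENTRY_MIN || esize > declared - off) return -1;
        off += esize;
    }
    return (int)count;
}

int main(void)
{
    printf("good atom:      %d entries\n", parse_stsd_checked(stsd_good, sizeof stsd_good));
    printf("bad atom size:  %d\n", parse_stsd_checked(stsd_bad_size, sizeof stsd_bad_size));
    printf("bad entry count: %d\n", parse_stsd_checked(stsd_bad_count, sizeof stsd_bad_count));
    printf("unchecked copy of good atom: %zu bytes\n", stsd_copy_unchecked(stsd_good));
    return 0;
}
```

The unchecked handler is only ever called on the well-formed sample here; pointing it at stsd_bad_size would attempt a copy of roughly 4 GiB into a 64-byte chunk. The checked parser rejects that input before any copy because the declared size exceeds the bytes available, and it rejects the oversized entry count without looping over it because the count cannot fit in the remaining payload.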