JPCERT-AT-2007-0023
JPCERT/CC
November 30, 2007 (Original release date)
December 14, 2007 (Last revised)
<<< JPCERT/CC Alert 2007-11-30 >>>
Zero-day vulnerability in Apple QuickTime
http://www.jpcert.or.jp/at/2007/at070023.txt
I. Overview
Apple QuickTime contains a vulnerability in Real Time Streaming
Protocol (RTSP) processing which remains unpatched. Exploitation of
this vulnerability could allow a remote attacker to execute arbitrary
code on the user's computer. Now, multiple exploit payloads have been
released on the Internet, and attacks using them are expected to
increase in the future.
Some exploit codes (programs to prove that the vulnerability is
exploitable for attacks) released on the Internet affect QuickTime
running on Windows and Mac OS.
II. Systems Affected
As of November 30, 2007, this vulnerability has been confirmed to
affect the following products:
Products Affected
- QuickTime version 4.0 to 7.3 running on Windows or Mac OS
As QuickTime is included as a component of iTunes music management
software, computers using iTunes may be affected by the vulnerability
in QuickTime. In addition, iTunes is preinstalled on Mac OS.
III. Solution
As of November 30, 2007, Apple has not made a formal announcement
on this vulnerability. It is recommended to apply the following
workarounds until updates are released:
1. Block RTSP traffic using a firewall
RTSP traffic uses TCP/554 by default. Block the traffic using
a firewall, etc.
2. Do not open suspicious QuickTime media files
Do not open files with an extension of .qtl or .mov associated
with QuickTime.
3. Keep your anti-virus definition file up-to-date
4. Disable the QuickTime ActiveX controls in Internet Explorer
Disable the QuickTime ActiveX controls by referring to the
following website:
US-CERT Vulnerability Note VU#659761
http://www.kb.cert.org/vuls/id/659761
5. Disable the QuickTime plugin for Mozilla based browser such
as Firefox
Disable the QuickTime plugin by referring to the following website:
mozdev.org - plugindoc: ja-JP/faqs/uninstall
http://plugindoc.mozdev.org/ja-JP/faqs/uninstall.html
If you are not using QuickTime for your business, you should also
consider uninstalling QuickTime temporarily from your computer used
for business.
Note: JPCERT/CC confirmed that uninstalling QuickTime disables
iTunes.
*** Update: Added on December 14, 2007*******************************
Apple has released updates to address this vulnerability.
Users are recommended to upgrade to the latest version of
QuickTime.
Download Link for Apple QuickTime for Windows:
http://www.apple.com/jp/quicktime/download/win.html
Download Link for Apple QuickTime for Macintosh:
http://www.apple.com/jp/quicktime/download/mac.html
**********************************************************************
IV. Reference Information
Japan Vulnerability Notes JVNVU#659761
Apple QuickTime RTSP Content-Type header stack buffer overflow
vulnerability
http://jvn.jp/cert/JVNVU%23659761/index.html
Apple - QuickTime - Technologies - Streaming
http://www.apple.com/quicktime/technologies/streaming/
*** Update: Added on December 14, 2007*******************************
About the security content of QuickTime 7.3.1
http://docs.info.apple.com/article.html?artnum=307176
*********************************************************************
If you have any information regarding this matter, please contact us.
__________
Revision History
November 30, 2007 Initial release
December 14, 2007 Added information on the release of security
updates for this vulnerability
======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: 03-3518-4600 FAX: 03-3518-4602
http://www.jpcert.or.jp/
Top