-----Original Message-----
From: UNIRAS (UK Govt CERT) [mailto:[EMAIL PROTECTED]]
Sent: 12 September 2002 11:10
To: [EMAIL PROTECTED]
Subject: UNIRAS Brief - 313/02 - @stake - Apple QuickTime ActiveX v5.0.2 Buffer Overrun

-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
UNIRAS (UK Govt CERT) Briefing Notice - 313/02 dated 12.09.02 Time: 11:00
UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ----------------------------------------------------------------------------------
UNIRAS material is also available from its website at www.uniras.gov.uk and
information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====

@stake Inc Security Advisory: Apple QuickTime ActiveX v5.0.2 Buffer Overrun

Detail
======

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                              @stake Inc.
                            www.atstake.com
                           Security Advisory

Advisory Name: Apple QuickTime ActiveX v5.0.2 Buffer Overrun
 Release Date: 09/10/2002
  Application: Apple QuickTime ActiveX v5.0.2
     Platform: Windows NT4 SP6a, Windows 2000 SP1, Windows XP
     Severity: There is a buffer overflow condition that can result in
               execution of arbitrary code.
       Author: Ollie Whitehouse [[EMAIL PROTECTED]]
Contributions: Andreas Junestam [[EMAIL PROTECTED]]
               Dave Aitel
Vendor Status: Vendor has released a fixed software update
CVE Candidate: CAN-2002-0376
    Reference: www.atstake.com/research/advisories/2002/a091002-1.txt

Overview:

Apple QuickTime (http://www.quicktime.com) is the media player used by a
large number of distributors for high quality video and audio based media.
Version 5.0 has been downloaded over 100,000,000 times.

There is a buffer overrun caused by the way that the QuickTime ActiveX
component handles the "pluginspage" field when parsed from a malicious
remote or local HTML page. This can allow the execution of arbitrary
computer code on the computer viewing the malicious web page.

The QuickTime ActiveX component is commonly used for movie trailers (i.e.
those located at http://www.apple.com/trailers/) and other streaming or
static media technologies when they are embedded in a web page.

Details:

To exploit this vulnerability an attacker would need to get his or her
target to open a malicious HTML file as an attachment to an email message,
as a file on the local or network file system, or as a file via HTTP. Most
likely this would be accomplished by embedding a link to a vulnerable web
site in an email message or another web page. If the malicious HTML file
is opened it will cause QuickTime to execute the arbitrary computer code
contained within the HTML page.

Take the following example HTML page:

---- Begin Sample HTML
<OBJ7ECT CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" WIDTH="480" HEIGHT="376">
<PA7RAM NAME="src" VALUE="test.mov">
<PA7RAM NAME="controller" VALUE="false">
<PA7RAM NAME="target" VALUE="myself">
<PA7RAM NAME="href" VALUE="test.mov">
<PA7RAM NAME="pluginspage" VALUE="insert overly long string here">
<EM7BED WIDTH="480" HEIGHT="376" CONTROLLER="false" TARGET="myself" HREF="test2.mov" SRC="test.mov" BGCOLOR="FFFFFF" BORDER="0" PLUGINSPAGE="insert overly long string here">
</EM7BED>
</OB7JECT>
---- End Sample HTML

[note: remove the '7's in the tags above to create valid HTML]

This sample HTML, when edited to insert an overly long string, will cause
an exception that is exploitable.

It is possible for an attacker to specify a codebase that will download a
vulnerable version of the ActiveX component. This is a good example of why
not to trust *ANY* ActiveX components from any unknown source, even if the
site is considered safe and the ActiveX component is signed on behalf of a
trusted organization.

Vendor Response:

Apple was notified of this issue by @stake on May 13, 2002. Apple has
resolved this issue within QuickTime 6, which can be downloaded from
http://www.apple.com/quicktime/.

Recommendation:

If you use QuickTime, upgrade to QuickTime 6. If you are a web site that
hosts the qtplugin.cab file you should upgrade to version 6.

You should never open attachments/webpages that come from unknown sources
no matter how benign they may appear. Be wary of those that come from
known sources.

You can set the "kill bit" for a known vulnerable ActiveX component by
editing the registry. This will keep Internet Explorer from executing the
vulnerable component. Directions for setting the kill bit on a control
are at:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;q240797&

You should consider the benefits and risks of each attachment file type or
ActiveX component that you let into your organization. Attachment file
types or ActiveX components that you do not need should be dropped at your
perimeter mail gateway or proxy server. Attachments that you choose to
forward on into your organization should be scanned for known malicious
code using an antivirus product.

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the
following names to these issues. These are candidates for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for security
problems.

CAN-2002-0376 Apple QuickTime ActiveX v5.0.2 Buffer Overrun

@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

Copyright 2002 @stake, Inc. All rights reserved.
- -----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.3

iQA/AwUBPX5bY0e9kNIfAm4yEQIH+QCdFToXSMrwlO9izwdxGLEyUUkbTWEAoJbj
Z9cyqqB498EcNiXqMK/INQN3
=MXuj
- -----END PGP SIGNATURE-----

- ----------------------------------------------------------------------------------
For additional information or assistance, please contact the HELP Desk by
telephone or Not Protectively Marked information may be sent via EMail to:
[EMAIL PROTECTED]
Tel: 020 7821 1330 Ext 4511
Fax: 020 7821 1686
- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of @stake for the
information contained in this Briefing.
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author.
Some of the information may have changed since it was released. If the
vulnerability affects you, it may be prudent to retrieve the advisory from
the canonical site to ensure that you receive the most current information
concerning that problem.

Reference to any specific commercial product, process, or service by trade
name, trademark manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by UNIRAS or NISCC. The
views and opinions of authors expressed within this notice shall not be
used for advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors or
omissions contained within this briefing notice. In particular, they shall
not be liable for any loss or damage whatsoever, arising from or in
connection with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams
(FIRST) and has contacts with other international Incident Response Teams
(IRTs) in order to foster cooperation and coordination in incident
prevention, to prompt rapid reaction to incidents, and to promote
information sharing amongst its members and the community at large.
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQCVAwUBPYBmK4pao72zK539AQEclwQArFHaSz+9MlBVYExGQUMfYMR7SG2kXZpw
1VQhwly67PmYiEz5DjMfafWm2LGd6DpBOISpiQ8/8emqKzDhVYcd8P2zveSZRMaF
iy4OWC6R4Q8TOsDZDOYFXan9Ovp+eLMrKKEYKaqWP+t3/fszQ+T+5IWnqACLT6Yf
7UtzJPtdjCk=
=xiu2
-----END PGP SIGNATURE-----

IWS INFOCON Mailing List @ IWS - The Information Warfare Site
http://www.iwar.org.uk
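Two of the advisory's recommendations lend themselves to tooling: dropping pages that embed the QuickTime control with an oversized "pluginspage" value at the mail gateway or proxy, and setting the Internet Explorer kill bit for the control's CLSID. The Python below is an added example written for this page; it is not code from @stake, Apple, Microsoft or UNIRAS. `scan_html` walks the OBJECT/PARAM/EMBED tags of a page (with a deliberately loose regex, since gateway traffic is often malformed) and reports QuickTime embeddings whose pluginspage is longer than a threshold, plus any QuickTime OBJECT carrying a CODEBASE, since the advisory notes that codebase can be used to pull down the vulnerable build. The 256-byte threshold is this example's own assumption, not a figure from the advisory. `killbit_reg` emits the .reg fragment that sets the kill bit for the CLSID named in the sample HTML; the key path and the 0x400 "Compatibility Flags" value are the ones documented in the Microsoft KB article the advisory links to. The two sample pages are constructed here for demonstration.

```python
import re

# CLSID of the QuickTime ActiveX control named in the advisory's sample HTML.
QUICKTIME_CLSID = "02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"

# Length above which a pluginspage value is treated as an overrun attempt.
# The advisory only says "overly long"; 256 is this example's own threshold
# (an assumption), well above any real plug-in download URL.
MAX_PLUGINSPAGE = 256

# Loose tag/attribute matching on purpose: a gateway sees malformed and
# mixed-case HTML, and a strict parser would let such pages through.
_TAG_RE = re.compile(r"<\s*(/?)(object|param|embed)\b([^>]*)>",
                     re.IGNORECASE | re.DOTALL)
_ATTR_RE = re.compile(
    r"""([A-Za-z_:][-\w:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""",
    re.DOTALL)


def _attrs(body):
    """Parse one tag's attributes into a dict keyed by lower-cased name."""
    out = {}
    for m in _ATTR_RE.finditer(body):
        out[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return out


def scan_html(html, max_len=MAX_PLUGINSPAGE):
    """Flag QuickTime embeddings whose pluginspage value is suspiciously long.

    Returns a list of (finding, detail) tuples in document order:
      ("param-pluginspage", length)  PARAM inside a QuickTime OBJECT
      ("embed-pluginspage", length)  PLUGINSPAGE attribute on an EMBED
      ("codebase", url)              a QuickTime OBJECT asking IE to fetch
                                     a control (possibly the vulnerable build)
    """
    findings = []
    in_qt_object = False
    for m in _TAG_RE.finditer(html):
        closing, tag, attrs = m.group(1) == "/", m.group(2).lower(), _attrs(m.group(3))
        if tag == "object":
            if closing:
                in_qt_object = False
                continue
            in_qt_object = QUICKTIME_CLSID.lower() in attrs.get("classid", "").lower()
            if in_qt_object and "codebase" in attrs:
                findings.append(("codebase", attrs["codebase"]))
        elif tag == "param" and in_qt_object:
            if attrs.get("name", "").lower() == "pluginspage":
                n = len(attrs.get("value", ""))
                if n > max_len:
                    findings.append(("param-pluginspage", n))
        elif tag == "embed" and not closing:
            n = len(attrs.get("pluginspage", ""))
            if n > max_len:
                findings.append(("embed-pluginspage", n))
    return findings


def killbit_reg(clsid=QUICKTIME_CLSID):
    """Return a .reg file body that sets the IE kill bit for clsid.

    Per Microsoft KB240797, Internet Explorer will not instantiate a control
    whose "Compatibility Flags" value under "ActiveX Compatibility\\{CLSID}"
    has bit 0x400 set. Import the result with regedit on the affected hosts.
    """
    key = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\"
           "ActiveX Compatibility\\{%s}" % clsid.upper())
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            "[%s]\r\n\"Compatibility Flags\"=dword:00000400\r\n" % key)


# Constructed sample pages (not from the advisory): the first mirrors the
# advisory's sample with a 2000-byte pluginspage, the second is a normal embed.
LONG = "A" * 2000
MALICIOUS_HTML = """<OBJECT CLASSID="clsid:%s" WIDTH="480" HEIGHT="376">
<PARAM NAME="src" VALUE="test.mov">
<PARAM NAME="pluginspage" VALUE="%s">
<EMBED WIDTH="480" HEIGHT="376" SRC="test.mov" PLUGINSPAGE="%s"></EMBED>
</OBJECT>""" % (QUICKTIME_CLSID, LONG, LONG)
BENIGN_HTML = """<object classid="clsid:%s" width="480" height="376">
<param name="src" value="trailer.mov">
<param name="pluginspage" value="http://www.apple.com/quicktime/download/">
<embed src="trailer.mov" pluginspage="http://www.apple.com/quicktime/download/">
</object>""" % QUICKTIME_CLSID

if __name__ == "__main__":
    print(scan_html(MALICIOUS_HTML))  # [('param-pluginspage', 2000), ('embed-pluginspage', 2000)]
    print(scan_html(BENIGN_HTML))     # []
    print(killbit_reg())
```

The scanner flags the EMBED form as well as the OBJECT/PARAM form because the advisory's sample carries the long string in both; a filter that only inspects PARAM tags would miss pages that rely on the EMBED alone. The kill bit is a host-side control and does nothing for the Netscape-style plug-in path, so the upgrade to QuickTime 6 remains the actual fix.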