|
|
|
Apple Patches QuickTime Flaw
By: Brian Prince
2007-03-06
Article Rating: / 0
There are 0 user comments on this Network Security & Hardware story.
A new QuickTime release fixes a heap corruption vulnerability that could allow an attacker to execute commands as the current user, Apple says.Apple has addressed a heap corruption vulnerability in its popular QuickTime media player.
The flaw can be exploited remotely, and allows an attacker to execute arbitrary commands as the current user. Security researchers at VeriSigns iDefense Labs confirmed the vulnerability exists in version 7.1.3 of QuickTime on Windows, and previous versions are suspected to be vulnerable as well.
 For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.
Apple patched the problem in its latest QuickTime release, version 7.1.5.
"This update is recommended for all QuickTime 7 users," the Cupertino, Calif., company advised on its Web site. "QuickTime 7 will disable the QuickTime Pro functionality in prior versions of QuickTime, such as QuickTime 5 or QuickTime 6. If you proceed with this installation, you must purchase a new QuickTime 7 Pro key to regain QuickTime Pro functionality."
Apple was first notified of the flaw in December, according to iDefense researchers, in Sterling, Va.
An Apple vulnerability project kicks off by releasing information about a QuickTime flaw. Click here to read more.
The vulnerability involves QuickTimes handling of Video media atoms. When the Color table ID field in the Video Sample Description is 0, QuickTime expects a color table to be present immediately after the description, iDefense researchers said. A byte swap is performed on the memory following the description—regardless of whether a table is present or not—and heap corruption will occur if the memory following the description is not part of the heap chunk being processed, researchers said.
In order to exploit this vulnerability, a victim must open a media file supplied by the hacker. This could be accomplished by either a direct link or a referral from a Web site under the attackers control. No further interaction is required in the default configuration.
iDefense is currently unaware of any effective workarounds for this vulnerability.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.
|
|
�������x}r*({Ew{)ٖ:-�K3dwKEĘ"yHʗdK|ڗgn�BKg쎧Ɩ�nt7�f;�?;;~$rLȹkmJvg9�[�DZ;;}.GP|gYP�o�2r}͂R �
�tӌ5q�:!�-�����>;|�9|vĠZ��ڒ)&ӰY |+[3}B��F��\�3�Ѣ�b
پ�I�- �6��#%�ޥɏ�ͻ'k[�t�U�N(�T|0tgL'þ�=a�i:M"x<&j2�>wn3
w2`~�|!�k|`Vh�xOFk�MmW8�ؓA
�
�y!l�
�1#osݿ!HݤNoޤ@d`j�Id�@:"8,��#63!p�55\ar�)zXY6�G-#H�1PN$}+AbArxưiH��|6XB�¼Xy�
{N
�<�:tQV�_5yo@בnL|wdoa-�QK� T6'�>6�L)L|HCɤ:�Zdqcٗe,�V4öCCٰo�4RihuE9(ՆRn�8E]`[¥;{c4;??S)J=,�#[wn5u5`*λGW~d@.z:ggQ뚏 H
H7&
LT*jZ*�L�xaBjL��a5�u�P�;%oJQn4E;J
KHs�=
(2�1�,4Y�ln\�:WW~�:GW 7f٘Y�ji�Ud�\�]�o-�U5uw''+r=�>sو&�lXaV|]kU[_��lx?-��k�`c��R^iHj=2�ǽ�Y�$Y.�r:8?#��| ,�-˝�)Tt<�G)L,Y`]����ImdƩ�$|dž�z�N��3ߜb�j}T7oh�2��f4 6mp���a6f�@Lu��&h�)=?�.Fb.L22z)=mZW/��(AK/�
�5|*(if)[�/3 �BD?CC���0!pIva.8
[�&�hfmٜ҅%]WcNMQcL
nCu&N{sL~�?w�,qJ�j�h�X.B2iqHB0pkꛛZHLM*P\?(CC*�EM, �FKP̶#ؠe)u��?�g���6aϨ>�|�鎓z�>:AG�ti�šwhNP7��h`C�ҋ�Lڠ��~�N;ݧn]='tno/*AbG�&
ahh5�Z�LH#AтM���T8n�C`�2��Z�9ܹ
,&��F��V���cX`��V����GPC!]7$>�(��+�9=P�l~[>l0��s�zQ�P|'sZ(L7^`c1�2)%%E2��� 4.gH)AH �=[h���� ]��99|����=�vZ)J��PlzfX�VZjpJa
"@����du1a,�6S˘
R
�W?f,���qٛw��yE"R��7%�+�Ͱ'q_G;oo�zbv����&|U;m97��y_CMUPS7�˕L< +UPM
g2)*hs<8:[�(�/7�\EYbꞦ5�X�ScX`Dn�~b8ug�m/n)`�V|�\v�ΖuV�kͲT];/ 7JeO4�}�VJ{2,F6@1ٖk�,:�+c:*K�_i��hH*E6�@\Z1-c��%>!1Ad�/a:(HpSo{:8!{ja�a�C�+%UV��0F,mk5^�ausv@6�@��@��h��M �TlvCax9�^G�Awm=_T�Z|:��0T�(e!�\o�
)L>Eװ�Dؚ�ZWSg<`}1Jx>hx#�d�6�XbO`��pl`/R=u
R��XO%}T5!C�
�ԑq,�Yr�i�L*wڶ{O�>QȺ@POKs˙@�'g@:"X#�'ѠV���Ē8vYPzP*
�W�G?_]9]F�=3�$�hD�4e6f,4_\0-�J�D%x\Rj'2?CU^oV�S�w,"ZT�jSCjvPVk�ov��9̓☏�)V3G
q��|a_ћz�ř1f�tYi�57A�L}6݂�/\r?09X>>>
'21�2&
z@j9aju�6<|06J%MEd�\@AeX�L˧Fxpg�Ճ)�u;uav�9A�8� �kqA=�c�vq
9�(k
X85
'&
R9!GF�쉳��ɂu�x!�MU���lnp{]�0�X�AG5�h0�qHG��;+�E�68=�c� uW:�jS�~i���h�5���~�Kˣ����lG{icf��MMa�fFž.nJQ/=�7yE؛s1������wxኣ54�cf;G�O�6�Jh)YW!RW�
dę�e�~k�Ѳ��׆gQy�q̤��|9}�@mvf3�V��=_g`��t�mAؙY#CuitMeb`l
"Z`|i�/X`&c1�s*?
.}l�3pٳ.�`Ϙɗb_oT`p1�\FAXnC<>ԍ'�b*r1=�?J}�[Lߴ�@v1`{���=�;#���(4OQ��X9)6eM+v@lkZpw|L2M�:��{G��ɲ\�'��UVj8H3A��y'�
�B�k=Q<��+@&{@w^;.y0�N N�0+ο:�Xa�J/r@`SNjc{.F0�r`R�(; J@�F�䆷�$b2v}WszZ^��+ކa�=;���Fk�)���sн�_>z�{ёңN
z֓ ���*Y>ˁBV�T�1�r ��$خ�)��XAU:ۿ��C�? Y^3/p�LJ��"US
8zL-ӤN)gT�ٖx|i'�gax!wmn?�q4�%3r*w?BxHی,mm�g̑sS��\ AgJ脚f{e5-�eH5NR�MLC]�OC/�D$�;�kB6zs �giMO6}n3ϼ�K����̣7�X;
.VH0_Ӹ\b�tgB XY�+o�x�fXt�a}ki-�jݷΫ^���-�)tG�C����]'EQ,�wгHU�N{3
>#](��-gFo:qE�2UT(sؾ6�}=RvӅc�`�Сw'�;v%st7�#g��ucJ�A95~@ϝπ(i@�S|&��t^�NPD(�ЪY�~4j*�]O}4]��Yv��NA
��>���H� tD3(o�X7۸;�.z|,=}#G&zE>qF.Z��=w;o[Meq$s
CݿvA]iNvt�7p,0Tfᚎx
XJ�Nl"4P$EUՊZƎFr�,WU�$]e��:�ע'�,n9�P2QvIK�Js`̾�qC7跷�b���o�JP����]&
{~W�]ߣPIݣx(оÞ6wYiEU�.J\�-"PnGxZY|:K�%0)7�9b.iq�xw@3 V_�43ˁ}mrb�.GorGO/V̿m+&gT7q
�'a`}�sٮqckb0�
%^�נK\i49i8 9y0�@^�z#YIϟȅO�zЕ�-|W7D)�E��cGP¼ǻVNet=I=X3HSacD]N˭|2�_�0d(',��3C�+X,?&N\=(}dI-ǘN(�`Cl@AWAg)[F-̱ �K�wĎB{sL@%=�r,6|p,uD"d�+��mŹ�Oh'5qXR1f�}StR�ԉd�U+YJD�)Μ˳;e;eOXNh@5�y"0C }(�ȺMph���=gdJ,UV&8\45%z\NW�xYmѤx���$=ڌ,O��JH@
"-蛯;FIU飚M��A/;%Պ���K}h9g{*9DX�;ݟ9W��p> �TD1aM�z���_q�lGX�(�"#�+�_�Ř�s1j�/_H*�x�F�UҴr\{9G�J
Лg�R@�IZ�M�fb*2l �gsw˶umiP��tbw9!�>,���cC#t7DYأ&)
Iml�/?.mT�`K`$�>@�DV��tB�^��
y�ֆ�vL�(�J�!�wȜ7C5Vs5O �K��+pPVTצ_'Gl})UD�:U})�c"KL%�>g;
ח~H�KL�)9�^�6Fn]kj.�IX^\$"a ď�H�* �kT�FX>Y*nr96,{�ߵ3N=\��D1ooooSZzo/W/;g+%;:x�^)i4OKM7d�au⽆ZR%U�N%=37p)(�U� {Ay%B�YlX.`�G�;a-�>"Ad�\0�8���<��s=ZF]ja�;�%AB)�51��7��|^+jB6�"|trfs'Ntu|NLU�tMЭT2^Dyj�4Z�un-u{�뛫u��#�%g;+.�L66Ƕl�ͳva~�D�uv�H)�X�p,P�z�=jX:.#RF¯�^�fFd#nϪ5V�rE��l?z`�V/bF))�o2욶FcˠO�kטPt= @>��'��n�yVmI .�{|�>a�ˏx�RkueA(�Y�!kj��]:ҡ�s;q~ܑufYl�B/��N-&��8E-r�t�'7%eZS[�ٓ[
8��G_
�6a^fGZq)MG6(}o
˫cb2z�ޘ�5�pb�Y��Z`ybLh${�}9b\�-RW�d�b"@��^(�_�aI[�3rѹu�U�=<��i�9k�`�ϳRj��a�(?(��Sc�}&� 'l
I=�RX+�0wMGE����cb^�V�zC8ްn�?Ĉo8gkH�fIC9Ҍ]$1럯.JC)a�#{~�����L-�
Dr"c�)4FJ[!1}s?��~I79tS-i`Kk@���J���!b:Lj��)��0�װ�Þ�1;m{^��Jl�/u��'O%�c��Z|G"�GX#&�3)-�+9F_A(:*
$1XJ!J'8e��E�t�03�7���
c�n
fԒ�
7S�I��o�03�N]<7��Y�e��xp�Ƨ�x�}�ͻ)5l,6�ͬ�S1zy�6t(YS=1U&F����Ǯ+nN���L +�z9I)t#�K/H�zsFimRta~{S�dO (��
@Ka1c�~Po֔J$2
>�*%f�ٕa+�VR/+_{��P�w09D�F+YT(�����I+1{GC�4o)^dG��L؍X\�Sݹ�>`Jgrһ"mrrUr]Y�߾¾V-j=;�u�?�.?t/:WAub�c~/百��,Ǜ,#
rr>0;eNq*gM B*rK��xu�,�/=�%�yx.�Ó(?���XVC�ĸ�~4aa�01S>>Z>Z�NAw��_읎/K_-�fy�P�M��/ǽ��o�j4}V0.8���SL~s4 N�ԼU>�v<)�)�)GmvNy�{9@NN��/?��C?|Oiw}y�9CL"��B~Ng(�ծu3?y��<�><@��9�9y�^ ?唟BiN?�9P~S�{3� ?�9s�w3=�/g=?��/�9q /s_�\O��9��97�Y_�c�}Oyߧ�>�>�ʯʁs��:k$CPΑ%nO�p�s+a�TҮ5rB]7'{'sg#�Q8��a芫m5nk
ǤZuv�ņ^_B��BU$X2�M&7>WP�/<(ѻ#c�h��to$.�rd��&}:#WWv+x._[nNJ>xs\ȜHǣ�Wɴ&Vی �3��D��4k�GHO9}\�~F[<�G4q 3�Pޫ�.�s"G~xwY뚮�V��IA6KֈE>ѻ2So�١Oպ`�*��O�;WY�-K�aaP�$���}�U?a�69x�|fOC vH}6l谇|,O�6Uq<�5RYu8��%� {Y&@Y8'(Nh8+jzGrjhN4pݣ97�w&;��P7ma�I�H5ZUj;�����#O1�Q5YUdN.��jUQ)�&�K��<3
� .3M^et fMȡ^3CX)ḃ�̺5�G� P�� �}:._lD*6,5f!3^��6T<��gu~�o'2Pd �S��eb��bZ;ۈLbT|Jx �q
9^vZ]|LAÆ/Z/XbKZ;�cp��\G;�l�=2 gjy(}dy0\9Kh�m&V=�ȁF=8�J)YF�
L�^:�&23�Mŭ{6o�\| "e.sͅqB`
�j?wKsm�c6Om�5Ul%ʮ&g]hS eErby0�6�0wH�P�ZǬ;TDxa����./ ] }�
\�/&s���8+&-c� m,'
�/y$Y]H}!fI!�39L$^!LL
/}�X�|$Qd�/I'�����#qrh`=E(gQ�/�%/m���T��f\�gȌQ)x�ށ�s7AG�}N垓Wg_5 b gy.�3@p6�+|SD-]�szlo()�u+J9*ن��x[.Hq&V��x��/ē_|
Њ3�/bz`#Yұ�ߙQ
TDOY��"nty9=�|I^[Qؗ�G@1aХ_!:F1^d����\*�KxrHI@>��~�EE~!O'
Ͽa�H�O(���&Iw`R��1��|�j;;�1�Te[QYɶ��y
ZS�>Ծ
lQF%��qm�.�;
;C��bz:vSAW �(9|�d@loM9\1�ue|�n|�?���7ك|2h�ć!Xw#Q%`
|[��3̶_d%�\"d¾�3@WD0;"6�����Ys.�KE|��(Xp^'A֮فz!w>G}�b
ȡ( l}�i.�͜GK@gmҕh_ɬnq7�V0] c/1+$~Il=du�-W�ri`xd+ǔxf�:PEX�MfFHק�k,^��zX�ݿd>�n)ZuA#,c
�ԭ<�P8��_CAc.vjm'nFQXƺi#¶u4m�����ѩ�&�o;ީo^;SQa[O_<.�cb�,LڙF�X�<��>�|pW=?=z��l�3ǿi<>YʐLW\ȏ,l�L[Z']D!hXr���E#O
�q~ m�Y�1+ (��N�R�Qf7�`�N*)As�a'�El���[AV7�.]2�8Lg��3E~2hTf�U9um]SνA3F�E�lR$bB}�AH~Ð!�gh�=5nBM]paif�#3�S{�3�;߂ 4ɴ�j�X�:Z#`*f"�e31#7Dn0BrͱH
d[L_مt�vw�%�S^��b�,/�A-xr&r*]x�_D4;Nb��әd�_yfOɅ�c\YGlp��77�Ygb5�`!'t>}!�M*`F�$-_;Q}BeFB4.�$םY*�?#[7nxa�W�RTFYzhI:N��J]���T᷶ r9̳�ś|`bhPSKfJ܄;;6�6BKklt�6�k6�C-[;��/
'��
|
Network Security & Hardware 
