|
|
|
Apple Vulnerability Project Launches with QuickTime Exploit
By: Ryan Naraine
2007-01-01
Article Rating: / 0
There are 0 user comments on this Network Security & Hardware story.
The first flaw in the Apple bug-a-day project is an easy-to-exploit QuickTime issue that puts millions of Mac and Windows users at risk of code execution attacks.An easy-to-exploit security vulnerability in Apple Computers QuickTime media player could put millions of Macintosh and Windows users at risk of code execution attacks.
The QuickTime flaw kicked off the Month of Apple Bugs project, which promises to expose unpatched Mac OS X and Apple application vulnerabilities on a daily basis throughout the month of January.
According to an advisory released Jan. 1, the flaw exists in the way QuickTime handles a specially rigged "rtsp://" URL.
"By supplying a specially crafted string, [an] attacker could overflow a stack-based buffer, using either HTML, Javascript or a QTL file as attack vector, leading to an exploitable remote arbitrary code execution condition," said LMH, one of the mysterious hackers behind the controversial project.
He described exploitation of the issue as "trivial" and warned that stack NX can also be rendered useless.
LMH said the issue was successfully exploited in QuickTime Player Version 7.1.3. Previous versions are likely vulnerable as well. Both Microsoft Windows and Mac OS X versions are affected.
The Cupertino, Calif.-based Apple markets QuickTime as a platform for the handling of video, sound, animation, graphics, text and music. The technology—and media player—is available for Windows and Mac users, making it a lucrative target for malware writers.
"The only potential workaround would be to disable the "rtsp://" URL handler, uninstalling QuickTime or simply live with the feeling of being a potential target," according to the advisory.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraines eWEEK Security Watch blog.
|
|
�������x}kw6�Dى皢HȖĶ<=Z$�!)��
�_zВ��Ͻ݉m��BUP(�#oo�D�0 pE1>=zg{HRso��M#6rJ��9AF#:,t�}w5�k9�9�rM���z=�>�;|�9|@D��%SjNACm3g�{zc_6gڄ2z9o2�f��E63&��6I���E�9�J�~9�K����Q/w,8"a}c�$a��L�BaUw0vK]K[�@SѠ*v�25vn��/�@^���c\ȁBni�=7d9�';���{$�-�,w2M*5f{ȱ�:�9�z�uur<�JDJ�53f�gg�:�Q��ڟm3Hk�կf�O{:$Yz>54�0���V+%%�vdC�u{Br,�Od=h_���پBds#�7���$�cM�|�Ah�2T��c��]v�joX ^YKS�70���3�h�_?]#w���a4F�@L5�&�h�)5?�&F`Ma�b&DJH7�Q��6)`I˪�
TY��&嗋�mQa>�].���Q#w�=^f/\��RD��3�Al8{ØWҽT6wsY�[�|28�?]7Du.*s5-wfxˢ�aZ*;�{<��;mҿ]{>t`Ub}Phv�ZM]�qsuTStTzl:��|�5K�X+WL �F�̶-a[e)u�5~�̆>��:mNQ'm��51l;4�}t>�$>hhƋMriOM�r�Ӈt��u@�.~�{ͣn]?&tno7,AbG��a`Ψ6rj�LP#iAтMx>t�T؎�]6}l2��w�9;-L&w&�zrt�c`���V���PCh�9N@tmS(�r`39;ʹiǀxԘ/.�%w2Z}c%n.G))�$C[�]HPw9�J�
B�!\��0H��V0(VFzzGBJe6Os@PGҹ3qJ\B;7 ˥=*%�nqR%a 934YIjL=?꺾n1!��G�,D`v9J,L��.�Y
O��6jԭe�RpJ
>�Ѥ73� K�b�i]ye�,`b� H[��%\Ew,t�3�Asq=7�c@C�yw;J�`p=Ͱ"̴b֜�u4���dMfB7g
�ƩOI|��B3<
I8M{lz:eR#O>h0k�8-ucy�s347Nm~|��FpIN3_iy:grGֶL/j�@~)&](LuΩ�J�J&��k:HX3�j-y�r�pm
O\XbʁZO%�X�ScX`D~�w�Lzb8uf�m/n$)`�V|�\u��Lg˦zkfTؽ/ 7�r@]�֥�P�
M��2L����Z1��D�4$B]�`}.�e�G�QH�īl�-
I�n�Qy���{8dO1>7l`(`TTȅ))Ka�ՂZ^Ϛe+ �L��
�4��
�TlVCax5�Zz'�As,]O�T�\v�6�*'�l|0ː
;u�m
CM5,��v&Ԕ�fj:Y[���^�|��'��+�ȁUrqXkjpp0vVׅ=%
Υ_8̧ם��i+��@o���LsC�m0�Ǧ�"|Zl"�Os=�)W}B~,+BQQb/`k@Lf��2,rƎe9لA�ٌ��\�}ZJ\<��8�9�7��Qo�>�U�<� ıLb0qqغeoX~?5��Xe�;;pM;~
�6AS-cfD�L�3$!OԞ'JB�Oքk&.}yT���c
D��A#E�.��@��Џ�B(r�DU�X��±U�cKQ0SKm{hA�x-X\>L*�~?DFS}O=ܴ>?CU^of���-"jXUcjx�SC(JzTR*oV
Ls1)' Sf|�)Nb_ޝo�>4F�xP��Jo/!m��^:J[09X>�:�
;21�2&�z@jAbv�6<~0�r��y-0f�E�R�m`n0LѽWK.(6{ �v����j
8��a�w�T�)�ӱ%Jt$�ֹ�B\+bԻ5u���b��H��#�C`J��EW�Fl'8�M�G9�Fi$�]�|;P rfVɍtNd_��&>ϣ��ј+ZN`�f0�38ʃz28c�=
[��|{*z������#U�IV:ƝcMr�� wm~kPow��(*
�Kq3`93"豥mBx�`�AAzE�k-g}X#2␜��OR4SO8�n�6=�BR�ӳ�$R+@�ekrฦm�N7�E)�Zx�hR̚,���ZB�W}X`"-ݸ1u)&!j�خOl�$o�y݊5�g@Zf2U-U�"m-ϼ�\X���5r��&R
j>"Gwi�ŏ�[o(5rnN3G~�T>V�KK�}b*ŪR.$�y�U��rk�Ur�O�,���ش�/6"h ޜ-�c�z�[
e|R/̖�K%�4e3/쌸-9DXP�9��ɷw�f/lCXx|{
`?K�{e, ,"z��дr3.=2��fV,VXō?hhqL��_\}?؇^QkG�P�@�/I6�S.:;Ղ_tMb3axք�-䤔Qԕº}wm��IQeاˁtں>#@�̫�H~x�C:LGp6��ﵲe+Kx�fqïR吔�,j~pxٖ���~t1�}�}LAIP
��4 7="i�k#Oճ�nw/?H�ms:��<�-o�d�D4|7�.�IwO�eGJ:7]w��9"Q!λ�.�Y��F�}99ﴮ��M1��0vhRdA �fJ}X#�s#&�DH݀�()�us͙�㪗B9�I.Dz=d_U�g0YTth#�)coc(
�Bf/�3�b!|FgG<�A(����5 �kNGvZgp=�"�
Bt�X�1tJ10_RJ�MQ6�=#�ijvwLGė"(��_(0�[JӷoHWY�D{_q+
s��z4~&\3Z9n~"�B2�^'68�ϻ}hp)9�H�B�a�]Z�ins
zsHaP;DZ3pu*lhw�%;yRb}�b%&h8W߅M^�<�~xZr�)t'x�k��iW�Y^K=�J^vofܣ�ky~`ѴNx�Ć#^@)s^XL2k#7x/[gY.t0wo�C�d#ޣd=fcL[ ;S.`�Y��=w6����OHE�{��lh�G(V#w-hh*1f�x[4�
2�UCnK�&1qE0pHVa�~��o�[1�(g�|o(o'xj�RS*/9ۯLm�ZS|
� \(\=3q� x�{7d\ڊ�}�fK~~�v/kh4_�q27
~+lF�Y":h(ŒRɇ�&L���+�dXZ84�Mg��~]É3s=|��R]RX=AK<��8L�F�>zԧ3ӆ5eq&�ǣ��u9E˲5F>s�حkgFaI*�#v�94`/x͉ k|ҚQԵ3�{�Uj4j+� �5ğefcJ�)pMXbPN}�76Jj4B,�fX?|���|쁬�{T
,YF��'B@T_)obKL�ب�Aa?KQX41�ᓛD^GNK|2>zs:d(�,R��SH�a'�0Eu҃S8`0n?1cZXN+q�)xLǗ�S-NeH�-IsX�,ʿ�yAԳY-�J�(a@ �e)���V@_^���<3Mx�Xٖ�Ϯ.h�K)\i`.قG�;
&C,xt�͈SXP<�d*J�/-�� [ �lg���+$Փ|*G0lm[-=aEic ��2E܂ue$�smnS��L!�s�0�p,q�hf�rNh�;"h3
^a_^!B�^މ?RAs)t%���}7"�q2� .P&z.>sH*&NУ�DC)��!��Ug#GHon[sw�es�K&q=^1 �%0>aK{m�33v4P\V�,!`��K={(�NBூ^VK(4#xtkW}v[v�T:/a�d�0�51@�LF9����@�a3��)Ax]�XG�odsˊ;HE*�7�K�X)1��+�q7�7�7�7�˺+{.X7='S�K'1LT�=c�m��݁tx!E.X)pHQ^�PY�*nF07Ϣ��~y�ti>-�}-?5�
(%
Z!�KsvO-[u��`h"��c�hYl`�aq �BCUrw�l}/�J�雷�MLAlɘ^�
J7@5&U`~S61W�&�wAע*:)�[O�f�{�&�ܦxu;�q�ģ0J2�JFi{B6\|˱zq" j1�~�_5��6��V�hh6�1XHL`��pXD"!,"`m�[۹1m|$�y�UzmK<'WQ/�}80s>nf@%ϕT=w6�̣/%JQ {JD-pzc��r9�𮋧c�z¢G}ay8G_ɠ]:k�nr}o�o�o�o� kvE{(e��Q�eq�͵ o��ه�!�@B�q��yC`_yh{#ŵmͯ�L��rXYsL>Y�uP�
�R9��$& �� #�ci�agܛ�H>fNU
ROSq�+>�5P�B�J2S@ Uᐧ�#.7wWYv�/Cw�R]R
K� 5>zJy}Rf=ZĚ˾c+xXwɳm �˒#�)�
|<_I�rd7K3���7H3&#v$Es��+rO�'�4v�w�ɴ'�^xH�$|�E{�0in*'�V|� q`i�iH�hiu�38:Mμ4��a|FUL#f�Sj�Νc�o
Palꧯ4^,R��,6k�g�#ȗy�0�Rw2О$AM#}L[\bVd=�-Tw߁^<=G�f!��W@
aWgG8�_"Gxc~{QYǼ0cT<�d���0Y.6ji'�1 m��|3@��|}P�.[��zpҸ Ǿ3��F:`J��4X> *R�/0K{YV^@96Y>lnG$IΜ��D
B
r
9�SRmF��96z_`�yZ^Oa.=_XYrVfݖh�ͬ-+J5!V\Hc4K":;M��f� g٦v� l�A[�4t KuSi�~RBJMT�`W"Y�c6يj
�v
#ZIHx�
J7��KOcSPt`j @>��p#�S CR�,6$Ae�ȃ5T?�0мG
)VۣV7>@2OcD��˦+Djcq2y,tQ:.�(�� o�I�YP�XP؟���@(�~bJ ͍$�u�~;V�K�
�X`�k,2E<�Cez?,�GGA~2?
:�Q����+%~�6t0Q-��pV#ߛ�i�Sg0Y�//غ9�P?@Vʼnt,5]r��ZO- Ӧ?h
J�c~i䪜4}V0��P��";睓�]vrФo%�u[�?C�B�P~�(Ay/�9}
4hw2Ods)4>��2#\~5Ϻ˻\(u3eF9Pys9?π�]"c|.��/�E�|E�}/>���/2��ϋ�D��(?A2/"�2c|/A~.3�2cz^F{z��_?2
x�:?�>�7/P_�3�*�>e )~7P~U�{7MF77�$)c�Vpv%sQ^53\�}~�)�P�u(g�g��~2*Εb�+@~W~ kN+ťW�
7YKxUy%kgF1nv�d}WG{1:�,y&s����^>&c����˼XH{R}tE��I>t�+iDLw<-cENZ).~QJxdR$d�3,F�D�ϼ5�D��4��{HO8ѭ=R\�z[�G4YQ�=�P.�v�:)n7wpK|�*SG0��Î{Z�\ڎvڝGfmzumeDf;�w�oCdx$�ٟC��=G}�xZLԸҨGpoQV"
#�<5 b�
�Vj?f�49x�|fO��vHu>j}谇|(O��
8�
ߜ:S���w�߽,R+|c ,~q)�hعkj�ZrjhN4p�sn �MXȡf�uDAr|$UJZR[TJ=��æ��DD��ݣ(�BUN�-U+zT��,.g
�/(�@#غM{%}C3<8fȳRLq�
u+k�%���@O'ÙZ#g�H�Y&38W
!Z�7c�U�ݡQ�'M <:,`�̀4WЫ\h lJ//ӡx�CK�Q,V��)}0@<�E!�f˝u�'�"FeAWrj�ɱw|!�@0BkNY�M�^��F�`˫yCO^xI{ǻŻsD`a\m�8ʫI�(�q�0AS�փM�Ί+Zq]pz98𰙄i/�[L�i�j�'G[[ZO�,gl`Erl9��Gu�ZCQ�8݈q�d@(we6Lm (~%.,wb9s=s���1nͅ-�~�뚅ӳ֎m(b-]u]ݍ;S7'Հ�&�/�^Jh:X3!?cI�TÓx���`⟐�N"M�aџ"xZf�@\w�u60aN~^��y�
-��fS(p$KGJ��Ǝ�$z�
)sb�{Pd��>x*8�"�2kH�2s�{D�|%Є'.MX�{J�fBM�'K�Y/�Ǧ e4p_ r:'쭰F����|m)b,3�u�'{E5�>~Pq#7��6LD6fܷ��B=XO�t$.�W�~xzA߭Ud#ə
B|��,+-Ŋ]�I\�aTs]q74OJ�{X�|@ăx!$k�/<�>,D*�9"[�o
%�P�@EikI/?H3軉Wd&%�}YQ ��v.ykhFʪv\N^��T~7(H@%Gb9G8]!
MAE�`A�]|e�D$u�Ч�
�;EϨf�S�C��>X�읚f�c.Lc(ŬBCd��=�)O?G[nE�\��<>a�i�)�yc<�9z��nG}��mޢƄJu!A]�=_�v{[=/'R`�Ba2\�X�G�x
ky�f�ŧ3W<2ZP/jdVw@8̝,ӟ�~H϶I�5�"`�:�Vڕ+zYL1e~}=3�ӲG(q2,@P��5`y�+@4�W�
�pSGg�p#��15��B\
(c��to Q!?c=Vqٮ�7GL}Ӱ�QaW���7�n
M�ywT�\7o'nQa=v����s�bCΜ�7 *˗a1 g�{y�{~k�C'>
kwx>YʐL\�,,�L[녗Z']Y!hXj�=�E"ҁ
)Q~9'��f�K#f�E [�Rj`�n�~3�f<�4W�6QĶq��y4}qX0#Er�g#^eu%ӫrX�otl�#�"|f`*�H�]x�
O�0gW�PэX�-f�1%Dv88)ҡCCĚBʄ>eS1#'@n0\|EH
d9[H^م5�3�\j��/�YH~>����\9�9�.@OI"cXM1}aE�|@'W�.r��W���|�N�|]r1^���@:m]t?�Jzfk�`�gg~NX�vQ��JetgLp�-�ͱeRZ`l/Z6?/M)��
|
Network Security & Hardware 
