|
|
| |
Credit:
The information has been provided by iDefense Labs Security Advisories.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=744
|
| |
Vulnerable Systems:
* Apple Inc.'s QuickTime version 7.4.5
* Apple Inc.'s QuickTime version 7.4
Immune Systems:
* Apple Inc.'s QuickTime version 7.5.5
QuickTime is vulnerable to an integer overflow vulnerability when handling malformed PICT files. This issue results in heap corruption which can lead to arbitrary code execution.
Analysis:
Exploitation of this issue results in arbitrary code execution in the security context of the current user. An attacker would need to host a web page containing a malformed PICT file. Upon visiting the malicious web page exploitation would occur. Alternatively a malicious PICT file could be attached to an e-mail.
Workaround:
iDefense recommends disabling the QuickTime Plug-in and altering the .pic and .pict file type associations within the registry. Disabling the plug-in will prevent web browsers from utilizing QuickTime Player to view associated media files. Removing the file type associations within the registry will prevent QuickTime Player and Picture Viewer from opening .pic and .pict files.
Vendor response:
Apple has released QuickTime 7.5.5 which resolves this issue. More information is available via Apple's QuickTime Security Update page at the URL shown below: http://support.apple.com/kb/HT3027
CVE Information:
CVE-2008-3614
Disclosure timeline:
05/13/2008 - Initial vendor notification
05/22/2008 - Initial vendor response
09/09/2008 - Coordinated public disclosure
|
|
|
