iTune and Quicktime virusFollow

HEAP BUFFER OVERFLOW IN QUICKTIME AND iTUNES
SEVERITY: MEDIUM
3 May, 2004

---------------------------------------------------------------

For an easier-to-read HTML version of this article, go to:

https://www.watchguard.com/archive/showhtml.asp?pack=11049

---------------------------------------------------------------

SUMMARY

In a post to the FullDisclosure security mailing list dated Sunday,
eEye Digital Security released an advisory warning of a critical
buffer overflow vulnerability affecting Quicktime 6.5 and iTunes
4.2.0.72. By enticing one of your users to play a specially
malformed Quicktime movie file, a hacker can exploit this
vulnerability to execute code with full SYSTEM privileges, thereby
gaining control of your user's computer. If you allow (or suspect
that users in your network have installed) Quicktime or iTunes, you
should recommend users either remove the applications or upgrade to
the latest versions.

EXPOSURE:

Apple's QuickTime is a very popular media player most often used for
playing video. For example, if you've ever watched a movie trailer
on a Web site, it probably played using QuickTime. In fact,
WatchGuard's new "Security Challenge" video

http://www.watchguard.com/SecurityChallenge

was released in Quicktime format, so you may have installed it
recently to watch our video.
In a post to the FullDisclosure security mailing-list, eEye Digitial
Security released an advisory detailing a critical heap buffer
overflow

http://www.watchguard.com/glossary/b.asp#buffer_overflow

vulnerability in Quicktime 6.5 and iTunes 4.2.0.72 (and possibly
earlier versions). By enticing one of your users to open a specially
malformed Quicktime movie, a hacker can exploit this buffer overflow
to execute code on that user's computer with SYSTEM privileges (the
highest level account on a Windows PC). In short: if your user
watches the hacker's movie, the hacker gains full control of the
user's PC.

eEye doesn't confirm whether this vulnerability affects Quicktime
and iTunes on a Mac, PC, or both. However, based on their
description of the Windows SYSTEM account, we suspect that this
vulnerability affects Windows only.

SOLUTION PATH:

Apple has released updated versions of Quicktime (6.5.1) and iTunes
(4.5) that correct this vulnerability. If you sanction Quicktime and
iTunes in your network, you should require your users to download
and install the latest versions of these applications. Otherwise,
you should remind your users that they should not have these
applications installed and if they do, they must remove them.

* Quicktime Download
http://www.apple.com/quicktime/download
* iTunes 4.5 Download
http://www.apple.com/itunes/download

-- For WatchGuard Firebox SOHO, II / III / X, and Vclass Users:
Although many of WatchGuard's firewalls can be configured to block
Quicktime movies from being downloaded via HTTP or email, network
administrators who deploy Quicktime probably want to allow Quicktime
media. Therefore the updates above are your primary recourse.
STATUS:
Upgrades that fix the issue are available.

REFERENCES:

eEye Digital Security Advisory

http://www.eeye.com/html/Research/Advisories/AD20040502.html

This alert was researched and written by Corey Nachreiner.

Edited, Mon May 3 15:47:55 2004 by Singdall