Malicious Media Files Usurp QuickTime and iTunes

Summary:

• These vulnerabilities affect: QuickTime 7.6.x and iTunes 9.x running on any platform
• How an attacker exploits them: Multiple vectors of attack, including enticing your user to view maliciously crafted images or videos, or to visit a malicious website
• Impact: In the worst case, an attacker could execute code on your user’s computer, potentially gaining complete control of it
• What to do: Install QuickTime 7.6.6 and iTunes 9.1 for Windows or OS X

Exposure:

Today, Apple released two security updates [ QuickTime / iTunes ] to fix several vulnerabilities in QuickTime 7.6.x and iTunes 9.x running on Windows or OS X computers.

The QuickTime update fixes sixteen security issues (number based on CVE-IDs) involving how QuickTime handles certain image and video files. While the vulnerabilities differ technically, they share the same basic scope and impact. If an attacker can trick one of your users into viewing a maliciously crafted image or video in QuickTime, he could exploit any of these flaws to execute code on that user’s computer, with that user’s privileges. In Windows environments, users typically have local administrator access on their computers, meaning the attacker could leverage these vulnerabilities to gain complete control of their machines. However, OS X separates user accounts from the root account. So attackers can only exploit these flaws to gain user-level privileges on OS X machines.

Apple’s iTunes update corrects seven security issues (number based on CVE-IDs), the worst of which have to do with how iTunes handles certain image and media files. Like the QuickTime flaws above, if an attacker can trick one of your users into viewing a maliciously crafted image or media file in iTunes, the worst of these flaws could be exploited to execute code on that user’s computer, with that user’s privileges. In Windows, this often means the attacker gains control of your user’s computer. On a Mac, the attacker only gains user-level privileges. However, another of the iTunes vulnerabilities can allow local users to gain system privileges, so an attacker could leverage a combination of these vulnerabilities to gain complete control of a Mac as well.

If you allow the use of QuickTime or iTunes in your network, we recommend you download and install the latest versions as soon as possible. Keep in mind, iTunes now ships with QuickTime. If you have iTunes, you’ll likely need both updates.

Solution Path:

Apple has released QuickTime 7.6.6 and iTunes 9.1 to fix these security issues. Windows and OS X administrators should download, test, and deploy the appropriate updates as soon as possible.

• QuickTime 7.6.6 for Windows
• QuickTime 7.6.6 for OS X Leopard
• iTunes 9.1 for Windows or Mac

For All Users:

Because these QuickTime flaws involve so many different media types (many of which are essential for doing business), trying to block exploitable file types using your firewall may not be the best way to support your organization’s mission. Instead, your best solution is to download and install Apple’s fixes.

Status:

Apple has released updates to fix these issues.

References:

• Apple’s March 2010 QuickTime advisory
• Apple’s March 2010 iTunes advisory

This alert was researched and written by Corey Nachreiner, CISSP.