QuickTime Movie Handling Vulnerability Only Affects Windows Users

Severity: Medium

13 August, 2010

Summary:

• These vulnerabilities affect: QuickTime 7.6.6 and earlier for Windows (Mac version is unaffected)
• How an attacker exploits them: By enticing your user into viewing a maliciously crafted movie
• Impact: An attacker could execute code on your user’s computer, potentially gaining control of it
• What to do: Download and install QuickTime 7.6.7 for Windows or let Apple’s Software Update tool do it for you at your earliest convenience

Exposure:

Late Yesterday, Apple released a security update to fix a single vulnerability in the Windows version of QuickTime, their popular media player. According to Apple, the error logging component in QuickTime suffers from a buffer overflow vulnerability. By luring one of your users into viewing a maliciously crafted movie, an attacker can exploit this buffer overflow to execute code on that user’s computer, with that user’s privileges. Since most Windows users have local administrative privileges, attackers could often leverage this flaw to gain complete control of Windows machines.

Though Apple’s QuickTime update only fixes one security flaw, it is a fairly risky one. If you use QuickTime in your network, we recommend you update it at your earliest convenience

Solution Path:

Apple has released QuickTime 7.6.7 to fix this security issue. Windows administrators who allow QuickTime in their network should download, test, and deploy the updated version at your earliest convenience. By default, Apple’s download bundles iTunes with QuickTime, but because iTunes often has security issues of its own, we recommend that you select the option of downloading QuickTime alone.

For WatchGuard Users:

You can mitigate the risk of this flaw by blocking .mov files with your WatchGuard appliance. QuickTime is primarily used to play .mov files, which is likely the type of movie file an attacker would leverage to exploit this flaw. You can use the HTTP, SMTP, and FTP proxy on some WatchGuard appliances to block files by their extension. If you want to block QuickTime movie files, the links below contain video instructions showing how to block them by extension (.mov). Keep in mind, this technique also blocks legitimate movies as well.

• Firebox X Edge running 10.x
  • How do I block files with the FTP proxy?
  • How do I block files with the HTTP proxy?
  • How do I block files with the POP3 proxy?
  • How do I block files with the SMTP proxy
• Firebox X Core and X Peak running Fireware 10.x or Fireware XTM
  • How do I block files with the FTP proxy?
  • How do I block files with the HTTP proxy?
  • How do I block files with the POP3 proxy?
  • How do I block files with the SMTP proxy?

Status:

Apple has released updates to fix these issues.

References:

• Apple’s August QuickTime advisory

This alert was researched and written by Corey Nachreiner, CISSP.