Archive for Flaws

APPLE-SA-2007-07-11 QuickTime 7.2 Update

Apple has released security update 2007-07-11 for QuickTime 7.2 which patches a couple of flaws I had found about a year ago.

QuickTime
CVE-ID: CVE-2007-2295
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later,
Windows Vista, XP SP2
Impact: Viewing a maliciously crafted H.264 movie may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in QuickTime’s
handling of H.264 movies. By enticing a user to access a maliciously
crafted H.264 movie, an attacker can trigger the issue which may lead
to an unexpected application termination or arbitrary code execution.
This update addresses the issue by performing additional validation
of QuickTime H.264 movies. Credit to Tom Ferris of
Security-Protocols.com, and Matt Slot of Ambrosia Software, Inc. for
reporting this issue.

Security-Protocols Advisory SP-X35
http://security-protocols.com/sp-x45-advisory.php

QuickTime
CVE-ID: CVE-2007-2296
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later,
Windows Vista, XP SP2
Impact: Viewing a maliciously crafted .m4v file may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow vulnerability exists in QuickTime’s
handling of .m4v files. By enticing a user to access a maliciously
crafted .m4v file, an attacker can trigger the issue which may lead
to an unexpected application termination or arbitrary code execution.
This update addresses the issue by performing additional validation
of .m4v files. Credit to Tom Ferris of Security-Protocols.com for
reporting this issue.

Security-Protocols Advisory SP-X46
http://security-protocols.com/sp-x46-advisory.php

Below is a link to the Apple security updates page:

APPLE-SA-2007-07-11 QuickTime 7.2

That's really all for now. I am cooking up some Safari 3 advisories which I will be posting within a few weeks.

Comments (2)

Safari 3 Beta Released on Windows

So as everyone knows Apple has released Safari 3 beta for OS X and Windows, and security researchers are already dropping flaws on it. I believe Apple has just caused the price of Safari 0day to increase about 1000% by releasing it on Windows.

So I had fuzzed Safari 3 beta last night, and within the first five minutes I had found ten flaws, most of which were within the SVG parsing engine. I was going to release them last night, but I figured it is still in beta and I would rather save them for when Leopard is released. I figure why keep giving Apple all the free security QA in the first place. Either way, Apple should not be shipping an extremely vulnerable beta out to the public.

It will be interesting to see if Apple responds to all of the security bug reports.

If you want to see Safari 3 beta crash see the old advisory link below:

Apple OS X WebKit WebCore::ArrayImpl “ROWSPAN” DoS

Comments (10)

Apple QuickTime - Buffer overrun detected!

Was doing some more research on the RectRgn () QuickTime heap overflow vuln on Vista. Below is a screenshot of the crash triggered on Vista. I love the error message:

Buffer overrun detected!
A buffer overrun has been detected which has corrupted the program’s internal state. The program cannot safely continue execution and must now be terminated.

QuickTime - Buffer overrun detected!

Comments (41)

Some Apple QuickTime Flaws

I was going through some very old OS X 0day tonight, and found two which I had reported to Apple ages ago. Please see the links below for the advisories:

Apple QuickTime .mov “JVTCompEncodeFrame ()” Heap Overflow
Reported on 3/28/2006

Apple QuickTime .mp4 “FlipFileTypeAtom_BtoN” Integer Overflow
Reported on 11/17/2006

Maybe all of the developers are working on the iPhone?
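As an added illustration of the "additional validation" of .m4v/.mp4 atoms that the CVE-2007-2296 and FlipFileTypeAtom_BtoN advisories above call for (this is not Apple's code and does not reproduce the patched routine): a checked parser for the big-endian atom header that QuickTime and MP4 files share, which rejects size fields that wrap, undershoot their own header, or overrun the buffer. The sample atoms are constructed for the test, not taken from a real file.

```c
#include <stdint.h>
#include <string.h>

/* Parsed header of one ISO base-media / QuickTime atom ("box"). */
typedef struct {
    uint64_t size;     /* total atom size in bytes, header included */
    uint64_t hdr_len;  /* 8 for a 32-bit size field, 16 for a 64-bit one */
    char type[5];      /* four-character code, NUL-terminated */
} atom_hdr;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static uint64_t be64(const uint8_t *p) {
    return ((uint64_t)be32(p) << 32) | be32(p + 4);
}
/* Parse the atom header at buf[off]. Returns 0 on success, -1 when the
 * header is truncated or the declared size cannot fit in the buffer.
 * All arithmetic is done in 64-bit and checked, so a hostile size field
 * cannot wrap into a small allocation or a long copy. */
int parse_atom(const uint8_t *buf, size_t buflen, size_t off, atom_hdr *out) {
    if (off > buflen || buflen - off < 8) return -1;  /* no room for size+type */
    uint64_t avail = buflen - off;
    uint64_t size = be32(buf + off);
    uint64_t hdr = 8;
    memcpy(out->type, buf + off + 4, 4);
    out->type[4] = '\0';
    if (size == 1) {             /* 1 = a 64-bit "largesize" follows the type */
        if (avail < 16) return -1;
        size = be64(buf + off + 8);
        hdr = 16;
    } else if (size == 0) {      /* 0 = atom extends to end of file */
        size = avail;
    }
    /* The validation step: an atom must at least contain its own header and
     * must not claim more bytes than the file actually has. */
    if (size < hdr || size > avail) return -1;
    out->size = size;
    out->hdr_len = hdr;
    return 0;
}
/* Constructed sample atoms (not from any real file). */
const uint8_t ATOM_OK[]    = {0,0,0,0x10,'f','t','y','p','m','p','4','2',0,0,0,0};
const uint8_t ATOM_HUGE[]  = {0xFF,0xFF,0xFF,0xFF,'f','t','y','p'};   /* size wraps */
const uint8_t ATOM_TINY[]  = {0,0,0,4,'f','t','y','p'};               /* size < header */
const uint8_t ATOM_LARGE[] = {0,0,0,1,'m','d','a','t',0,0,0,0,0,0,0,0x14,1,2,3,4};
```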

Comments

Windows XP/Vista (.ANI) Remote Exploit

A security researcher by the name of “jamikazu” has released a PoC exploit for the .ANI cursor flaw. This exploit works on a fully patched Windows Vista machine, and also bypasses eEye’s .ANI patch. I think it's kind of funny to see Vista get ruined by this cursor flaw which Microsoft has known about for over 5 months. Below is an excerpt from the site:

“Now there are many third-party patches available for Animated Cursor Handling, and with ani checker you can check your system for these patches. This program checks your system against the (.ANI) vulnerability. It does not do anything harmful to your computer and does not alter any files on it.”

Source: jamikazu.110mb.com

Comments (1)