SecurityTracker.com Archives - Apple QuickTime Unspecified Heap Overflow May Let Remote Users Execute Arbitrary Code

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

SecurityTracker
Archives

Sign Up

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Affiliates

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Partners

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (Multimedia) > QuickTime

Vendors: Apple Computer

Apple QuickTime Unspecified Heap Overflow May Let Remote Users Execute Arbitrary Code

SecurityTracker Alert ID: 1015356

SecurityTracker URL: http://securitytracker.com/id?1015356

CVE Reference: GENERIC-MAP-NOMATCH (Links to External Site)

Date: Dec 14 2005

Impact: Execution of arbitrary code via network, User access via network

Version(s): 7.0.3

Description: A vulnerability was reported in Apple QuickTime. A remote user may be able to execute arbitrary code on the target system.

A user can trigger a heap overflow in the player and potentially execute arbitrary code on the target system. No details were provided pending vendor resolution.

iTunes 6.0.1 is also affected.

The vendor has been notified.

badpack3t of Security-Protocols.com reported this vulnerability.

The original advisory is available at:

http://www.security-protocols.com/modules.php?name=News&file=article&sid=3109

Impact: A remote user may be able to cause arbitrary code to be executed on the target user's system.

Solution: No solution was available at the time of this entry.

Vendor URL: www.apple.com/ (Links to External Site)

Cause: Boundary error

Underlying OS: UNIX (OS X), Windows (Any)

Reported By: Juha-Matti Laurio <juha-matti.laurio@netti.fi>

Message History: None.

Source Message Contents

Date: Wed, 14 Dec 2005 09:30:55 +0200 (EET)
From: Juha-Matti Laurio <juha-matti.laurio@netti.fi>
Subject: Apple QuickTime/iTunes Heap Overflow Vulnerability

 
Description:
>From the "Upcoming Release: Apple Quicktime/iTunes Heap Overflow" report:
"A heap overflow vulnerability exists within Apple Quicktime 7.0.3 and 
iTunes 6.0.1 on OS X and Win32. The vulnerability allows an attacker to 
reliably overwrite heap memory with arbitrary data in order to execute 
arbitrary code on a targeted host. This has been tested on OS X and 
Win32. I have reported this issue to Apple. I will publish more details 
once Apple has released a patch for this issue. Just a side note, this 
was published from my local Apple store. ;-) Here is a screenshot if you 
are interested."
 
Source:
http://www.security-protocols.com/modules.php?name=News&file=article&sid=3109
 
Detailed description:
QuickTime error report in Windows XP from Security-protocols.com:
http://security-protocols.com/upcoming/qt-overflow.png
Reportedly problem in QuickTime is in quicktimeplayer.exe executable.
 
Affected versions:
The vulnerability has been reported in Apple Quicktime 7.0.3 and iTunes 
6.0.1 on OS X and Microsoft Windows.
 
OS:
Microsoft Windows
Apple Mac OS X
 
Vendor:
Apple Computer, Inc.
http://www.apple.com/
 
Product Home Pages:
http://www.apple.com/quicktime/
http://www.apple.com/itunes/
 
Solution status:
Reportedly no updated versions available from the vendor.
 
Reportedly vendor was contacted on December 2nd, 2005 or earlier.
 
References:
http://www.security-protocols.com/modules.php?name=News&file=article&sid=3109
 
CVE information: N/A
 
Credit information:
This vulnerability is researched by Tom Ferris (aka badpack3t).
 
I have no any connections to Security-Protocols.com or Mr. Ferris.
 
 
Best regards,
Juha-Matti Laurio, Networksecurity.fi
Security researcher
Finland
http://www.networksecurity.fi/

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us | Help
Copyright 2005, SecurityGlobal.net LLC