CERT-In Advisory CIAD-2007-30
Multiple vulnerabilities in Apple QuickTime Java Extension
Original issue date: May 31, 2007
Severity Rating: High
Systems Affected
Overview
Multiple vulnerabilities have been reported in the Apple QuickTime Java Extension (QuickTime for Java). By enticing a user to visit a web page containing a maliciously crafted Java applet, a remote attacker could exploit them to read the browser's memory or to execute arbitrary code with the privileges of the user running the browser, and so compromise the affected system.
Description
1. Apple QuickTime for Java security bypass vulnerability ( CVE-2007-2388 )
A vulnerability has been reported in Apple QuickTime for Java that may allow a Java applet to instantiate or manipulate QTObjects outside the bounds of the allocated heap. By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker can trigger this heap memory corruption, which may lead to arbitrary code execution with the privileges of the user running the browser. The update addresses the issue by performing additional validation of Java applets.
2. Apple QuickTime for Java information disclosure vulnerability ( CVE-2007-2389 )
A vulnerability has been reported in Apple QuickTime for Java, which may allow a web browser's memory to be read by a Java applet. By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker can trigger the issue which may lead to the disclosure of sensitive information. This update addresses the issue by clearing memory before allowing it to be used by untrusted Java applets.
Solution
Upgrade to the latest Apple QuickTime (QuickTime 7.1.6 or later, which contains the fixes referenced in Apple article 305531):
http://www.apple.com/support/downloads/
Both issues are reachable only through a Java applet, so disabling Java in the web browser is an effective workaround until the update has been applied.
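A small inventory check, added here as an example and not part of the CERT-In advisory or of Apple's update: it compares an installed QuickTime version against the fixed release and reports whether the QuickTime for Java extension is installed at all. The fixed version 7.1.6, the Info.plist path, the use of the Mac OS X `defaults` command and the QTJava.zip locations are all assumptions for a Mac OS X host; a Windows host would need the equivalent registry and QTJava.zip checks instead. The version comparison is done component by component rather than as a string compare, so that a later build such as 7.1.10 is not ranked below 7.1.6.

```shell
#!/bin/sh
# Added example, not part of the CERT-In advisory or of Apple's update.
# Reports whether an installed QuickTime is older than the fixed release
# (assumed here to be 7.1.6, per Apple article 305531) and whether the
# QuickTime for Java extension (QTJava.zip) is present at all.
# The file paths and the use of `defaults` are Mac OS X assumptions.

FIXED_VERSION="7.1.6"

# Keep only the digits of one version component, so "6b" compares as 6
# and a missing component compares as 0.
component_num() {
    n=$(printf '%s' "$1" | tr -cd '0-9')
    printf '%s' "${n:-0}"
}

# Compare two dotted version strings component by component and print
# lt, eq or gt.  A missing trailing component counts as 0, so 7.1 equals
# 7.1.0, and 7.1.10 correctly ranks above 7.1.6.
version_cmp() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        case $a in
            *.*) ah=${a%%.*}; a=${a#*.} ;;
            *)   ah=$a;       a= ;;
        esac
        case $b in
            *.*) bh=${b%%.*}; b=${b#*.} ;;
            *)   bh=$b;       b= ;;
        esac
        ah=$(component_num "$ah")
        bh=$(component_num "$bh")
        if [ "$ah" -gt "$bh" ]; then echo gt; return 0; fi
        if [ "$ah" -lt "$bh" ]; then echo lt; return 0; fi
    done
    echo eq
}

# Print "vulnerable" for builds before the fixed release, "patched" otherwise.
quicktime_status() {
    case $(version_cmp "$1" "$FIXED_VERSION") in
        lt) echo vulnerable ;;
        *)  echo patched ;;
    esac
}

# Print "yes" if QTJava.zip is installed in one of the assumed Java
# extension directories, "no" otherwise.  Without it, the applet-reachable
# code described in the advisory is not present on the host.
qtjava_present() {
    for p in /System/Library/Java/Extensions/QTJava.zip \
             /Library/Java/Extensions/QTJava.zip \
             "$HOME/Library/Java/Extensions/QTJava.zip"; do
        if [ -f "$p" ]; then echo yes; return 0; fi
    done
    echo no
}

# Live check of the local machine; skipped where `defaults` (the Mac OS X
# plist reader) or the assumed QuickTime Player bundle is not available.
main() {
    plist="/Applications/QuickTime Player.app/Contents/Info.plist"
    if ! command -v defaults >/dev/null 2>&1 || [ ! -f "$plist" ]; then
        echo "QuickTime Player not found; nothing to check"
        return 0
    fi
    ver=$(defaults read "$plist" CFBundleShortVersionString 2>/dev/null) || ver=""
    if [ -z "$ver" ]; then
        echo "could not read QuickTime version from $plist"
        return 0
    fi
    echo "QuickTime $ver: $(quicktime_status "$ver")"
    echo "QuickTime for Java installed: $(qtjava_present)"
}

main
```

Run it as an ordinary user on each host; "vulnerable" plus "yes" for QTJava.zip identifies the machines that need the update (or Java disabled in the browser) first, while a host without QTJava.zip is not exposed to these two issues regardless of its QuickTime version.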
Vendor Information
Apple
http://docs.info.apple.com/article.html?artnum=305531
References
FrSIRT
http://www.frsirt.com/bulletins/10537
Secunia
http://secunia.com/advisories/25130/
Security Tracker
http://securitytracker.com/alerts/2007/May/1018136.html
US-CERT
http://www.kb.cert.org/vuls/id/995836
http://www.kb.cert.org/vuls/id/434748
CVE Name
CVE-2007-2388
CVE-2007-2389
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003