
CERT-In Vulnerability Note CIVN-2007-125
Apple QuickTime Remote Code Execution Vulnerability

Original Issue Date: September 22, 2007

Severity Rating: High


Systems Affected

  • Apple QuickTime versions 7.x
  • Mozilla Firefox prior to 2.0.0.7

Overview

A vulnerability has been reported in Apple QuickTime which could be exploited by a remote attacker to execute arbitrary code on the affected system.

Description

Apple QuickTime is a media player that is available for Microsoft Windows and Apple OS X. Apple QuickTime includes browser plugins for Internet Explorer, Safari, and Netscape-compatible browsers.

A vulnerability has been reported in Apple QuickTime due to a design error in processing the "qtnext" parameter in an "embed" tag of a QuickTime Media Link file (.qtl). QuickTime Media Link files contain a qtnext attribute that could be used on Windows systems to launch the default browser with arbitrary command-line options.

When a specially crafted file is opened with QuickTime or the QuickTime Plug-In, a remote attacker can pass arbitrary parameters to the default browser. This allows, for example, execution of arbitrary code on a user's system with full privilege.

Note: Proof-of-Concept code is available targeting systems where Mozilla Firefox is the default handler for .HTM files. This is because Firefox inappropriately allows execution of arbitrary script code in Chrome context via the "-chrome" parameter. Other applications may be affected by this vulnerability.


Workaround

• Proxy servers or intrusion prevention systems may be used to filter QuickTime files for partial mitigation of this vulnerability.
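
As an added illustration of the file filtering mentioned above (not part of the original CERT-In note and not vendor code), the following Python example inspects the bytes of a .qtl file and blocks it when a qtnext attribute of an embed tag is anything other than a bare http(s) URL. The allow-only-web-URLs policy, the matching of any attribute name beginning with "qtnext", the function names and the sample files are assumptions constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class EmbedScanner(HTMLParser):
    """Collects qtnext* attribute values from <embed> tags (tolerant of bad markup)."""
    def __init__(self):
        super().__init__()
        self.qtnext_values = []

    def handle_starttag(self, tag, attrs):  # also invoked for self-closing <embed ... />
        if tag == "embed":
            # HTMLParser lowercases names and decodes character references in values.
            self.qtnext_values += [v or "" for k, v in attrs if k.startswith("qtnext")]

def is_plain_web_url(value):
    """Assumed policy: only a bare http(s) URL is acceptable in qtnext."""
    v = value.strip()
    if not v or v.startswith("-") or any(c.isspace() or c in "\"'" for c in v):
        return False  # empty, option-like, or carrying extra arguments
    try:
        parts = urlsplit(v)
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and bool(parts.netloc)

def inspect_qtl(data):
    """Return (verdict, offending qtnext values) for the raw bytes of a .qtl file."""
    encoding = "utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8"
    scanner = EmbedScanner()
    scanner.feed(data.decode(encoding, errors="replace"))
    scanner.close()
    bad = [v for v in scanner.qtnext_values if not is_plain_web_url(v)]
    return ("block" if bad else "allow", bad)

# Constructed sample files (not taken from any real exploit or capture).
BENIGN = (b'<?xml version="1.0"?>\n'
          b'<?quicktime type="application/x-quicktime-media-link"?>\n'
          b'<embed src="http://media.example/clip.mov"'
          b' qtnext="http://media.example/next.mov" />\n')
# Option-like value hidden behind a character reference and upper-case names.
SUSPECT = b'<EMBED SRC="clip.mov" QTNEXT="&#45;chrome PLACEHOLDER" />'

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, inspect_qtl(sample))
```

The check covers only what is visible in the file content handed to it, which is consistent with the note's description of filtering as a partial mitigation.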

For Mozilla Users

• Upgrade to Mozilla Firefox version 2.0.0.7, which may prevent exploitation of this vulnerability by removing Firefox's ability to run arbitrary scripts that are provided by command-line arguments.

• Using the NoScript Firefox extension to whitelist web sites that can run scripts and access installed plugins will mitigate this vulnerability.

References

GNUCITIZEN
http://www.gnucitizen.org/blog/0day-quicktime-pwns-firefox

Mozilla
http://www.mozilla.org/security/announce/2007/mfsa2007-28.html
http://blog.mozilla.com/security/2007/09/18/firefox-2.0.0.7-now-available/

Secunia
http://secunia.com/advisories/26881/

CVE Name
CVE-2006-4965


Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003