wessman
April 2nd, 2003, 03:58 PM
Holes found in RealPlayer, QuickTime
By Sandeep Junnarkar, Staff Writer, CNET News.com
April 2, 2003, 12:07 PM PT
http://news.com.com/2100-1025-995085.html
Just as streaming video and audio are hitting the mainstream, researchers have sounded the alarm about serious security holes in two popular digital media players.
The vulnerabilities have cropped up in RealNetworks' RealPlayer and Apple Computer's QuickTime. While unrelated, the weak spots could allow an intruder to execute damaging arbitrary code on a victim's computer. In both cases, updates are available to remedy the problem.
Security experts are increasingly concerned about hackers exploiting digital media players, which are designed to accept Web addresses and scripts--a key route for self-propagating, hostile code.
The current vulnerabilities come at a time when streaming content has gained momentum, providing news and entertainment to a growing number of people accessing the Internet via broadband connections.
RealNetworks has issued an advisory, warning that by creating a specifically corrupted Portable Network Graphics file, an attacker could cause "heap corruption." Doing so would allow the attacker to execute code on the victim's machine. The vulnerable software uses an older data-compression library within the RealPix component of the player, leaving the system vulnerable. The company said it has fixed the vulnerability by using an updated version of the data-compression library.
RealNetworks said it had not received any reports of anyone's computer actually being attacked via this exploit.
The vulnerability affected the following popular versions of its digital media players: RealOne Player, RealOne Player v2 for Windows, RealPlayer 8 for Windows, RealPlayer 8 for Mac OS 9, RealOne Player for Mac OS X, RealOne Enterprise Desktop Manager and RealOne Enterprise Desktop.
The Helix DNA Client was not affected, RealNetworks noted.
Meanwhile, security firm iDefense warned this week that it has discovered an exploitable buffer overflow vulnerability in Apple's QuickTime Player that could affect computers with Microsoft's Windows but not those with Apple's Macintosh OS.
Buffer overflows occur when an application is flooded with information and as a result cannot handle memory correctly. By causing a buffer overflow, attackers can insert their own code into the execution of the application.
In this case, a URL containing 400 characters will overrun the allocated space on the system, allowing the attacker to assume control of the system, iDefense said. All the attacker needs to do is to convince a Web surfer to click on a specially crafted URL.
iDefense said that QuickTime Player versions 5.x and 6.0 for Windows are vulnerable. Apple recommended downloading its QuickTime 6.1, which addresses this vulnerability.
Copyright ©1995-2003 CNET Networks, Inc. All rights reserved.
iDEFENSE Security Advisory 03.31.03:
Buffer Overflow in Windows QuickTime Player
March 31, 2003
http://www.idefense.com/advisory/03.31.03.txt
I. BACKGROUND
QuickTime Player is a popular media player for both the Microsoft Windows and Apple Mac platforms. More information about the application is available at http://www.apple.com/quicktime/ .
II. DESCRIPTION
An exploitable buffer overflow condition has been discovered in Apple Computer Inc.'s QuickTime Player, allowing for the remote execution of arbitrary code. The vulnerability lies in the processing of long QuickTime URLs (quicktime:// or through the -u switch). When processing a QuickTime URL, the application is launched in the following manner, as can be seen from the Windows registry key HKEY_CLASSES_ROOT/quicktime:
%PATH TO QUICKTIME%\QuickTimePlayer.exe -u"%1"
A URL containing 400 characters will overrun the allocated space on the stack overwriting the saved instruction pointer (EIP). This will thereby allow an attacker to redirect the flow of control. An example URL that will cause QuickTime player to crash is:
quicktime://127.0.0.1/AAAA...
Where the character 'A' is repeated 400 times.
III. ANALYSIS
Any remote attacker can compromise a target system if he or she can convince a user to load a specially crafted exploit URL. Upon successful exploitation, arbitrary code can be executed under the privileges of the user who launched QuickTime.
IV. DETECTION
iDEFENSE has confirmed that QuickTime Player versions 5.x and 6.0 for the Microsoft Windows platform are vulnerable. QuickTime for MacOS is not vulnerable.
V. WORKAROUND
Removing the QuickTime handler from the web browser or removing the registry key HKEY_CLASSES_ROOT/quicktime can prevent automatic exploitation through HTML pages.
VI. VENDOR FIX
Apple has released QuickTime 6.1 which addresses this vulnerability. It is available from http://www.apple.com/quicktime/download/ .
VII. CVE INFORMATION
The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project assigned the identification number CAN-2003-0168 to this issue.
VIII. DISCLOSURE TIMELINE
01/16/2003 Issue disclosed to iDEFENSE
02/24/2003 iDEFENSE notification sent to product-security@apple.com
02/24/2003 Response received from Apple Product Security team
02/24/2003 iDEFENSE clients notified
03/31/2003 Coordinated Public disclosure
IX. CREDIT
Texonet (http://www.texonet.com) is credited with discovering this vulnerability.
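A small detection check for the condition the advisory describes, added here as an example and not part of the CNET article or the iDEFENSE advisory: it extracts quicktime:// URLs from HTML or proxy-log text and flags any at or beyond the 400-character length the advisory cites. The sample lines, the regular expression and the threshold constant are constructed assumptions for this example.

```python
import re
from typing import Dict, List, Tuple

# Per the iDEFENSE advisory, a quicktime:// URL of 400 characters overruns the
# stack buffer in QuickTime Player 5.x/6.0 for Windows. The threshold below is
# taken from that figure; tune it lower if you want earlier warning.
URL_LENGTH_THRESHOLD = 400

# Assumption: quicktime: URLs in page source or proxy logs end at whitespace,
# a quote character or an angle bracket.
QT_URL_RE = re.compile(r'quicktime://[^\s"\'<>]*', re.IGNORECASE)

# Constructed sample input: a benign link, an oversized link modelled on the
# advisory's crash example, and an unrelated proxy-log line.
SAMPLE_LINES = [
    '<a href="quicktime://media.example.test/trailer.mov">Watch</a>',
    '<a href="quicktime://127.0.0.1/' + 'A' * 400 + '">click</a>',
    'GET http://www.example.test/index.html 200',
]


def find_quicktime_urls(text: str) -> List[str]:
    """Return every quicktime:// URL found in one line of text."""
    return QT_URL_RE.findall(text)


def classify_line(line: str) -> List[Dict[str, object]]:
    """Describe each quicktime:// URL on the line and whether it is oversized."""
    findings = []
    for url in find_quicktime_urls(line):
        findings.append({
            # Truncate for display so an oversized URL does not flood the report.
            "url": url[:60] + ("..." if len(url) > 60 else ""),
            "length": len(url),
            "oversized": len(url) >= URL_LENGTH_THRESHOLD,
        })
    return findings


def scan(lines: List[str]) -> List[Tuple[int, int]]:
    """Return (line number, URL length) for every oversized quicktime:// URL."""
    alerts = []
    for number, line in enumerate(lines, 1):
        for finding in classify_line(line):
            if finding["oversized"]:
                alerts.append((number, finding["length"]))
    return alerts


if __name__ == "__main__":
    for number, length in scan(SAMPLE_LINES):
        print(f"line {number}: quicktime:// URL of {length} characters")
```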