__________________________________________________________

                      The U.S. Department of Energy
                  Computer Incident Advisory Capability
__________________________________________________________

                           Information Bulletin

                 Apple QuickTime ActiveX Buffer Overrun
             [Apple Security Advisory APPLE-SA-2002-09-19]

September 26, 2002 19:00 GMT                                      Number M-128
______________________________________________________________________________
PROBLEM:       The ActiveX control for QuickTime for Windows 5.0.2 has a
               buffer overflow vulnerability triggered by insufficient input
               validation when parsing the "pluginspage" parameter.

PLATFORM:      Windows with ActiveX enabled or QuickTime installed:
               Windows NT4 SP6a
               Windows 2000 SP1
               Windows XP

DAMAGE:        Exploiting the buffer overrun could allow an attacker to run
               arbitrary code.

SOLUTION:      Upgrade to the new version of the ActiveX control.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. This vulnerability can be exploited by a
ASSESSMENT:    remote attacker who can induce a victim to visit a web site
               with malicious code offering the vulnerable control or
               executing a control already present on the victim's computer.
               Also affected are users who open HTML messages in Windows mail
               clients that use Internet Explorer to render HTML and load
               ActiveX controls (e.g., Outlook, Outlook Express, Eudora).
______________________________________________________________________________
LINKS:
 CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/m-128.shtml
 UPGRADES:      http://www.apple.com/quicktime/download/qtcheck/
                http://www.apple.com/QuickTime/download/
______________________________________________________________________________

[***** Start Apple Security Advisory APPLE-SA-2002-09-19 *****]

Apple Security Advisory APPLE-SA-2002-09-19

Overview

A buffer overflow exists in the ActiveX control distributed in Apple QuickTime
for Windows Version 5.0.2. Any user who opens this control in Microsoft
Windows Internet Explorer or other affected Windows mail clients is vulnerable
to attack. QuickTime versions for Mac OS X or Mac OS 9 are not vulnerable.

Recommendation

Users and web site administrators running the Windows operating system should
upgrade to the new version of the ActiveX control as soon as possible. This
can be done either by downloading a new ActiveX control or by updating to
QuickTime 6, which contains a fixed version of the ActiveX control.

ActiveX control only: http://www.apple.com/quicktime/download/qtcheck/
This control will work with QuickTime version 3.0 and later.

QuickTime 6 (free update): http://www.apple.com/QuickTime/download/

Common Vulnerabilities and Exposures (CVE) Information

The Common Vulnerabilities and Exposures (CVE) project has assigned the
following identification to this issue. It is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for security
problems.

CAN-2002-0376 Apple QuickTime ActiveX v5.0.2 Buffer Overrun

Description

QuickTime for Windows version 5.0.2 is distributed with an ActiveX control
that allows QuickTime movies to be played in Microsoft Internet Explorer on
Windows. The ActiveX control for QuickTime for Windows 5.0.2 has a buffer
overflow vulnerability triggered by insufficient input validation when parsing
the "pluginspage" parameter.
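A defender-side check for the parsing bug described above, as an added example that is not part of the CIAC bulletin or the Apple advisory: it audits HTML (mail bodies, proxied pages) for "pluginspage" values that are not plausible download URLs, whether supplied as an attribute or as a <param>. MAX_PLUGINSPAGE_LEN and SAMPLE_HTML are constructed assumptions, not values taken from the advisory.

```python
"""Audit HTML for <embed>/<object> markup whose "pluginspage" value is not a
plausible URL. Added example for this bulletin; not code from CIAC or Apple.
The length limit and the sample HTML are constructed assumptions."""
from html.parser import HTMLParser
from urllib.parse import urlparse

MAX_PLUGINSPAGE_LEN = 512  # assumption: generous upper bound for a genuine download URL


def assess_pluginspage(value):
    """Return the reasons a pluginspage value looks hostile; empty list means benign."""
    reasons = []
    if len(value) > MAX_PLUGINSPAGE_LEN:
        reasons.append("length %d exceeds %d" % (len(value), MAX_PLUGINSPAGE_LEN))
    if any(ord(ch) < 0x20 or ord(ch) > 0x7E for ch in value):
        reasons.append("contains non-printable or non-ASCII characters")
    parsed = urlparse(value)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        reasons.append("not an http(s) URL")
    return reasons


class PluginsPageAuditor(HTMLParser):
    """Record every pluginspage value, given either as an attribute or a <param>."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, value, reasons)

    def handle_starttag(self, tag, attrs):
        attrs = {name: (val or "") for name, val in attrs}  # names already lower-cased
        if tag == "param" and attrs.get("name", "").lower() == "pluginspage":
            value = attrs.get("value", "")
        elif tag in ("embed", "object") and "pluginspage" in attrs:
            value = attrs["pluginspage"]
        else:
            return
        self.findings.append((tag, value, assess_pluginspage(value)))


def audit_html(html):
    """Parse html and return the list of (tag, value, reasons) findings."""
    auditor = PluginsPageAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample: one legitimate embed and one <param> carrying an oversized value.
OVERSIZED = "A" * 2048
SAMPLE_HTML = ('<embed src="movie.mov" pluginspage="http://www.apple.com/quicktime/download/">'
               '<object><param name="src" value="movie.mov">'
               f'<param name="pluginspage" value="{OVERSIZED}"></object>')

if __name__ == "__main__":
    for tag, value, reasons in audit_html(SAMPLE_HTML):
        print(tag, len(value), "OK" if not reasons else "; ".join(reasons))
```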
This vulnerability can be exploited by a remote attacker who can induce a
victim to visit a web site with malicious code offering the vulnerable control
or executing a control already present on the victim's computer. Also affected
are users who open HTML messages in Windows mail clients that use Internet
Explorer to render HTML and load ActiveX controls (e.g., Outlook, Outlook
Express, Eudora). Note that an email attack would be rendered harmless if the
end user's email client handled HTML mail in Internet Explorer's Restricted
Sites Zone (for example by having applied the Outlook Email Security Update
distributed by Microsoft; Outlook Express 6 and Outlook 2002 handle mail in the
Restricted Sites Zone by default). Mail clients unable to render HTML, or that
do not invoke Internet Explorer, are unaffected.

All web content managers who support QuickTime technology and all Windows users
of Microsoft Internet Explorer are encouraged to upgrade to the new ActiveX
control or QuickTime Version 6.0 as soon as possible.

Solution

Either download the new ActiveX control by itself, or update to QuickTime 6:

ActiveX control only: http://www.apple.com/quicktime/download/qtcheck/
This control will work with QuickTime version 3.0 and later.

QuickTime 6 (free update): http://www.apple.com/QuickTime/download/

Mitigating factors

* In the case of the web-based attack, an attacker would need to force a user
  to visit the attacker's web site. Users who exercise caution in visiting web
  sites could minimize their risk.

* In the web-based attack, if ActiveX controls have been disabled in the zone
  in which the page is viewed, the vulnerability cannot be exploited. Users who
  place untrusted sites in the Restricted Sites zone, which disables ActiveX by
  default, or who have disabled ActiveX controls in the Internet zone, could
  minimize their risk.
* In the case of HTML email based attacks, customers who read email in the
  Restricted Sites zone would be protected against attempts to exploit this
  vulnerability. Customers using Outlook 2002 and Outlook Express 6.0, as well
  as Outlook 2000 and Outlook 98 customers who have applied the Outlook Email
  Security Update, would thus be protected by default. Also, Outlook Express
  5.0 customers who have chosen to read mail in the Restricted Sites zone would
  be protected by default.

* In the HTML email based attack, Outlook 2002 customers who have enabled the
  "Read as Plain Text" option available in SP1 or later would also be
  protected.

Further information

Are there any caveats associated with the patch?

Yes. Customers should be aware that although the vulnerabilities here involve
an ActiveX control, the patch does not set the Kill Bit.

What's an ActiveX control?

ActiveX controls are small, single-purpose programs that can be called by
programs and web pages. ActiveX allows a programmer to write a piece of
software one time and make its functionality available to other programs that
may need it.

What's the "Kill Bit"?

The Kill Bit is a method by which an ActiveX control can be prevented from ever
being invoked via Internet Explorer, even if it is present on the system. (More
information on the Kill Bit is available in Microsoft Knowledge Base article
Q240797.) Typically, when a security vulnerability involves an ActiveX control,
the patch delivers a new control and sets the Kill Bit on the vulnerable
control. However, it isn't feasible to do so in this case.

Why isn't it feasible to set the Kill Bit in this case?

The Kill Bit is currently implemented in Windows as an "all or nothing" switch.
Setting the Kill Bit will totally disable your ability to use QuickTime in
media which invokes it via the ActiveX control. This includes millions of web
pages, along with many CDs and DVDs.
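A Kill Bit audit for a list of CLSIDs, as an added example that is not code from CIAC, Apple or Microsoft: it reads the "Compatibility Flags" value that Knowledge Base article Q240797 describes and shows why the switch is all or nothing, since the bit is keyed on the CLSID alone and so blocks every version registered under it. The CLSIDs and FAKE_REGISTRY are placeholders (the advisory does not give the QuickTime control's CLSID), and read_flags is injectable so the logic runs off Windows.

```python
r"""Check whether Internet Explorer's Kill Bit is set for ActiveX controls.
Added example; not code from CIAC, Apple or Microsoft. Per Microsoft KB Q240797,
IE refuses to load a control whose CLSID has bit 0x400 set in "Compatibility Flags"
under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
CLSIDs below are placeholders (the advisory gives no CLSID); the fake registry is
constructed so the logic can be exercised on any platform."""
import re

KILL_BIT = 0x400
COMPAT_KEY = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
CLSID_RE = re.compile(r"^\{?([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}?$")


def normalize_clsid(clsid):
    """Canonical registry form: upper-case, wrapped in braces. Raises on malformed input."""
    m = CLSID_RE.match(clsid.strip())
    if not m:
        raise ValueError("not a CLSID: %r" % clsid)
    return "{%s}" % m.group(1).upper()


def read_flags_from_registry(clsid):
    """Read Compatibility Flags for clsid from HKLM (Windows only); 0 if the key is absent."""
    import winreg  # standard library, but only importable on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, COMPAT_KEY + "\\" + clsid) as key:
            value, _ = winreg.QueryValueEx(key, "Compatibility Flags")
            return int(value)
    except OSError:
        return 0


def kill_bit_set(flags):
    """True when the 0x400 Kill Bit is present in the flags value."""
    return bool(flags & KILL_BIT)


def audit_controls(clsids, read_flags=read_flags_from_registry):
    """Map each CLSID to whether the Kill Bit blocks it. The key is the CLSID alone, so a
    set bit blocks every version of that control: the "all or nothing" behaviour."""
    return {c: kill_bit_set(read_flags(c)) for c in (normalize_clsid(x) for x in clsids)}


# Constructed fake registry with placeholder CLSIDs, not the QuickTime control's real one.
FAKE_REGISTRY = {
    "{00000000-0000-0000-0000-000000000001}": 0x400,  # Kill Bit set
    "{00000000-0000-0000-0000-000000000002}": 0x000,  # flags present, no Kill Bit
}

if __name__ == "__main__":
    wanted = list(FAKE_REGISTRY) + ["{00000000-0000-0000-0000-000000000003}"]
    print(audit_controls(wanted, read_flags=lambda c: FAKE_REGISTRY.get(c, 0)))
```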
By design, the web pages, CDs and DVDs contain hard-coded references to the
ActiveX control to load QuickTime. The QuickTime content on these web pages,
CDs and DVDs would no longer be accessible. As a result, a new ActiveX control
is provided to remove the vulnerabilities, but the Kill Bit is not set on the
old one.

Will the Kill Bit on this control eventually be set?

Yes. Microsoft is developing a new technology that will enable it to set the
Kill Bit on the vulnerable version of the control without forcing users to
re-author web pages containing references to these controls. When the new
technology is available, we'll provide a QuickTime update that makes use of it.

References

http://www.apple.com/QuickTime/download/
http://www.apple.com/quicktime/download/qtcheck/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0376
http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q240797
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q154850&FR=1

[***** End Apple Security Advisory APPLE-SA-2002-09-19 *****]

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California.
CIAC is also a founding member of FIRST, the Forum of Incident Response and
Security Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California.
The views and opinions of authors expressed herein do not necessarily state or
reflect those of the United States Government or the University of California,
and shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

M-118: HP Tru64 Unix Multiple Vulnerabilities
M-119: Cisco VPN Concentrator Multiple Vulnerabilities
M-120: Microsoft Visual FoxPro 6.0 Vulnerability
M-121: Microsoft Certificate Validation Vulnerability
M-122: Remotely Exploitable Buffer Overflow in PGP
M-123: Polycom Videoconferencing Remote Vulnerabilities
M-124: Konqueror Secure Cookie Vulnerability
M-125: Apache/mod_ssl Worm
M-126: MS VM JDBC Classes Vulnerabilities
M-127: Microsoft Office Documents Expose ODBC Passwords