From security em unicamp.br Wed Nov 7 10:11:32 2007
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Wed, 7 Nov 2007 10:11:32 -0200
Subject: [SECURITY-L] US-CERT Technical Cyber Security Alert TA07-310A -- Apple QuickTime Updates for Multiple Vulnerabilities
Message-ID: <20071107121131.GB21316@unicamp.br>

----- Forwarded message from US-CERT Technical Alerts -----

From: US-CERT Technical Alerts
Subject: US-CERT Technical Cyber Security Alert TA07-310A -- Apple QuickTime Updates for Multiple Vulnerabilities
To: technical-alerts em us-cert.gov
Date: Tue, 6 Nov 2007 18:13:21 -0500
Organization: US-CERT - +1 202-205-5266

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System
Technical Cyber Security Alert TA07-310A

Apple QuickTime Updates for Multiple Vulnerabilities

Original release date: November 06, 2007
Last revised: --
Source: US-CERT

Systems Affected

Vulnerabilities in Apple QuickTime affect

  * Apple Mac OS X
  * Microsoft Windows

Overview

Apple QuickTime contains multiple vulnerabilities. Exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code or cause a denial-of-service condition.

I. Description

Apple QuickTime 7.3 resolves multiple vulnerabilities in the way different types of image and media files are handled. An attacker could exploit these vulnerabilities by convincing a user to access a specially crafted image or media file that could be hosted on a web page.

Note that Apple iTunes installs QuickTime, so any system with iTunes is vulnerable.

II. Impact

These vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code or commands and cause a denial-of-service condition. For further information, please see About the security content of QuickTime 7.3.

III. Solution

Upgrade QuickTime

Upgrade to QuickTime 7.3. This and other updates for Mac OS X are available via Apple Update.

Secure your web browser

To help mitigate these and other vulnerabilities that can be exploited via a web browser, refer to Securing Your Web Browser.

References

  * About the security content of the QuickTime 7.3 Update -
  * How to tell if Software Update for Windows is working correctly when no updates are available -
  * Apple QuickTime Download -
  * Mac OS X: Updating your software -
  * Securing Your Web Browser -

_________________________________________________________________

The most recent version of this document can be found at:

_________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA07-310A Feedback VU#208011" in the subject.

_________________________________________________________________

For instructions on subscribing to or unsubscribing from this mailing list, visit .

_________________________________________________________________

Produced 2007 by US-CERT, a government organization.

Terms of use:

_________________________________________________________________

Revision History

November 6, 2007: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
-----END PGP SIGNATURE-----

----- End forwarded message -----

From security em unicamp.br Wed Nov 21 10:18:51 2007
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Wed, 21 Nov 2007 10:18:51 -0200
Subject: [SECURITY-L] US-CERT Technical Cyber Security Alert TA07-317A -- Microsoft Updates for Multiple Vulnerabilities
Message-ID: <20071121121850.GA69118@unicamp.br>

----- Forwarded message from US-CERT Technical Alerts -----

From: US-CERT Technical Alerts
Subject: US-CERT Technical Cyber Security Alert TA07-317A -- Microsoft Updates for Multiple Vulnerabilities
To: technical-alerts em us-cert.gov
Date: Tue, 13 Nov 2007 14:53:10 -0500
Organization: US-CERT - +1 202-205-5266

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System
Technical Cyber Security Alert TA07-317A

Microsoft Updates for Multiple Vulnerabilities

Original release date: November 13, 2007
Last revised: --
Source: US-CERT

Systems Affected

  * Microsoft Windows
  * Microsoft Windows DNS Server

Overview

Microsoft has released updates that address critical vulnerabilities in Microsoft Windows and Microsoft Windows DNS Server. Exploitation of these vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary commands or to cause a Windows DNS server to provide incorrect DNS responses.

I. Description

Microsoft has released updates to address vulnerabilities that affect Microsoft Windows and Microsoft Windows DNS Server as part of the Microsoft Security Bulletin Summary for November 2007. The most severe vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary commands or cause a Windows DNS server to provide incorrect DNS responses.

Further information about the vulnerabilities addressed by these updates is available in the Vulnerability Notes Database.

II. Impact

A remote, unauthenticated attacker could execute arbitrary commands on a vulnerable system. An attacker may also be able to cause a Windows DNS server to provide incorrect responses to DNS queries.

III. Solution

Apply updates from Microsoft

Microsoft has provided updates for these vulnerabilities in the November 2007 security bulletins. The security bulletins describe any known issues related to the updates. Administrators are encouraged to note any known issues that are described in the bulletins and test for any potentially adverse effects.
System administrators should consider using an automated patch distribution system such as Windows Server Update Services (WSUS).

IV. References

  * US-CERT Vulnerability Notes for Microsoft November 2007 updates -
  * Microsoft Security Bulletin Summary for November 2007 -
  * Microsoft Update -
  * Windows Server Update Services -
  * Securing Your Web Browser -

____________________________________________________________________

The most recent version of this document can be found at:

____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA07-317A Feedback VU#484649" in the subject.

____________________________________________________________________

For instructions on subscribing to or unsubscribing from this mailing list, visit .

____________________________________________________________________

Produced 2007 by US-CERT, a government organization.

Terms of use:

____________________________________________________________________

Revision History

November 13, 2007: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
-----END PGP SIGNATURE-----

----- End forwarded message -----

From security em unicamp.br Wed Nov 21 10:19:24 2007
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Wed, 21 Nov 2007 10:19:24 -0200
Subject: [SECURITY-L] CAIS-Alerta: Vulnerability in URI handling in Windows (MS07-061)
Message-ID: <20071121121924.GB69118@unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Vulnerability in URI handling in Windows (MS07-061)
To: pop-seg em cais.rnp.br, rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Wed, 14 Nov 2007 20:46:55 -0200 (BRST)

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

CAIS is forwarding the Microsoft alert titled "MS07-061 - Vulnerability in Windows URI Handling Could Allow Remote Code Execution (943460)", which addresses a vulnerability in the way Windows handles URIs.

The vulnerability exists in the way Windows handles certain URIs (Uniform Resource Identifiers), resource addresses passed to the shell. An attacker can exploit this vulnerability by including a malicious address (URI) in an application or attached file. If an attacker successfully exploits this vulnerability, they will be able to execute code remotely. Users who use accounts with fewer privileges suffer less impact than users who use accounts with administrator privileges.

This update fixes the vulnerability described in advisory 943521, released on October 10, 2007.

Affected systems:

  . Windows XP Service Pack 2
  . Windows XP Professional x64 Edition
  . Windows XP Professional x64 Edition Service Pack 2
  . Windows Server 2003 Service Pack 1
  . Windows Server 2003 Service Pack 2
  . Windows Server 2003 x64 Edition
  . Windows 2003 Server x64 Edition Service Pack 2
  . Windows Server 2003 with SP1 for Itanium-based Systems
  . Windows Server 2003 with SP2 for Itanium-based Systems

Available fixes:

Updating to the versions available at the following locations is recommended:

  . Windows XP Service Pack 2
    http://www.microsoft.com/downloads/details.aspx?FamilyId=8ba1c2f9-1bde-4e97-b327-21259c5e5104
  . Windows XP Professional x64 Edition
    http://www.microsoft.com/downloads/details.aspx?FamilyId=4ef7fdd7-8887-4c64-a70c-c6ae734d7c5f
  . Windows XP Professional x64 Edition Service Pack 2
    http://www.microsoft.com/downloads/details.aspx?FamilyId=4ef7fdd7-8887-4c64-a70c-c6ae734d7c5f
  . Windows Server 2003 Service Pack 1
    http://www.microsoft.com/downloads/details.aspx?FamilyId=e5d8a866-2c1f-4035-8325-c1be61a75c3b
  . Windows Server 2003 Service Pack 2
    http://www.microsoft.com/downloads/details.aspx?FamilyId=e5d8a866-2c1f-4035-8325-c1be61a75c3b
  . Windows Server 2003 x64 Edition
    http://www.microsoft.com/downloads/details.aspx?FamilyId=bf26da08-15b8-4d65-ba12-4cc74c7a1326
  . Windows 2003 Server x64 Edition Service Pack 2
    http://www.microsoft.com/downloads/details.aspx?FamilyId=bf26da08-15b8-4d65-ba12-4cc74c7a1326
  . Windows Server 2003 with SP1 for Itanium-based Systems
    http://www.microsoft.com/downloads/details.aspx?FamilyId=1c055f11-3273-4a4c-a33f-bf61ac9ec4c5
  . Windows Server 2003 with SP2 for Itanium-based Systems
    http://www.microsoft.com/downloads/details.aspx?FamilyId=1c055f11-3273-4a4c-a33f-bf61ac9ec4c5

More information:

  . MS07-061 - Vulnerability in Windows URI Handling Could Allow Remote Code Execution (943460)
    http://www.microsoft.com/technet/security/Bulletin/MS07-061.mspx
  . Microsoft Security Advisory (943521) - URL Handling Vulnerability in Windows XP and Windows Server 2003 with Windows Internet Explorer 7 Could Allow Remote Code Execution
    http://www.microsoft.com/technet/security/advisory/943521.mspx
  . SANS ISC - november black tuesday overview (2007-11-13)
    http://isc.sans.org/diary.html?storyid=3642
  . Microsoft Brasil Security
    http://www.microsoft.com/brasil/security
  . Technet Brasil - Central de Seguranca
    http://www.technetbrasil.com.br/seguranca
  . Windows Live OneCare
    http://safety.live.com/site/pt-BR/default.htm

CVE identifier (http://cve.mitre.org): CVE-2007-3896

CAIS recommends that administrators always keep their systems and applications up to date, in accordance with the latest versions and fixes provided by vendors.
CAIS Alerts are also available in RSS/RDF format: http://www.rnp.br/cais/alertas/rss.xml

Sincerely,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)       #
# Rede Nacional de Ensino e Pesquisa (RNP)                     #
#                                                              #
# cais em cais.rnp.br     http://www.cais.rnp.br               #
# Tel. 019-37873300       Fax. 019-37873301                    #
# PGP key available       http://www.rnp.br/cais/cais-pgp.key  #
################################################################

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Made with pgp4pine 1.76
-----END PGP SIGNATURE-----

----- End forwarded message -----

From security em unicamp.br Wed Nov 21 10:19:54 2007
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Wed, 21 Nov 2007 10:19:54 -0200
Subject: [SECURITY-L] CAIS-Alerta: Vulnerability in Windows DNS Server (MS07-062)
Message-ID: <20071121121952.GC69118@unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Vulnerability in Windows DNS Server (MS07-062)
To: pop-seg em cais.rnp.br, rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Wed, 14 Nov 2007 20:49:23 -0200 (BRST)

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

CAIS is forwarding the Microsoft alert titled "MS07-062 - Vulnerability in DNS Could Allow Spoofing (941672)", which addresses a serious vulnerability identified in the Windows DNS Server.

The vulnerability allows malicious responses to be sent to DNS requests, spoofing the IP address in the response and causing traffic to be diverted from its legitimate destination.
This vulnerability helps the attacker by providing information about the transaction identifiers (IDs) of the vulnerable server, making it easier to forge valid responses to requests made by the Windows DNS server in question.

This update replaces the one published in bulletin MS07-029.

Affected systems:

  . Microsoft Windows 2000 Server Service Pack 4
  . Windows Server 2003 Service Pack 1
  . Windows Server 2003 Service Pack 2
  . Windows Server 2003 x64 Edition
  . Windows Server 2003 x64 Edition Service Pack 2
  . Windows Server 2003 with SP1 for Itanium-based systems
  . Windows Server 2003 with SP2 for Itanium-based systems

Available fixes:

Updating to the versions available at the following locations is recommended:

  . Microsoft Windows 2000 Server Service Pack 4
    http://www.microsoft.com/downloads/details.aspx?FamilyId=c80fcd9b-d0f8-44db-96fc-bf2ead054ff4
  . Windows Server 2003 Service Pack 1
    http://www.microsoft.com/downloads/details.aspx?FamilyId=ed8e2cb4-bcd9-40fc-9ad6-46b364d0656d
  . Windows Server 2003 Service Pack 2
    http://www.microsoft.com/downloads/details.aspx?FamilyId=ed8e2cb4-bcd9-40fc-9ad6-46b364d0656d
  . Windows Server 2003 x64 Edition
    http://www.microsoft.com/downloads/details.aspx?FamilyId=d1323e14-ffa7-4d03-a2a7-9240c192a75e
  . Windows Server 2003 x64 Edition Service Pack 2
    http://www.microsoft.com/downloads/details.aspx?FamilyId=d1323e14-ffa7-4d03-a2a7-9240c192a75e
  . Windows Server 2003 with SP1 for Itanium-based systems
    http://www.microsoft.com/downloads/details.aspx?FamilyId=f3ad67de-85ad-452d-a1e0-0af3faf969d6
  . Windows Server 2003 with SP2 for Itanium-based systems
    http://www.microsoft.com/downloads/details.aspx?FamilyId=f3ad67de-85ad-452d-a1e0-0af3faf969d6

More information:

  . MS07-062 - Vulnerability in DNS Could Allow Spoofing (941672)
    http://www.microsoft.com/technet/security/Bulletin/MS07-062.mspx
  . MS07-029 - Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution (935966)
    http://www.microsoft.com/technet/security/bulletin/ms07-029.mspx
  . SANS ISC - november black tuesday overview (2007-11-13)
    http://isc.sans.org/diary.html?storyid=3642
  . Microsoft Brasil Security
    http://www.microsoft.com/brasil/security
  . Technet Brasil - Central de Seguranca
    http://www.technetbrasil.com.br/seguranca
  . Windows Live OneCare
    http://safety.live.com/site/pt-BR/default.htm

CVE identifier (http://cve.mitre.org): CVE-2007-3898

CAIS recommends that administrators always keep their systems and applications up to date, in accordance with the latest versions and fixes provided by vendors.

CAIS Alerts are also available in RSS/RDF format: http://www.rnp.br/cais/alertas/rss.xml

Sincerely,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)       #
# Rede Nacional de Ensino e Pesquisa (RNP)                     #
#                                                              #
# cais em cais.rnp.br     http://www.cais.rnp.br               #
# Tel. 019-37873300       Fax. 019-37873301                    #
# PGP key available       http://www.rnp.br/cais/cais-pgp.key  #
################################################################

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Made with pgp4pine 1.76
-----END PGP SIGNATURE-----

----- End forwarded message -----

From security em unicamp.br Wed Nov 21 10:24:43 2007
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Wed, 21 Nov 2007 10:24:43 -0200
Subject: [SECURITY-L] US-CERT Technical Cyber Security Alert TA07-319A -- Apple Updates for Multiple Vulnerabilities
Message-ID: <20071121122440.GD69118@unicamp.br>

----- Forwarded message from US-CERT Technical Alerts -----

From: US-CERT Technical Alerts
Subject: US-CERT Technical Cyber Security Alert TA07-319A -- Apple Updates for Multiple Vulnerabilities
To: technical-alerts em us-cert.gov
Date: Thu, 15 Nov 2007 13:34:47 -0500
Organization: US-CERT - +1 202-205-5266

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System
Technical Cyber Security Alert TA07-319A

Apple Updates for Multiple Vulnerabilities

Original release date: November 15, 2007
Last revised: --
Source: US-CERT

Systems Affected

  * Apple Mac OS X version 10.3.x and 10.4.x
  * Apple Mac OS X Server version 10.3.x and 10.4.x

These vulnerabilities affect both Intel-based and PowerPC-based Apple systems.

Overview

Apple has released Mac OS X 10.4.11 and Security Update 2007-008 to address multiple vulnerabilities affecting Apple Mac OS X and Mac OS X Server. The most serious of these vulnerabilities may allow a remote attacker to execute arbitrary code. Attackers may take advantage of the less serious vulnerabilities to bypass security restrictions or cause a denial of service.

I. Description

Apple Mac OS X 10.4.11 and Security Update 2007-008 address a number of vulnerabilities affecting Apple Mac OS X and OS X Server. Further details are available in the related vulnerability notes.

Several of the fixes included in this update address vulnerabilities in products from other vendors that ship with Apple OS X or OS X Server. These products include

  * BIND
  * bzip2
  * Adobe Flash
  * MIT Kerberos

Apple Mac OS X 10.4.11 and Security Update 2007-008 address vulnerabilities for versions 10.3.x and 10.4.x.

II. Impact

The impacts of these vulnerabilities vary. Potential consequences include remote execution of arbitrary code or commands, bypass of security restrictions, and denial of service.

III. Solution

Install updates from Apple

Install Mac OS X 10.4.11 or Apple Security Update 2007-008. This and other updates are available via Apple Update or via Apple Downloads.

IV. References

  * Vulnerability notes for Apple Security Update 2007-008 -
  * About the security content of Mac OS X 10.4.11 and Security Update 2007-008 -
  * Mac OS X: Updating your software -
  * Apple downloads -
  * ISC BIND -
  * bzip2 : Home -
  * Adobe - Adobe Flash Player -
  * Kerberos: The Network Authentication Protocol -

____________________________________________________________________

The most recent version of this document can be found at:

____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA07-319A Feedback VU#498105" in the subject.

____________________________________________________________________

For instructions on subscribing to or unsubscribing from this mailing list, visit .

____________________________________________________________________

Produced 2007 by US-CERT, a government organization.

Terms of use:

____________________________________________________________________

Revision History

November 15, 2007: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
-----END PGP SIGNATURE-----

----- End forwarded message -----

From security em unicamp.br Fri Nov 30 16:19:15 2007
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Fri, 30 Nov 2007 16:19:15 -0200
Subject: [SECURITY-L] US-CERT Technical Cyber Security Alert TA07-334A -- Apple QuickTime RTSP Buffer Overflow
Message-ID: <20071130181915.GA73968@unicamp.br>

----- Forwarded message from US-CERT Technical Alerts -----

From: US-CERT Technical Alerts
Subject: US-CERT Technical Cyber Security Alert TA07-334A -- Apple QuickTime RTSP Buffer Overflow
To: technical-alerts em us-cert.gov
Date: Fri, 30 Nov 2007 10:28:51 -0500
Organization: US-CERT - +1 202-205-5266

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System
Technical Cyber Security Alert TA07-334A

Apple QuickTime RTSP Buffer Overflow

Original release date: November 30, 2007
Last revised: --
Source: US-CERT

Systems Affected

A buffer overflow in Apple QuickTime affects:

  * Apple QuickTime for Windows
  * Apple QuickTime for Apple Mac OS X

Overview

Apple QuickTime contains a buffer overflow vulnerability in the way QuickTime processes Real Time Streaming Protocol (RTSP) streams. Exploitation of this vulnerability could allow an attacker to execute arbitrary code.

I. Description

Apple QuickTime contains a stack buffer overflow vulnerability in the way QuickTime handles the RTSP Content-Type header.
Most versions of QuickTime prior to and including 7.3 running on all supported Apple Mac OS X and Microsoft Windows platforms are vulnerable. Since QuickTime is a component of Apple iTunes, iTunes installations are also affected by this vulnerability.

An attacker could exploit this vulnerability by convincing a user to access a specially crafted HTML document such as a web page or email message. The HTML document could use a variety of techniques to cause QuickTime to load a specially crafted RTSP stream. Common web browsers, including Microsoft Internet Explorer, Mozilla Firefox, and Apple Safari can be used to pass RTSP streams to QuickTime, exploit the vulnerability, and execute arbitrary code.

Exploit code for this vulnerability was first posted publicly on November 25, 2007.

II. Impact

This vulnerability could allow a remote, unauthenticated attacker to execute arbitrary code or commands and cause a denial-of-service condition.

III. Solution

As of November 30, 2007, a QuickTime update for this vulnerability is not available. To block attack vectors, consider the following workarounds.

Block the rtsp:// protocol

Using a proxy or firewall capable of recognizing and blocking RTSP traffic can mitigate this vulnerability. Known public exploit code for this vulnerability uses the default RTSP port 554/tcp, however RTSP can use a variety of ports.

Disable file association for QuickTime files

Disable the file association for QuickTime file types. This can be accomplished by deleting the following registry keys:

  HKEY_CLASSES_ROOT\QuickTime.*

This will remove the association for approximately 32 file types that are configured to open with QuickTime Player.

Disable the QuickTime ActiveX controls in Internet Explorer

The QuickTime ActiveX controls can be disabled in Internet Explorer by setting the kill bit for the following CLSIDs:

  {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
  {4063BE15-3B08-470D-A0D5-B37161CFFD69}

More information about how to set the kill bit is available in Microsoft Knowledgebase Article 240797. Alternatively, the following text can be saved as a .REG file and imported to set the kill bit for these controls:

  Windows Registry Editor Version 5.00

  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}]
  "Compatibility Flags"=dword:00000400

  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4063BE15-3B08-470D-A0D5-B37161CFFD69}]
  "Compatibility Flags"=dword:00000400

Disable the QuickTime plug-in for Mozilla-based browsers

Users of Mozilla-based browsers, such as Firefox, can disable the QuickTime plugin, as specified in the PluginDoc article Uninstalling Plugins.

Disable JavaScript

For instructions on how to disable JavaScript, please refer to the Securing Your Web Browser document. This can help prevent some attack techniques that use the QuickTime plug-in or ActiveX control.

Secure your web browser

To help mitigate these and other vulnerabilities that can be exploited via a web browser, refer to Securing Your Web Browser.

Do not access QuickTime files from untrusted sources

Do not open QuickTime files from any untrusted sources, including unsolicited files or links received in email, instant messages, web forums, or internet relay chat (IRC) channels.

References

  * US-CERT Vulnerability Note VU#659761 -
  * Securing Your Web Browser -
  * Mozilla Uninstalling Plugins -
  * How to stop an ActiveX control from running in Internet Explorer -
  * IETF RFC 2326 Real Time Streaming Protocol -

_________________________________________________________________

The most recent version of this document can be found at:

_________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA07-334A Feedback VU#659761" in the subject.

_________________________________________________________________

For instructions on subscribing to or unsubscribing from this mailing list, visit .

_________________________________________________________________

Produced 2007 by US-CERT, a government organization.

Terms of use:

_________________________________________________________________

Revision History

November 30, 2007: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
-----END PGP SIGNATURE-----

----- End forwarded message -----
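
An added example, not part of the US-CERT alert or of any message above: a Python check that reads the text of a .REG export and reports, for each of the two QuickTime CLSIDs named in TA07-334A, whether the 0x400 kill bit is present in "Compatibility Flags". The function names and the sample export are constructed for illustration; the key path, CLSIDs and flag value are the ones given in the alert.

```python
import re

KILL_BIT = 0x400  # "Compatibility Flags"=dword:00000400 in the alert
COMPAT_ROOT = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
               r"\ActiveX Compatibility")
# QuickTime ActiveX CLSIDs listed in TA07-334A.
QUICKTIME_CLSIDS = (
    "{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}",
    "{4063BE15-3B08-470D-A0D5-B37161CFFD69}",
)

KEY_LINE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_LINE = re.compile(r'^"([^"]*)"=(.*)$')
DWORD = re.compile(r"dword:([0-9a-f]{1,8})", re.IGNORECASE)

# Constructed sample export: the first control carries the kill bit; the second
# has a key but only an unrelated flag (0x20 is an arbitrary stand-in value).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4063be15-3b08-470d-a0d5-b37161cffd69}]
"Compatibility Flags"=dword:00000020
"""


def parse_reg(text):
    """Return {lowercased key path: {lowercased value name: raw data}}.

    Registry paths and value names are case-insensitive, so both are folded.
    regedit writes version 5.00 exports as UTF-16; decode before calling.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_LINE.match(line)
        if m:
            path = m.group(2).lower()
            if m.group(1):  # "[-KEY]" removes the key and its subkeys
                for k in [k for k in keys
                          if k == path or k.startswith(path + "\\")]:
                    del keys[k]
                current = None
            else:
                current = keys.setdefault(path, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name, data = m.group(1).lower(), m.group(2).strip()
            if data == "-":  # "name"=- removes the value
                current.pop(name, None)
            else:
                current[name] = data
    return keys


def killbit_status(reg_text, clsids=QUICKTIME_CLSIDS):
    """Map each CLSID to 'kill bit set', 'kill bit not set',
    'flags missing' or 'key missing'."""
    keys = parse_reg(reg_text)
    report = {}
    for clsid in clsids:
        values = keys.get((COMPAT_ROOT + "\\" + clsid).lower())
        if values is None:
            report[clsid] = "key missing"
            continue
        m = DWORD.fullmatch(values.get("compatibility flags", ""))
        if not m:
            report[clsid] = "flags missing"
        elif int(m.group(1), 16) & KILL_BIT:
            report[clsid] = "kill bit set"  # other flag bits may also be set
        else:
            report[clsid] = "kill bit not set"
    return report


if __name__ == "__main__":
    for clsid, status in killbit_status(SAMPLE_EXPORT).items():
        print(clsid, status)
```

The bitwise test matters because "Compatibility Flags" is a bit field: a value that is non-zero, or even one that was set by another tool, does not by itself mean the control is blocked.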