Apple - one update and two new vulnerabilities
Apple has released an update for the vulnerability in QuickTime that was disclosed at the start of January. Using prepared RTSP (Real Time Streaming Protocol) URLs, it was possible to provoke a buffer overflow and exploit this to write malicious code to the stack and execute it. Such a URL could be embedded in a website or e-mail, so that it is opened automatically when visiting or viewing the site. QuickTime for both Windows and Mac OS X was affected.
A proof of concept exploit for this vulnerability was published three weeks ago. To date, however, there are no known cases of a user being infected with malware via this vulnerability. QuickTime 7.1.3 fixes this vulnerability.
In the meantime, two more vulnerabilities in Mac OS X have been disclosed. One of these allows non-privileged users to obtain root privileges. The cause of the problem is the UserNotificationCenter.app application, which runs with wheel group privileges and ensures that all available InputManagers are loaded automatically when an application is launched - including those saved in the user folder ~/Library/InputManagers by the user. These also run with wheel group privileges. This can be used, in combination with, for example, diskutil and a setuid binary which is writable for the wheel group, by a restricted user to obtain root privileges. It is not even necessary to be a member of the admin group. This can be remedied by restricting write privileges to the ~/Library/InputManagers folder to wheel and root. A similar critical error in Mac OS X was disclosed a few days ago.
On top of this, it is possible to provoke a heap overflow in QuickTime using manipulated PICT images. The bug is in the processing of ARGB (alpha RGB) records and can be triggered simply by viewing an image in the browser. The vulnerability apparently allows code to be injected and executed with user privileges. That said, during a test of the demo exploit by the heise Security editorial team using Safari nothing happened - however a locally saved file crashed the preview when opening the image. No patch is available, the only remedy is to detach links to PICT images.
- [ http://docs.info.apple.com/article.html?artnum=304989 About Security Update 2007-001], bug report from Apple
- Apple UserNotificationCenter Privilege Escalation Vulnerability, bug report from LMH and KF
- Apple QuickDraw GetSrcBits32ARGB() Memory Corruption Vulnerability, bug report from LMH and KF