QuickTime Vulnerabilities
An important tenet of client-side security is that your client is potentially vulnerable to flaws in each new image, movie, audio, or other plugin component it employs (this is on top of the vulnerabilities in its own code). I'm going to kick off a little stroll down plugin lane by talking about QuickTime.
QuickTime is Apple's video software, which happens to encompass various image formats as well. This page seems to say it supports around 55 formats (if I counted correctly, and depending on the version), from the lowly and ubiquitous GIF and JPEG up through H.264 HD video. What does this mean for the attacker? It means that whether or not you've ever heard of 3GPP2, they can possibly attack you via it, so long as you have your QuickTime plugin installed. (The recent VML exploit for IE is a perfect example of an obscure format coming back to bite people.)
Now let's talk numbers. I am only going to pick on QuickTime updates for 2006, so that means we're talking about Apple security updates for QuickTime 7.0.4, 7.1, and 7.1.3. First of all, all these problems are cross-platform ("Mac OS X v10.3.9 and later, Windows XP/2000"). Further, for all my Mac friends out there, please note that every single vulnerability is listed as potentially leading to code execution. (Disclaimer: I am a long-time Mac user, which is why this article goes into a little more depth.) Also, almost all of the flaws from the 7.1 and 7.1.3 updates are credited to Mike Price of McAfee AVERT Labs. It seems all but certain that he found all of these flaws by simply fuzzing the file formats (I will try to get a confirmation on that).
Another point of note: 4 file formats (JPEG, H.264, components surrounding .MOV in general, and FlashPix) had vulnerabilities in adjacent patches (i.e. in 7.0.4 and then 7.1, or 7.1 and then 7.1.3). I'm sure I could find many more instances of this, but I am only considering this one year, remember? That sort of flaw is potentially a more important metric than the fact that there were 3 different attacks on the same format within the same patch. This is because Apple's stated fix in basically all the cases is "This update addresses the issue by performing additional validation of *whatever format images/movies*". But that means when they go in to fix the code, they should be looking over the code for that image/video handler and checking for other potential errors. That such bugs keep being found suggests they are not being comprehensive about their patches. (Indeed, Tom Ferris at one point found that a bug he had submitted, which was claimed to be fixed, was not, and that another was easily exploited by modifying the original PoC.) The point I'm getting at is that there are a number of formats which QuickTime supports for which no vulnerabilities have been found yet, and there is evidence that even components which have previously had exploits are not getting patched completely. This is therefore a prime example of how a browser plugin can significantly increase the attack surface for a client.
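To make "additional validation" concrete, here is an added example (my own code, not Apple's and not taken from any QuickTime patch) of the kind of length checking a .MOV container parser needs. It walks the atom structure of a QuickTime file: each atom starts with a 4-byte big-endian size and a 4-byte type, a size of 0 means "runs to the end of the enclosing data", and a size of 1 means a 64-bit size follows the type. The container list (moov, trak, and so on) is a partial one and the sample buffers are constructed by hand; the check that matters is that a declared size is rejected when it is smaller than its own header or larger than the data actually present, which is exactly the class of mistake that turns a malformed file into an out-of-bounds read or write.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Status codes returned by walk_atoms() on failure (negative so they cannot
 * be confused with a valid atom count). */
enum atom_status {
    ATOM_ERR_TRUNCATED = -1,   /* declared size runs past the end of the data */
    ATOM_ERR_BAD_SIZE  = -2,   /* declared size smaller than the atom header */
    ATOM_ERR_NESTING   = -3    /* containers nested deeper than we allow */
};

#define ATOM_MAX_DEPTH 8

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static uint64_t be64(const uint8_t *p) {
    return ((uint64_t)be32(p) << 32) | be32(p + 4);
}

/* Partial list of QuickTime container atoms whose payload is itself a
 * sequence of atoms. Everything else is treated as opaque data. */
static int is_container(const uint8_t *type) {
    static const char *containers[] = {
        "moov", "trak", "mdia", "minf", "stbl", "udta", "edts", "dinf"
    };
    for (size_t i = 0; i < sizeof containers / sizeof containers[0]; i++)
        if (memcmp(type, containers[i], 4) == 0) return 1;
    return 0;
}

/* Walk every atom in buf[0..len), descending into known containers.
 * Returns the number of atoms visited (>= 0) or a negative atom_status.
 * Every size read from the file is validated before it is used as an offset. */
int walk_atoms(const uint8_t *buf, size_t len, int depth) {
    if (depth > ATOM_MAX_DEPTH) return ATOM_ERR_NESTING;
    int visited = 0;
    size_t off = 0;
    while (off < len) {
        size_t remaining = len - off;
        if (remaining < 8) return ATOM_ERR_TRUNCATED;    /* header itself does not fit */
        uint64_t size = be32(buf + off);
        size_t header = 8;
        if (size == 1) {                                  /* 64-bit extended size follows */
            if (remaining < 16) return ATOM_ERR_TRUNCATED;
            size = be64(buf + off + 8);
            header = 16;
        } else if (size == 0) {                           /* atom extends to end of data */
            size = remaining;
        }
        if (size < header) return ATOM_ERR_BAD_SIZE;      /* would underflow or loop forever */
        if (size > remaining) return ATOM_ERR_TRUNCATED;  /* the classic missing check */
        visited++;
        if (is_container(buf + off + 4)) {
            int inner = walk_atoms(buf + off + header, (size_t)(size - header), depth + 1);
            if (inner < 0) return inner;
            visited += inner;
        }
        off += (size_t)size;
    }
    return visited;
}

/* Constructed sample inputs (not real files). */
static const uint8_t SAMPLE_VALID[] = {          /* ftyp(20 bytes) + moov{ mvhd(8 bytes) } */
    0x00,0x00,0x00,0x14, 'f','t','y','p', 'q','t',' ',' ', 0x00,0x00,0x00,0x00, 'q','t',' ',' ',
    0x00,0x00,0x00,0x10, 'm','o','o','v', 0x00,0x00,0x00,0x08, 'm','v','h','d'
};
static const uint8_t SAMPLE_OVERSIZED[]  = { 0x00,0x00,0xFF,0xFF, 'm','d','a','t', 1,2,3,4 };
static const uint8_t SAMPLE_UNDERSIZED[] = { 0x00,0x00,0x00,0x04, 'm','d','a','t' };
static const uint8_t SAMPLE_TO_END[]     = { 0x00,0x00,0x00,0x00, 'm','d','a','t', 0xAA,0xBB,0xCC };

int main(void) {
    printf("valid:      %d\n", walk_atoms(SAMPLE_VALID, sizeof SAMPLE_VALID, 0));
    printf("oversized:  %d\n", walk_atoms(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED, 0));
    printf("undersized: %d\n", walk_atoms(SAMPLE_UNDERSIZED, sizeof SAMPLE_UNDERSIZED, 0));
    printf("to-end:     %d\n", walk_atoms(SAMPLE_TO_END, sizeof SAMPLE_TO_END, 0));
    return 0;
}
```

The two size checks are the whole point: an atom's declared size is attacker-controlled input, and a parser that trusts it to compute a copy length or the next offset is exactly what a file-format fuzzer finds in minutes. Validating it against the remaining data at every level of nesting, not just at the top, is what a comprehensive fix for one of these "additional validation" advisories has to do for the whole handler, not only for the one atom type in the reported PoC.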
Here's the list of CVEs for all these vulnerabilities. (7.0.4 was released January 9th, 2006, which is why all of its CVEs are from 2005.)
QuickTime 7.0.4 (8 vulns)
CVE-2005-2340, CVE-2005-3707, CVE-2005-3708, CVE-2005-3709, CVE-2005-3710, CVE-2005-3711, CVE-2005-3713, CVE-2005-4092
QuickTime 7.1 (12 vulns)
CVE-2006-1249, CVE-2006-1453, CVE-2006-1454, CVE-2006-1458, CVE-2006-1459, CVE-2006-1460, CVE-2006-1461, CVE-2006-1462, CVE-2006-1463, CVE-2006-1464, CVE-2006-1465, CVE-2006-2238
QuickTime 7.1.3 (7 vulns)
CVE-2006-4381, CVE-2006-4382, CVE-2006-4384, CVE-2006-4385, CVE-2006-4386, CVE-2006-4388, CVE-2006-4389
That's 27 vulnerabilities (so far) for 2006!
See the Plugins tag for more stories about 3rd party plugins introducing vulnerabilities into clients.
