Quicktime - Arbitrary Code Execution (remote)

2008.07.18
Risk: High
Local: No
Remote: No
CVE: N/A
CWE: N/A

n.runs AG
http://www.nruns.com/
security(at)nruns.com

n.runs-SA-2008.003
16-Jul-2008
_________________________

Vendor: Apple Inc., http://www.apple.com
Affected Products: QuickTime versions previous to 7.5, http://www.apple.com/quicktime
Affected Platforms: Mac OS X v10.3.9, Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2
Vulnerability: Arbitrary Code Execution (remote)
Risk: CRITICAL
_________________________

Vendor communication:

2008/03/07 Initial notification to Apple Inc. that n.runs AG has found a considerable number of vulnerabilities in Apple's most up-to-date default systems and default installed products, both on Mac OS 10.5 (Leopard) and iPhone 1.1.4, and that n.runs AG intends to send them in phases to Apple Inc.
2008/03/08 Apple Inc. replies to n.runs AG including their public PGP key and intends to use the Apple Inc. RFC instead of the n.runs RFC.
2008/03/08 n.runs AG replies that vulnerability reporting will only happen under the n.runs AG RFP.
2008/03/11 Apple Inc. communicates to n.runs AG that the n.runs AG RFP is aligned with their RFP, so further communication and bug reporting may continue.
2008/03/11 n.runs sends PoCs for various issues to Apple Inc.
2008/03/11 Apple Inc. validates the PoCs and informs that it has some issues reproducing some of them.
2008/03/12 n.runs AG sends more reliable PoCs and the steps to follow in order to reproduce the issues.
2008/03/24 Apple Inc. sends a status report regarding the vulnerabilities reported by n.runs AG.
2008/03/30 n.runs AG thanks Apple Inc. for the status update and apologises for not being more responsive during the CanSecWest time frame.
2008/03/31 Apple Inc. sends a second status update and provides the link where the credits will appear: http://support.apple.com/kb/HT1222
2008/04/01 n.runs AG thanks Apple Inc. for the update and sends a second pack of vulnerability PoCs, based on the good and fluent communication that n.runs AG has had with Apple Inc. up to this point.
2008/04/01 Apple Inc. thanks n.runs AG for the new PoCs, validates them and includes a status report in which they describe that some of the issues reported were known to them and/or discovered internally prior to n.runs AG's report. They also inform that they have added Sergio's name and company into their system for tracking credit information for each of the security issues, provide the Radar numbers assigned to each of them, and report some reproduction issues.
2008/04/01 n.runs AG thanks Apple Inc. for the quick response and clarifies that n.runs AG expects, as described in the RFP, to be credited for all the vulnerabilities reported to Apple Inc. that affect the most up-to-date products available to the public, regardless of whether they are internally known to Apple Inc.
2008/04/03 Apple Inc. replies: "Yes, that's our policy: all reporters of security bugs that were not publicly known get credit."
2008/05/23 n.runs AG reports another vulnerability and requests a status update for the previously reported vulnerabilities.
2008/05/29 Apple Inc. sends a status report and asks how n.runs AG would like to be credited, if there is some specific format.
2008/05/29 n.runs AG thanks Apple Inc. and sends the requested information.
2008/05/31 Apple Inc. sends the status report for the last issue reported to them and the Radar number assigned to it.
2008/07/10 n.runs AG requests a status update for the issues reported to Apple Inc.
2008/07/11 Apple Inc. sends the status report and "informs n.runs AG that some of the vulnerabilities had already been fixed and that the update was released some time ago, that one of them was found through internal security testing and was not correlated to n.runs AG's report, that they would fix that, and requests the format for the credits that n.runs AG would like to have."
2008/07/13 n.runs AG replies the following: "As I said and you agreed in my first mails, before sending any of my findings, whether you found them internally or if somebody else reported the same bugs that I'm reporting, you (Apple) have to credit me for my findings for the simple reason that I'm reporting them to you instead of releasing them to the public while the bugs are not fixed. That said, I've checked all the credits given in "iPhone 2.0 and iPod touch 2.0" (http://support.apple.com/kb/HT2351) and the ones given in "QuickTime 7.5" (http://support.apple.com/kb/HT1991), and I haven't been credited in any of them. This is a clear violation of our RFP. If by Monday 14.July.2008 the proper credits are not given to me, I'll release all the vulnerabilities and bugs that I've reported to you and also the ones I didn't report yet by Tuesday 15.July.2008."
2008/07/15 Apple Inc. asks n.runs AG not to make our findings public and also makes available the credits for one of the issues reported.
2008/07/16 n.runs AG releases this advisory.
_________________________

Overview:

QuickTime is a multimedia framework developed by Apple Inc., capable of handling various formats of digital video, media clips, sound, text, animation, music and several types of interactive panoramic images. Available for Classic Mac OS, Mac OS X and Microsoft Windows operating systems, it provides essential support for software packages including iTunes, QuickTime Player (which can also serve as a helper application for web browsers to play media files that might otherwise fail to open) and Safari.

Description:

A remotely exploitable vulnerability has been found in the file parsing engine. In detail, the following flaw was determined:

- A sign extension issue in QuickTime's handling of PICT images that leads to a heap buffer overflow.

Impact:

This problem can lead to remote arbitrary code execution if an attacker carefully crafts a file that exploits the aforementioned vulnerability.

The vulnerability is present in the Apple QuickTime software mentioned above, on all platforms supported by the affected products and in all products that use the APIs exposed by its library, prior to Apple QuickTime version 7.5.

Solution:

The vulnerability was reported on 01.Apr.2008 and Apple QuickTime Version 7.5 has been issued to solve this vulnerability. For detailed information about the fixes follow the link in the References [1] section of this document.
_________________________

Credit:

Bugs found by Sergio Alvarez of n.runs AG.
_________________________

References:

[1] http://support.apple.com/kb/HT1991

This Advisory and Upcoming Advisories:
http://www.nruns.com/security_advisory.php
_________________________

About n.runs:

n.runs AG is a vendor-independent consulting company specialising in the areas of IT Infrastructure, IT Security and IT Business Consulting. In 2007, n.runs expanded its core business area, which until then had been project-based consulting, to include the development of high-end security solutions. Application Protection System - Anti Virus (aps-AV) is the first high-end security solution that n.runs is bringing to the market.

Copyright Notice:

Unaltered electronic reproduction of this advisory is permitted. For all other reproduction or publication, in printing or otherwise, contact security_at_nruns.com for permission. Use of the advisory constitutes acceptance for use in an "as is" condition. All warranties are excluded. In no event shall n.runs be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if n.runs has been advised of the possibility of such damages.

Copyright 2008 n.runs AG. All rights reserved. Terms of use apply.
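The advisory names the bug class only: a sign extension in PICT handling that ends in a heap overflow. The following is an added illustration of that class, not QuickTime's code and not the actual PICT field involved; it assumes a hypothetical PICT-style record with a 16-bit big-endian length prefix and shows why a signed read passes the bounds check while the widened copy length becomes enormous, beside the check that rejects it.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical PICT-style record: 2-byte big-endian length, then payload.
   Constructed for illustration; not QuickTime's parser or its real layout. */
#define RECORD_BUF_SIZE 256

/* Vulnerable pattern: the 16-bit field lands in a *signed* int16_t. A field
   of 0xFFF0 reads as -16, so "len > RECORD_BUF_SIZE" is false and the check
   passes; converting -16 to size_t then sign-extends to SIZE_MAX - 15, which
   is the byte count a memcpy into a 256-byte heap buffer would be given.
   Returns that copy length, or 0 when the check rejects the record. */
size_t vulnerable_copy_len(const uint8_t *rec) {
    int16_t len = (int16_t)((rec[0] << 8) | rec[1]); /* wraps to negative */
    if (len > RECORD_BUF_SIZE)
        return 0;           /* never triggers for "negative" lengths */
    return (size_t)len;     /* sign extension: heap overflow on copy */
}

/* Hardened pattern: read the field as unsigned, widen explicitly, and bound
   it by both the destination size and the bytes actually present in the
   input. Returns the copy length, or 0 when the record is rejected. */
size_t safe_copy_len(const uint8_t *rec, size_t rec_avail) {
    if (rec_avail < 2)
        return 0;           /* not even a complete length field */
    uint16_t len = (uint16_t)((rec[0] << 8) | rec[1]);
    if (len > RECORD_BUF_SIZE || len > rec_avail - 2)
        return 0;           /* declared length exceeds buffer or input */
    return (size_t)len;
}
```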

References:

http://seclists.org/fulldisclosure/2008/Jul/0277.html

