Apple and Adobe have warned that attackers could exploit serious
security holes in QuickTime and Flash Player to run malicious code
on targeted machines. But the vendors have updated the popular
multimedia applications to fix the flaws.
Apple said in an advisory that QuickTime versions prior to 7.1.3
are susceptible to multiple flaws caused by the application's
failure to properly bounds check and sanitise user-supplied
data.
Specifically, the problems are that:
- An integer or buffer overflow may be triggered by malicious
H.264 movie files.
- An integer or buffer overflow may be triggered by malicious
QuickTime movie files.
- A heap-based buffer overflow may be triggered by malicious FLC
movie files. (This issue affects the 'COLOR64' chunk in FLIC format
files.)
- An integer or buffer overflow may be triggered by malicious
FlashPix files.
- An exception can occur that can leave an uninitialised object
when handling malicious FlashPix files.
- A buffer overflow may be triggered by a malicious SGI image
file.
"An attacker can exploit these issues to execute arbitrary code
in the context of the victim user running the vulnerable
application," Apple said in its advisory. "Successful exploits may
facilitate a remote compromise of affected computers."
One reason the threat is serious is that proof-of-concept
exploit code is available for the FLC file heap-based buffer
overflow flaw, Symantec said in an email to customers of its
DeepSight Threat Management Service.
Apple has released QuickTime version 7.1.3 to address the
vulnerabilities.
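To show what the missing bounds check looks like for the FLC 'COLOR64' chunk named above, here is an added defensive example; it is not Apple's code and does not reconstruct the QuickTime flaw. It assumes the publicly documented FLIC palette-chunk layout (a 16-bit packet count, then packets of skip byte, count byte and RGB triples); the function name and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define PALETTE_ENTRIES 256              /* a FLIC palette holds 256 RGB triples */

/* Apply the body of a COLOR_64 chunk (the bytes after the chunk header) to
 * palette. Returns 0 on success, -1 on a malformed chunk; on -1 the caller
 * should discard the palette. Every length read from the file is checked. */
int flic_apply_color64(const uint8_t *body, size_t len,
                       uint8_t palette[PALETTE_ENTRIES][3])
{
    size_t pos = 2;
    unsigned index = 0, packets;

    if (len < 2)
        return -1;                       /* no room for the packet count */
    packets = body[0] | (unsigned)body[1] << 8;      /* little-endian */

    while (packets--) {
        if (len - pos < 2)
            return -1;                   /* truncated packet header */
        unsigned skip  = body[pos];
        unsigned count = body[pos + 1];
        pos += 2;
        if (count == 0)
            count = PALETTE_ENTRIES;     /* 0 encodes "all 256 colours" */
        index += skip;
        /* Destination check: the run must end inside the palette. */
        if (index > PALETTE_ENTRIES || count > PALETTE_ENTRIES - index)
            return -1;
        /* Source check: the chunk must really hold count RGB triples. */
        if ((len - pos) / 3 < count)
            return -1;
        for (unsigned i = 0; i < count; i++, index++, pos += 3) {
            /* Components are 6-bit (0-63); mask, then scale to 8-bit. */
            palette[index][0] = (uint8_t)((body[pos]     & 0x3F) << 2);
            palette[index][1] = (uint8_t)((body[pos + 1] & 0x3F) << 2);
            palette[index][2] = (uint8_t)((body[pos + 2] & 0x3F) << 2);
        }
    }
    return 0;
}

/* Constructed samples: well-formed, run past entry 255, truncated data. */
static const uint8_t sample_ok[]    = { 1,0,  2,2,    63,0,0,  0,63,0 };
static const uint8_t sample_bad[]   = { 1,0,  255,2,  63,0,0,  0,63,0 };
static const uint8_t sample_short[] = { 1,0,  0,0,    63,0,0 };
static uint8_t demo_palette[PALETTE_ENTRIES][3];

int main(void) { return flic_apply_color64(sample_ok, sizeof sample_ok, demo_palette); }
```

The destination and source checks are separate on purpose: a packet can be fully present in the file and still describe a run that ends beyond the 256-entry palette.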
Meanwhile, Adobe said in an advisory that Flash Player is
susceptible to
multiple remote code execution vulnerabilities because the
application "fails to properly bounds check user-supplied input
before copying it into insufficiently-sized memory buffers."
Adobe said attackers could exploit the problem by creating a
media file with large, dynamically-generated string data and
submitting it to be processed by the media player. "This will cause
the application to overwrite system memory at an explicit
location," Adobe said in its advisory. "Because of this, race
conditions, heap overflow and stack overflow vulnerabilities may be
possible [and would] allow remote attackers to execute arbitrary
machine code in the context of the user running the
application."
The flaws affect Flash Player 8.0.24.0 and prior, Adobe Flash
Professional 8, Flash Basic, Adobe Flash MX 2004 and Adobe Flex
1.5. Adobe recommends users upgrade to version 9.0.16.0.