Info

Disclosure

May 30, 2007

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

A buffer overflow exists in QuickTime. QuickTime for Java fails to validate applets resulting in a heap overflow. With a specially crafted applet, a context-dependent attacker can cause arbitrary code execution resulting in a loss of integrity.

Classification

Location: Local Access Required, Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Unknown
Disclosure: OSVDB Verified, Vendor Verified

Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Apple has released a patch to address this vulnerability.

Products

Apple Computer, Inc.

QuickTime

7.1.6

References

Security Tracker: 1018136
CVE ID: 2007-2388 (see also: NVD)
Bugtraq ID: 24221
Secunia Advisory ID: 25130
Related OSVDB ID: 35575
CERT VU: 995836
VUPEN Advisory: ADV-2007-1974
Vendor Specific Advisory URL: http://docs.info.apple.com/article.html?artnum=305531
Mail List Post: http://lists.apple.com/archives/security-announce/2007/May/msg00005.html
Other Advisory URL: http://secunia.com/secunia_research/2007-52/advisory/
Vendor Specific News/Changelog Entry: http://www.apple.com/support/downloads/securityupdatequicktime716formac.html
http://www.apple.com/support/downloads/securityupdatequicktime716forwindows.html

Credit

John McDonald - PGP Security
Paul Griswold -
Tom Cross - Internet Security Systems
Dyon Balding - Secunia

Direct URL: http://osvdb.org/35576