Apple QuickTime fails to properly handle corrupt TGA images

Overview

Apple’s QuickTime is a player for files and streaming media in a variety of different formats. A flaw in QuickTime’s handling of Targa (TGA) image format files could allow a remote attacker to execute arbitrary code on a vulnerable system.

Description

Several types of overflow vulnerabilities exist in the way QuickTime handles files in the Targa (TGA) image file format. A specially crafted TGA image can allow an attacker to execute arbitrary code of their choosing with the privileges of the user running QuickTime or cause a denial of service. Apple’s advisory on this issue states that a buffer overflow, integer overflow, or integer underflow error could be exploited by such a crafted image. Additional details about the underlying cause of these overflows are not known.

Note that this issue affects QuickTime installations on both Apple Mac OS X and Microsoft Windows operating systems.

---

Impact

An attacker with the ability to supply a maliciously crafted TGA file (.tga or .targa) could execute arbitrary code on a vulnerable system or cause a denial of service. The attacker-supplied code would be executed with the privileges of the QuickTime user opening the malicious file. The crafted TGA image may be supplied on a webpage or in email for the victim to select, or by some other means designed to encourage them to invoke QuickTime on the exploit image…

---

Solution

Install an update

Apple has addressed this issue with Quicktime 7.0.4, as specified in Apple Support Document 303101.

---

Vendor Information

115729

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Apple Computer, Inc. __ Affected

Updated: January 11, 2006

Status

Affected

Vendor Statement

`-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2006-01-10 QuickTime 7.0.4

QuickTime 7.0.4 is available and delivers the following security
enhancements:

CVE-ID: CVE-2005-2340
Available for: Mac OS X v10.3.9 and later, Windows XP/2000
Impact: A maliciously-crafted QTIF image may result in arbitrary code
execution
Description: By carefully crafting a corrupt QTIF image, an attacker
can trigger a heap buffer overflow that may result in arbitrary code
execution. This update addresses the issue by performing additional
validation of GIF images. Credit to Varun Uppal of Kanbay for
reporting this issue.

CVE-ID: CVE-2005-3707, CVE-2005-3708, CVE-2005-3709
Available for: Mac OS X v10.3.9 and later, Windows XP/2000
Impact: Viewing a maliciously-crafted TGA image may result in
arbitrary code execution
Description: By carefully crafting a corrupt TGA image, an attacker
can trigger a buffer overflow, integer overflow, or integer underflow
that may result in a denial-of-service or arbitrary code execution.
This update addresses the issue by performing additional validation
of TGA images. Credit to Dejun Meng of Fortinet for reporting this
issue.

CVE-ID: CVE-2005-3710, CVE-2005-3711
Available for: Mac OS X v10.3.9 and later, Windows XP/2000
Impact: Viewing a maliciously-crafted TIFF image may result in
arbitrary code execution
Description: By carefully crafting a corrupt TIFF image, an attacker
can trigger an integer overflow that may result in a
denial-of-service or arbitrary code execution. This update addresses
the issue by performing additional validation of TIFF images. Credit
to Dejun Meng of Fortinet for reporting this issue.

CVE-ID: CVE-2005-3713
Available for: Mac OS X v10.3.9 and later, Windows XP/2000
Impact: A maliciously-crafted GIF image may result in arbitrary code
execution
Description: By carefully crafting a corrupt GIF image, an attacker
can trigger a heap buffer overflow that may result in arbitrary code
execution. This update addresses the issue by performing additional
validation of GIF images. Credit to Karl Lynn of eEye Digital
Security for reporting this issue.

CVE-ID: CVE-2005-4092
Available for: Mac OS X v10.3.9 and later, Windows XP/2000
Impact: A maliciously-crafted media file may result in arbitrary code
execution
Description: By carefully crafting a corrupt media file, an attacker
can trigger a heap buffer overflow that may result in arbitrary code
execution. This update addresses the issue by performing additional
validation of media files. Credit to Karl Lynn of eEye Digital
Security for reporting this issue.

QuickTime 7.0.4 may be obtained from the Software Update pane in
System Preferences, or from the Download tab in the QuickTime site
<http://www.apple.com/quicktime/&gt;

For Mac OS X v10.3.9 or later
The download file is named: “QuickTimeInstallerX.dmg”
Its SHA-1 digest is: a605fc27d85b4c6b59ebbbc84ef553b37aa8fbca

For Windows 2000/XP
The download file is named: “iTunesSetup.exe”
Its SHA-1 digest is: 1f7d1942fec2c3c205079916dc47b254e508de4e

Information will also be posted to the Apple Product Security
web site: <http://docs.info.apple.com/article.html?artnum=61798&gt;

This message is signed with Apple’s Product Security PGP key,
and details are available at:
<http://www.apple.com/support/security/pgp/&gt;

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.4 (Build 4042)

iQEVAwUBQ8QXBYHaV5ucd/HdAQJxEAgAmYODWY0Bi3uyqkrk7iH3jB3HsmjARyqz
YMFag6iFmvkGJ4VAZ943RhbrcBsjk8XQAMtnolRuD4FGSQQHD7a4fzeYdGIRp3qo
V2XZBVW1cMAS8x0KzGNKhbRZsZZQw+0AcXbBq8oJU87XtjxVIM7Oo89k03AtkY1M
bSqM/IshcNrvbtUDqOsxFEufNN2gwPeGD4Hsqto1qd822AF4Ulpdp45E8kgCiqFA
Jm72cj6g1LqXZs8PZZdp6/eD9AazDPDe6N4yC6WhZMXJcfiAaZY6wNSYXsSVceGK
W6+0hr4el+bB3PA2o7stKVrK2FwhuYg0A/FiiyhkM6K25jwf8OgZsw==
=SKXP
-----END PGP SIGNATURE-----
`

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://docs.info.apple.com/article.html?artnum=303101&gt;
• <http://secunia.com/advisories/18370/&gt;

Acknowledgements

Thanks to Apple Product Security for reporting this vulnerability. Apple, in turn, credits Dejun Meng of Fortinet for reporting this issue to them.

This document was written by Chad R Dougherty based on information supplied by Apple.

Other Information

CVE IDs:	CVE-2005-3707
Severity Metric:	3.85 Date Public: