The InternalUnpackBits function in Apple QuickDraw, as used by Quicktime 7.1.3 and other applications on Mac OS X 10.4.8 and earlier, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted PICT file that triggers memory corruption in the _GetSrcBits32ARGB function. NOTE: this issue might overlap CVE-2007-0462.
{"securityvulns": [{"lastseen": "2021-06-08T19:03:06", "description": "Memory corruption on maleformed PICT image ARGB record.", "cvss3": {}, "published": "2007-01-24T00:00:00", "type": "securityvulns", "title": "Apple QuickDraw libraries memory corruption", "bulletinFamily": "software", "hackapp": {}, "cvss2": {}, "cvelist": ["CVE-2007-0462", "CVE-2007-0588"], "modified": "2007-01-24T00:00:00", "id": "SECURITYVULNS:VULN:7102", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:7102", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cert": [{"lastseen": "2023-05-31T14:41:36", "description": "### Overview\n\nApple QuickDraw contains a heap buffer overflow vulnerability. This vulnerability may allow an attacker to execute arbitrary code or create a denial-of-service condition.\n\n### Description\n\n[PICT](<http://en.wikipedia.org/wiki/PICT>) is a graphics file format that was used by Apple Macintosh systems prior to Mac OS X as their standard metafile format. OS X systems can open and display PICT files. Apple [QuickDraw](<http://en.wikipedia.org/wiki/QuickDraw>) is a two dimensional graphics library that has been deprecated in Mac OS version 10.4. \n\nApple QuickDraw contains a heap buffer overflow vulnerability. This vulnerability may allow an attacker to execute arbitrary code. By convincing a user to open a specially crafted PICT[](<http://en.wikipedia.org/wiki/Musical_Instrument_Digital_Interface>) file with an application that uses the QuickDraw libraries, an attacker can trigger the overflow. \n \nNote that since OS 10.4 contains limited support for QuickDraw, this vulnerability does affect recent versions of OS X. Versions of Mac prior to OS X may also be affected. \n \n--- \n \n### Impact\n\nA remote unauthenticated attacker may be able to execute arbitrary code or create a denial-of-service condition. The specially crafted PICT file used to exploit this vulnerability may be supplied on a web page, in an email for the victim to select, or by some other means designed to encourage them to process the file with a vulnerable application. \n \n--- \n \n### Solution\n\n**Upgrade** \n \nApple has published Mac OS X 10.4.9 for Mac OS X 10.4 (Tiger) systems and Security Update 2007-003 for Mac OS X 10.3 (Panther) systems in response to this issue. Users are encouraged to review Apple Support Article ID [305214](<http://docs.info.apple.com/article.html?artnum=305214>) and apply the appropriate update for their system. \n \n--- \n \n### Vendor Information\n\n396820\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Apple Computer, Inc. __ Affected\n\nUpdated: March 14, 2007 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nSee <http://docs.info.apple.com/article.html?artnum=305214> for more details.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23396820 Feedback>).\n\n \n\n\n### CVSS Metrics\n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References\n\n * <http://docs.info.apple.com/article.html?artnum=305214>\n * <http://secunia.com/advisories/24479/>\n * <http://en.wikipedia.org/wiki/PICT>\n * <http://en.wikipedia.org/wiki/QuickDraw>\n * <http://securitytracker.com/alerts/2007/Mar/1017760.html>\n * <http://www.securityfocus.com/bid/22228>\n * [http://www.sans.org/newsletters/risk/display.php?v=6&i=5#widely6](<http://www.sans.org/newsletters/risk/display.php?v=6&i=5#widely6>)\n\n### Acknowledgements\n\nApple credits to Tom Ferris of Security-Protocols and Mike Price of McAfee AVERT Labs for reporting this issue.\n\nThis document was written by Ryan Giobbi.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2007-0588](<http://web.nvd.nist.gov/vuln/detail/CVE-2007-0588>) \n---|--- \n**Severity Metric:** | 5.10 \n**Date Public:** | 2007-03-13 \n**Date First Published:** | 2007-03-14 \n**Date Last Updated: ** | 2007-03-20 16:04 UTC \n**Document Revision: ** | 15 \n", "cvss3": {}, "published": "2007-03-14T00:00:00", "type": "cert", "title": "Apple QuickDraw Manager heap buffer overflow vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.1, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-0588"], "modified": "2007-03-20T16:04:00", "id": "VU:396820", "href": "https://www.kb.cert.org/vuls/id/396820", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T12:34:08", "description": "QuickDraw is the 2-dimension graphic library, a core part of the legacy Apple Macintosh operating system. The product has been largely superseded in the latest Mac OS X operating system but still exists as part of the system libraries. There exists a memory corruption vulnerability in the Apple QuickDraw product. The flaw is due to improper handling of PICT image files. This vulnerability can be exploited by a malicious PICT image on the target host using an affected product which leads to a denial of service condition and possibly execution of arbitrary code. In an attack case where code injection is not successful, the affected application that is parsing the malicious PICT file may terminate abnormally. In a more sophisticated attack where code injection is successful, the behavior of the target host is entirely dependent on the intended function of the injected code. The code in such a case would execute within the security context of the currently logged in user.", "cvss3": {}, "published": "2010-02-17T00:00:00", "type": "checkpoint_advisories", "title": "Apple QuickDraw PICT Images ARGB Records Handling Memory Corruption (CVE-2007-0462)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-0462"], "modified": "2016-02-14T00:00:00", "id": "CPAI-2007-227", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-11-28T06:42:04", "description": "A memory corruption vulnerability has been reported in QuickDraw. The vulnerability is due to improper handling of PICT image files. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {}, "published": "2014-04-16T00:00:00", "type": "checkpoint_advisories", "title": "Apple QuickDraw PICT Images ARGB Records Handling Memory Corruption - Ver2 (CVE-2007-0462)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2007-0462"], "modified": "2014-04-16T00:00:00", "id": "CPAI-2014-1449", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-11-05T00:12:59", "description": "Several vulnerabilities have been identified within various versions of Apple QuickTime and Apple QuickDraw that, if exploited, would allow a remote attacker to execute arbitrary code on a vulnerable system.", "cvss3": {}, "published": "2008-02-26T00:00:00", "type": "checkpoint_advisories", "title": "Update IPS-1 with a Protection against Apple QuickTime and Apple QuickDraw Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-0462", "CVE-2007-2296", "CVE-2007-4672", "CVE-2007-4676"], "modified": "2008-01-01T00:00:00", "id": "CPAI-2008-204", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2023-09-28T17:42:15", "description": "The _GetSrcBits32ARGB function in Apple QuickDraw, as used by Quicktime 7.1.3 and other applications on Mac OS X 10.4.8 and earlier, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted PICT image with a malformed Alpha RGB (ARGB) record, which triggers memory corruption.", "cvss3": {}, "published": "2007-01-26T01:28:00", "type": "cve", "title": "CVE-2007-0462", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-0462"], "modified": "2017-07-29T01:30:00", "cpe": ["cpe:/o:apple:mac_os_x:10.4.8", "cpe:/a:apple:quicktime:7.1.3"], "id": "CVE-2007-0462", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0462", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:apple:mac_os_x:10.4.8:*:*:*:*:*:*:*", "cpe:2.3:a:apple:quicktime:7.1.3:*:*:*:*:*:*:*"]}], "nessus": [{"lastseen": "2023-05-18T14:58:45", "description": "The remote host is running a version of Mac OS X 10.4 which is older than version 10.4.9 or a version of Mac OS X 10.3 which does not have Security Update 2007-003 applied.\n\nThis update contains several security fixes for the following programs :\n\n - ColorSync\n - CoreGraphics\n - Crash Reporter\n - CUPS\n - Disk Images\n - DS Plugins\n - Flash Player\n - GNU Tar\n - HFS\n - HID Family\n - ImageIO\n - Kernel\n - MySQL server\n - Networking\n - OpenSSH\n - Printing\n - QuickDraw Manager\n - servermgrd\n - SMB File Server\n - Software Update\n - sudo \n - WebLog", "cvss3": {}, "published": "2007-03-13T00:00:00", "type": "nessus", "title": "Mac OS X < 10.4.9 Multiple Vulnerabilities (Security Update 2007-003)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2005-2959", "CVE-2006-0225", "CVE-2006-0300", "CVE-2006-1516", "CVE-2006-1517", "CVE-2006-2753", "CVE-2006-3081", "CVE-2006-3469", "CVE-2006-4031", "CVE-2006-4226", "CVE-2006-4829", "CVE-2006-4924", "CVE-2006-5051", "CVE-2006-5052", "CVE-2006-5330", "CVE-2006-5679", "CVE-2006-5836", "CVE-2006-6061", "CVE-2006-6062", "CVE-2006-6097", "CVE-2006-6129", "CVE-2006-6130", "CVE-2006-6173", "CVE-2007-0229", "CVE-2007-0236", "CVE-2007-0267", "CVE-2007-0299", "CVE-2007-0318", "CVE-2007-0463", "CVE-2007-0467", "CVE-2007-0588", "CVE-2007-0719", "CVE-2007-0720", "CVE-2007-0721", "CVE-2007-0722", "CVE-2007-0723", "CVE-2007-0724", "CVE-2007-0726", "CVE-2007-0728", "CVE-2007-0730", "CVE-2007-0731", "CVE-2007-0733", "CVE-2007-1071"], "modified": "2018-07-14T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x"], "id": "MACOSX_10_4_9.NASL", "href": "https://www.tenable.com/plugins/nessus/24811", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\nif ( ! defined_func(\"bn_random\") ) exit(0);\nif ( NASL_LEVEL < 3004 ) exit(0);\n\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(24811);\n script_version (\"1.29\");\n\n script_cve_id(\"CVE-2007-0719\", \"CVE-2007-0467\", \"CVE-2007-0720\", \n \"CVE-2007-0721\", \"CVE-2007-0722\", \"CVE-2006-6061\", \n \"CVE-2006-6062\", \"CVE-2006-5679\", \"CVE-2007-0229\", \n \"CVE-2007-0267\", \"CVE-2007-0299\", \"CVE-2007-0723\", \n \"CVE-2006-5330\", \"CVE-2006-0300\", \"CVE-2006-6097\", \n \"CVE-2007-0318\", \"CVE-2007-0724\", \"CVE-2007-1071\", \n \"CVE-2007-0733\", \"CVE-2006-5836\", \"CVE-2006-6129\", \n \"CVE-2006-6173\", \"CVE-2006-1516\", \"CVE-2006-1517\", \n \"CVE-2006-2753\", \"CVE-2006-3081\", \"CVE-2006-4031\", \n \"CVE-2006-4226\", \"CVE-2006-3469\", \"CVE-2006-6130\", \n \"CVE-2007-0236\", \"CVE-2007-0726\", \"CVE-2006-0225\", \n \"CVE-2006-4924\", \"CVE-2006-5051\", \"CVE-2006-5052\", \n \"CVE-2007-0728\", \"CVE-2007-0588\", \"CVE-2007-0730\", \n \"CVE-2007-0731\", \"CVE-2007-0463\", \"CVE-2005-2959\", \n \"CVE-2006-4829\");\n script_bugtraq_id(20982, 21236, 21291, 21349, 22041, 22948);\n\n script_name(english:\"Mac OS X < 10.4.9 Multiple Vulnerabilities (Security Update 2007-003)\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a Mac OS X update which fixes a security\nissue.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of Mac OS X 10.4 which is older than\nversion 10.4.9 or a version of Mac OS X 10.3 which does not have \nSecurity Update 2007-003 applied.\n\nThis update contains several security fixes for the following programs :\n\n - ColorSync\n - CoreGraphics\n - Crash Reporter\n - CUPS\n - Disk Images\n - DS Plugins\n - Flash Player\n - GNU Tar\n - HFS\n - HID Family\n - ImageIO\n - Kernel\n - MySQL server\n - Networking\n - OpenSSH\n - Printing\n - QuickDraw Manager\n - servermgrd\n - SMB File Server\n - Software Update\n - sudo \n - WebLog\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://docs.info.apple.com/article.html?artnum=305214\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Mac OS X 10.4 : Upgrade to Mac OS X 10.4.9 :\n\nhttp://www.apple.com/support/downloads/macosxserver1049updateppc.html\nhttp://www.apple.com/support/downloads/macosx1049updateintel.html\nhttp://www.apple.com/support/downloads/macosxserver1049updateuniversal.html\n\nMac OS X 10.3 : Apply Security Update 2007-003 :\n\nhttp://www.apple.com/support/downloads/securityupdate20070031039client.html\nhttp://www.apple.com/support/downloads/securityupdate20070031039server.html\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(79, 119, 362, 399);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2007/03/13\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/09/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value: \"2007/03/13\");\n script_cvs_date(\"Date: 2018/07/14 1:59:35\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"combined\");\nscript_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\nscript_end_attributes();\n\n script_summary(english:\"Check for the version of Mac OS X\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.\");\n script_family(english:\"MacOS X Local Security Checks\");\n script_dependencies(\"ssh_get_info.nasl\", \"os_fingerprint.nasl\");\n exit(0);\n}\n\n\nos = get_kb_item(\"Host/MacOSX/Version\");\nif ( ! os ) {\n\t os = get_kb_item(\"Host/OS\");\n\t confidence = get_kb_item(\"Host/OS/Confidence\");\n\t if ( confidence <= 90 ) exit(0);\n\t}\nif ( ! os ) exit(0);\nif ( ereg(pattern:\"Mac OS X 10\\.4($|\\.[1-8]([^0-9]|$))\", string:os)) security_hole(0);\nelse if ( ereg(pattern:\"Mac OS X 10\\.3\\.\", string:os) )\n{\n packages = get_kb_item(\"Host/MacOSX/packages\");\n if ( ! packages ) exit(0);\n if (!egrep(pattern:\"^SecUpd(Srvr)?2007-003\", string:packages)) security_hole(0);\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}]}
CVE-2007-0588
