
DOE-CIRC TECHNICAL BULLETIN

T-152: Apple QuickTime JP2 Image Handling Heap Buffer Overflow Vulnerability

[CVE-2009-0957]

June 4, 2009 14:00 GMT

PROBLEM: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime.
PLATFORM: Apple QuickTime versions prior to 7.6.2 (the 7.6.2 update is available for Mac OS X v10.4.11, Mac OS X v10.5.7, Windows Vista, and Windows XP SP3)
ABSTRACT: The specific flaw exists during the parsing of malformed JPEG 2000 (JP2) image files. A size field is read directly from the file and used to allocate memory for a structure.

LINKS:  
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-152.shtml
  OTHER LINKS: Apple
http://support.apple.com/kb/HT3591
http://lists.apple.com/archives/security-announce/2009/Jun/msg00000.html
Vupen Security
http://www.vupen.com/english/advisories/2009/1469
Security Focus
http://www.securityfocus.com/bid/35165/info
Zero Day Initiative
http://www.zerodayinitiative.com/advisories/ZDI-09-029/

CVE: CVE-2009-0957

IMPACT ASSESSMENT: This risk is high. Viewing a maliciously crafted JP2 image may lead to an unexpected application termination or arbitrary code execution.

[***** Start CVE-2009-0957 *****]

Discussion:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime. User
interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious
file. 

The specific flaw exists during the parsing of malformed JPEG 2000 (JP2) image files. A size field is read directly from the
file and used to allocate memory for a structure. If the value read is smaller than the expected structure size, the parser
writes past the end of the undersized heap allocation; the resulting memory corruption can be leveraged by an attacker to
execute arbitrary code in the context of the current user.
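
The bug class the Discussion describes, shown as an added example in C. This is not QuickTime's code and is not taken from any of the advisories linked above; the img_header_t layout, the 4-byte big-endian length prefix, the function names, and the two sample files are all assumptions made for the illustration. The vulnerable parser sizes its heap block from the file and then writes a fixed-size structure into it; the hardened parser beside it rejects any declared size smaller than the structure before allocating.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical in-memory header used to illustrate the bug class the bulletin
 * describes. It is NOT QuickTime's JP2 structure; the field names and the
 * 12-byte wire layout (4+4+2+1+1) are assumptions for this example. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint16_t components;
    uint8_t  bit_depth;
    uint8_t  flags;
} img_header_t;

typedef int (*parser_fn)(const uint8_t *buf, size_t len, img_header_t **out);

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Decode the 12-byte wire payload into the structure. Every call writes
 * sizeof(img_header_t) bytes through h, whatever size h was allocated with. */
static void fill_header(img_header_t *h, const uint8_t *p) {
    h->width      = read_be32(p);
    h->height     = read_be32(p + 4);
    h->components = (uint16_t)(((uint16_t)p[8] << 8) | p[9]);
    h->bit_depth  = p[10];
    h->flags      = p[11];
}

/* Vulnerable pattern (assumed, matching the bulletin's description): the
 * allocation size is the length field taken straight from the file, but the
 * write that follows is the fixed size of the structure. With a declared
 * length of 4 this is malloc(4) followed by a 12-byte write. */
int parse_header_vulnerable(const uint8_t *buf, size_t len, img_header_t **out) {
    if (len < 4) return -1;
    uint32_t declared = read_be32(buf);
    if (declared > len - 4) return -1;      /* keeps the READ inside the input ... */
    img_header_t *h = malloc(declared);     /* ... but sizes the heap block from the file */
    if (h == NULL) return -1;
    fill_header(h, buf + 4);                /* heap overflow when declared < sizeof(*h) */
    *out = h;
    return 0;
}

/* Hardened form: the declared size must cover the structure we are about to
 * fill and must fit in the remaining input, and both checks precede malloc. */
int parse_header_hardened(const uint8_t *buf, size_t len, img_header_t **out) {
    if (len < 4) return -1;
    uint32_t declared = read_be32(buf);
    if (declared < sizeof(img_header_t) || declared > len - 4) return -1;
    img_header_t *h = malloc(declared);
    if (h == NULL) return -1;
    fill_header(h, buf + 4);
    *out = h;
    return 0;
}

/* How many bytes fill_header() would write past an allocation of `declared`
 * bytes; 0 means the vulnerable parser happens to be safe for this value. */
size_t overflow_bytes(uint32_t declared) {
    return declared < sizeof(img_header_t) ? sizeof(img_header_t) - declared : 0;
}

/* Run a parser and return the decoded width, or -1 if it rejected the input. */
long parsed_width(parser_fn parse, const uint8_t *buf, size_t len) {
    img_header_t *h = NULL;
    if (parse(buf, len, &h) != 0) return -1;
    long w = (long)h->width;
    free(h);
    return w;
}

/* Constructed sample inputs (not real JP2 data): a big-endian length field
 * followed by the 12-byte payload 640 x 480, 3 components, 8 bits, flags 0. */
static const uint8_t GOOD_FILE[] = {
    0x00, 0x00, 0x00, 0x0C,                  /* declared length 12 == sizeof(img_header_t) */
    0x00, 0x00, 0x02, 0x80, 0x00, 0x00, 0x01, 0xE0,
    0x00, 0x03, 0x08, 0x00
};
static const uint8_t BAD_FILE[] = {
    0x00, 0x00, 0x00, 0x04,                  /* declared length 4: too small for the structure */
    0x00, 0x00, 0x02, 0x80, 0x00, 0x00, 0x01, 0xE0,
    0x00, 0x03, 0x08, 0x00
};

int main(void) {
    printf("hardened parser, well-formed file: width=%ld\n",
           parsed_width(parse_header_hardened, GOOD_FILE, sizeof GOOD_FILE));
    printf("hardened parser, malformed file:   width=%ld (rejected)\n",
           parsed_width(parse_header_hardened, BAD_FILE, sizeof BAD_FILE));
    printf("vulnerable parser on malformed file would write %zu bytes past a %u-byte block\n",
           overflow_bytes(read_be32(BAD_FILE)), read_be32(BAD_FILE));
    /* parse_header_vulnerable() is deliberately not called on BAD_FILE: that
     * call is the overflow itself, and undefined behaviour. */
    return 0;
}
```

The only bounds check in the vulnerable parser keeps the read inside the input buffer, which is why a file that is long enough but declares a structure size of 4 passes it; the hardened parser also requires the declared size to cover the structure that will be written, before malloc is called. Building with -fsanitize=address and calling parse_header_vulnerable() on BAD_FILE yourself will report the 8-byte heap-buffer-overflow that main() avoids triggering.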

Solution:
QuickTime 7.6.2 may be obtained from the Software Update application, or from the QuickTime Downloads site:
http://www.apple.com/quicktime/download/

The vendor has released an update and an advisory. Refer to the link below for details.

http://www.securityfocus.com/bid/35165/solution


[***** End CVE-2009-0957 *****]

DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov
                    


UCRL-MI-119788