Malicious Media Files Usurp QuickTime and iTunes

Severity: Medium

30 March, 2010

Summary:

§  These vulnerabilities affect: QuickTime 7.6.x and iTunes 9.x running on any platform

§  How an attacker exploits them: Multiple vectors of attack, including enticing your user to view maliciously crafted images or videos, or to visit a malicious website

§  Impact: In the worst case, an attacker could execute code on your user's computer, potentially gaining complete control of it

§  What to do: Install QuickTime 7.6.6 and iTunes 9.1 for Windows or OS X

Exposure:

Today, Apple released two security updates [ QuickTime / iTunes ] to fix several vulnerabilities in QuickTime 7.6.x and iTunes 9.x running on Windows or OS X computers. 

The QuickTime update fixes sixteen security issues (number based on CVE-IDs) involving how QuickTime handles certain image and video files. While the vulnerabilities differ technically, they share the same basic scope and impact. If an attacker can trick one of your users into viewing a maliciously crafted image or video in QuickTime, he could exploit any of these flaws to execute code on that user's computer, with that user's privileges. In Windows environments, users typically have local administrator access on their computers, meaning the attacker could leverage these vulnerabilities to gain complete control of their machines. However, OS X separates user accounts from the root account. So attackers can only exploit these flaws to gain user-level privileges on OS X machines.

Apple's iTunes update corrects seven security issues (number based on CVE-IDs), the worst of which have to do with how iTunes handles certain image and media files. Like the QuickTime flaws above, if an attacker can trick one of your users into viewing a maliciously crafted image or media file in iTunes, the worst of these flaws could be exploited to execute code on that user's computer, with that user's privileges. In Windows, this often means the attacker gains control of your user's computer. On a Mac, the attacker only gains user-level privileges. However, another of the iTunes vulnerabilities can allow local users to gain system privileges, so an attacker could leverage a combination of these vulnerabilities to gain complete control of a Mac as well.

If you allow the use of QuickTime or iTunes in your network, we recommend you download and install the latest versions as soon as possible. Keep in mind, iTunes now ships with QuickTime. If you have iTunes, you'll likely need both updates.

Malicious Excel Documents Contain Unwelcome Surprises

Severity: High

9 March, 2010

Summary:

§  These vulnerabilities affect: All current versions of Excel shipping with Microsoft Office, and ancillary Office products (like Excel Viewer)

§  How an attacker exploits them: By enticing you to open maliciously crafted Excel documents

§  Impact: An attacker can execute code, potentially gaining complete control of your computer

§  What to do: Install the appropriate Excel patch immediately, or let Microsoft's Automatic Update do it for you.

Exposure:

Today, Microsoft released a security bulletin describing seven vulnerabilities found in Excel, a component that ships with Microsoft Office. The vulnerabilities affect all current versions of Office for Mac and PC, as well as ancillary Office components, such as Excel Viewer and Office compatibility packs. They even affect Microsoft Sharepoint Server.

Though the seven vulnerabilities differ technically, they share the same basic scope and impact. By enticing one of your users into downloading and opening a maliciously crafted Excel document, an attacker can exploit any of these vulnerabilities to execute code on a victim's computer, inheriting that user's level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user's machine.

Although this type of attack requires some user interaction (which is why Microsoft only rates it as Important), we suspect that your users interact with Office documents quite regularly. An attacker could probably easily convince many users to open a malicious Excel document, so we recommend you apply this Excel update immediately.

Windows Movie Maker Code Execution Vulnerability

Severity: Medium

9 March, 2010

Summary:

§  These vulnerabilities affect: Affects Windows Movie Maker 2.1, 2.6, and 6.0. Also affects Microsoft Producer 2003

§  How an attacker exploits them: By enticing you to open maliciously crafted Movie Maker or Producer project

§  Impact: An attacker can execute code, potentially gaining complete control of your computer

§  What to do: Install the appropriate Movie Maker patch as soon as possible, or let Microsoft's Automatic Update do it for you.

Exposure:

Windows Movie Maker is a video capturing and editing application that you get free with Windows. Movie Maker actually ships with older versions of Windows, such as Windows XP and 2000. However, the latest versions of Windows (Windows Vista and 7), don't provide the Movie Maker application on the installation disc. Instead, you have the option to download it for free as part of the Windows Live Essentials package. In short, if you have Windows XP, you have Windows Movie Maker. However, if you have Windows Vista or 7, you only have it if you chose to download and install the Live Essentials package.

Today, Microsoft released a security bulletin describing a buffer overflow vulnerability that affects Windows 2.1, 2.6, and 6.0. Also affects Microsoft Producer 2003 (Producer is another optional download that adds rich-media creation features to PowerPoint). Movie Maker and Producer do not properly parse specially crafted project files. If an attacker can entice you to download a specially crafted project file, then open that file in Movie Maker or Producer, he can exploit this flaw to execute code on your computer, with your privileges. If you have local administrative privileges, the attacker gains full control your computer.

While code execution flaws have the highest impact, we do not feel this flaw poses a high risk to most business users. Few business users ever run Movie Maker, so it would probably be more difficult to get them to interact with Movie Maker projects. Nonetheless, we still recommend you apply the Movie Maker update as soon as you can.