Apple Security Advisory 2002-09-19

Posted Sep 26, 2002
Authored by Apple | Site apple.com

Apple security advisory APPLE-SA-2002-09-19 - Apple QuickTime ActiveX v5.0.2 has a buffer overrun condition that can result in execution of arbitrary code. To exploit this vulnerability an attacker would need to get his or her target to open a malicious HTML file as an attachment to an email message, as a file on the local or network file system, or as a file via HTTP.

tags | web, overflow, arbitrary, local, activex
systems | apple
SHA-256 | 5907e5ca8b939567f596c5abdbc0ead1070c8160b0c2423fbea33fdb62a333be


Apple Security Advisory APPLE-SA-2002-09-19

Overview

A buffer overflow exists in the ActiveX control distributed in Apple
QuickTime for Windows Version 5.0.2. Any user who opens this control in
Microsoft Windows Internet Explorer or other affected Windows mail
clients is vulnerable to attack.

QuickTime versions for Mac OS X or Mac OS 9 are not vulnerable.

Recommendation

Users and web site administrators running the Windows operating system
should upgrade to the new version of the ActiveX control as soon as
possible. This can be done by either downloading a new ActiveX control,
or updating to QuickTime 6 which contains a fixed version of the ActiveX
control.

ActiveX control only:
http://www.apple.com/quicktime/download/qtcheck/
This control will work with QuickTime version 3.0 and later.

QuickTime 6 (free update): http://www.apple.com/QuickTime/download/

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the
following identification to this issue. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

CAN-2002-0376 Apple QuickTime ActiveX v5.0.2 Buffer Overrun

Description

QuickTime for Windows version 5.0.2 is distributed with an ActiveX
control to allow QuickTime movies to be played on versions of Microsoft
Windows Internet Explorer. The ActiveX control for QuickTime for
Windows 5.0.2 has a buffer overflow vulnerability triggered by
insufficient input validation when parsing the "pluginspage" parameter.

This vulnerability can be exploited by a remote attacker who can induce
a victim to visit any web site with malicious code offering the
vulnerable code or executing a control already present on the victim's
computer. Also affected are users who open HTML messages in Windows
mail clients that use Internet Explorer to render HTML and load ActiveX
controls (e.g., Outlook, Outlook Express, Eudora, etc.). Note that an
email attack would be rendered harmless if the end user's email client
handled HTML mail in Internet Explorer's Restricted Sites Zone (say by
having applied the Outlook Email Security Update distributed by
Microsoft; Outlook Express 6 and Outlook 2002 handle mail in the
Restricted Sites Zone by default). Mail clients unable to render HTML or
that do not invoke Internet Explorer are unaffected.
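
For mail gateways or proxies that must triage HTML while clients are still being upgraded, the following added example (not part of Apple's advisory) lists every "pluginspage" value passed to an embedded control and flags oversized ones. The 256-character threshold, the names and the sample documents are assumptions; the advisory does not state the buffer size.

```python
from html.parser import HTMLParser

# Assumed triage threshold: a legitimate pluginspage value is a short download
# URL. The advisory gives no buffer size, so this number is a policy choice.
MAX_PLUGINSPAGE_LEN = 256


class PluginspageAudit(HTMLParser):
    """Collect every "pluginspage" value handed to an embedded control."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # tuples: (tag, line, value length, oversized?)

    def _record(self, tag, value):
        value = value or ""  # valueless attributes arrive as None
        line, _ = self.getpos()
        self.findings.append(
            (tag, line, len(value), len(value) > MAX_PLUGINSPAGE_LEN))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # tag and attribute names are already lower-cased
        # Attribute form: <embed pluginspage="..."> or <object pluginspage="...">
        if tag in ("embed", "object") and "pluginspage" in attrs:
            self._record(tag, attrs["pluginspage"])
        # Parameter form: <param name="pluginspage" value="..."> inside <object>
        elif tag == "param" and (attrs.get("name") or "").lower() == "pluginspage":
            self._record(tag, attrs.get("value"))


def scan_html(html):
    """Return one finding per pluginspage occurrence in the document."""
    audit = PluginspageAudit()
    audit.feed(html)
    audit.close()
    return audit.findings


def is_suspicious(html):
    """True if any pluginspage value exceeds the assumed threshold."""
    return any(oversized for _, _, _, oversized in scan_html(html))


# Constructed sample documents (not taken from any real message or site).
BENIGN = '<embed src="clip.mov" pluginspage="http://www.apple.com/quicktime/download/">'
OVERSIZED = ('<object>\n<param name="src" value="clip.mov">\n'
             '<param name="PluginsPage" value="' + "A" * 4000 + '">\n</object>')
```
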

All web content managers who support QuickTime technology and all
Windows users of Microsoft Internet Explorer are encouraged to upgrade
to the new ActiveX control or QuickTime Version 6.0 as soon as possible.

Solution
Either download the new ActiveX control by itself, or update to
QuickTime 6:

ActiveX control only:
http://www.apple.com/quicktime/download/qtcheck/
This control will work with QuickTime version 3.0 and later.

QuickTime 6 (free update): http://www.apple.com/QuickTime/download/

Mitigating factors

* In the case of the web-based attack, an attacker would need to force a
user to visit the attacker's Web site. Users who exercise caution in
visiting web sites could minimize their risk.

* In the web-based attack, if ActiveX controls have been disabled in the
zone in which the page was viewed, the vulnerability could not be
exploited. Users who place untrusted sites in the Restricted Sites zone,
which disables ActiveX by default, or have disabled ActiveX controls in
the Internet zone could minimize their risk.

* In the case of HTML email based attacks, customers who read email in
the Restricted Sites zone would be protected against attempts to exploit
this vulnerability. Customers using Outlook 2002 and Outlook Express
6.0, as well as Outlook 2000 and Outlook 98 customers who have applied
the Outlook Email Security Update would thus be protected by default.
Also, Outlook Express 5.0 customers who have chosen to read mail in the
Restricted Sites zone would be protected by default.

* In the HTML email based attack, Outlook 2002 customers who have
enabled the "Read as Plain Text" option available in SP1 or later would
also be protected.

Further information

Are there any caveats associated with the patch?

Yes. Customers should be aware that although the vulnerabilities here
involve an ActiveX control, the patch does not set the Kill Bit.

What's an ActiveX control?

ActiveX controls are small, single-purpose programs that can be called
by programs and web pages. ActiveX allows a programmer to write a piece
of software one time, and make its functionality available to other
programs that may need it.

What's the "Kill Bit"?

The Kill Bit is a method by which an ActiveX control can be prevented
from ever being invoked via Internet Explorer, even if it's present on
the system. (More information on the Kill Bit is available in Microsoft
Knowledge Base article Q240797). Typically, when a security
vulnerability involves an ActiveX control, the patch delivers a new
control and sets the Kill Bit on the vulnerable control. However, it
isn't feasible to do so in this case.
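
Because this patch leaves the Kill Bit unset, administrators may want to check what state a machine is actually in. The following added example (not part of Apple's advisory) reads a text export of the "ActiveX Compatibility" registry key and reports whether a control's "Compatibility Flags" value carries the 0x400 Kill Bit described in Q240797. The function names and the CLSIDs in the sample are constructed placeholders; substitute the CLSID of the control being audited.

```python
import re

KILL_BIT = 0x00000400  # "Compatibility Flags" bit described in KB Q240797
COMPAT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft"
              r"\Internet Explorer\ActiveX Compatibility")

_KEY_RE = re.compile(r"^\[(?P<path>.+)\\(?P<clsid>\{[0-9A-Fa-f-]{36}\})\]$")
_FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:(?P<val>[0-9A-Fa-f]{8})$')


def parse_compat_flags(reg_text):
    """Map CLSID -> Compatibility Flags from decoded `reg export` text."""
    flags, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # A new key header ends the previous key's value list.
            current = None
            key = _KEY_RE.match(line)
            if key and key.group("path").upper() == COMPAT_KEY.upper():
                current = key.group("clsid").upper()
                flags.setdefault(current, 0)  # key present, value may be absent
            continue
        val = _FLAGS_RE.match(line)
        if current and val:
            flags[current] = int(val.group("val"), 16)
    return flags


def kill_bit_set(flags, clsid):
    """True only if the control has an entry and the Kill Bit is set in it."""
    return bool(flags.get(clsid.upper(), 0) & KILL_BIT)


# Constructed sample export; both CLSIDs are placeholders, not real controls.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000A1}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000B2}]
"Compatibility Flags"=dword:00800000
"""
```
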

Why isn't it feasible to set the Kill Bit in this case?

The Kill Bit is currently implemented in Windows as an "all or nothing"
switch. Setting the Kill Bit will totally disable your ability to use
QuickTime in media which invokes it via the ActiveX control. This
includes millions of web pages, along with many CDs and DVDs. By
design, the Web pages, CDs and DVDs contain hard-coded references to the
ActiveX control to load QuickTime. The QuickTime content on these web
pages, CDs and DVDs would no longer be accessible. As a result, a new
ActiveX control is provided to remove the vulnerabilities, but the Kill
Bit is not set on the old one.

Will the Kill Bit on this control be eventually set?

Yes. Microsoft is developing a new technology that will enable it to set
the Kill Bit on the vulnerable version of the control without forcing
users to re-author web pages containing references to these controls.
When the new technology is available, we'll provide a QuickTime update
that makes use of it.

References

http://www.apple.com/QuickTime/download/
http://www.apple.com/quicktime/download/qtcheck/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0376

http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q240797
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q154850&FR=1
