BeyondTrust

Security in Context: The BeyondTrust Blog


QTL Arbitrary JavaScript Execution

Disclosed September 20, 2006    Fully Patched

Vulnerability Description:

A zero-day vulnerability has been publicly disclosed within QuickTime. An attacker could leverage this vulnerability to execute arbitrary JavaScript code under the context of the logged in user.

Vendors:

Apple

Vulnerable Software/Devices:

QuickTime 7.X
NOTE: Firefox Must Be Installed As The Default Browser

Vulnerability Severity:

High

Exploit Availability:

N/A

Exploit Impact:

Local Code Execution
Arbitrary JavaScript execution under the context of the logged-in user. This JavaScript code could be used to auto-download malicious binaries or perform other system infection actions.

BeyondTrust Prevention and Detection:

BeyondTrust's Blink® Personal Edition protects from this vulnerability.
BeyondTrust's Blink® Professional Edition protects from this vulnerability.
BeyondTrust's Retina® Network Security Scanner scans devices to detect this vulnerability.

Patch:
QuickTime Patch

Mitigation:

Firefox has closed the exploit vector by disabling script execution from the command line. To mitigate the impact of this vulnerability, users are urged to upgrade to Firefox version 2.0.0.7 or later.

Other than rolling out the latest version of Firefox, the best form of mitigation is to disable the QuickTime plugins for each affected browser vector: IE7, Firefox, and Opera. This can be accomplished by renaming the QuickTime plugin binaries (npqt*.dll or nppqt*.dll) in the Plugins folders for Opera/Firefox/QuickTime so that each filename begins with an 'X'. To keep Internet Explorer from being used as an attack vector, block the QuickTime CLSIDs (02BF25D5-8C17-4B23-BC80-D3488ABDDC6B; 4063BE15-3B08-470D-A0D5-B37161CFFD69) following the directions of KB240797.

NOTE: If a user manually opened a malicious QuickTime file, they could still be exploited. The listed mitigation ensures that users must manually open a malicious file, rather than the file auto-opening when browsed to in a browser.
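
The two mitigation steps above (renaming the plugin binaries and setting the Internet Explorer kill bit for the listed CLSIDs), as an added PowerShell example that is not part of the original advisory or any vendor's code. The function name and the `PluginDirs` parameter are hypothetical, and the plugin folder paths must be supplied for the actual install; the registry key and the 0x400 flag are the kill-bit mechanism KB240797 describes.

```powershell
# Added example: hypothetical helper, not BeyondTrust, Apple or Microsoft code.
# Run elevated; use -WhatIf first to preview the changes.
function Disable-QuickTimeBrowserVector {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Assumption: plugin folder locations differ per install, so the
        # caller supplies them (Firefox, Opera and QuickTime Plugins folders).
        [Parameter(Mandatory)][string[]]$PluginDirs
    )

    # CLSIDs listed in the advisory.
    $clsids = '{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}',
              '{4063BE15-3B08-470D-A0D5-B37161CFFD69}'
    $killBit = 0x400   # "Compatibility Flags" kill-bit value from KB240797
    # 32-bit IE on 64-bit Windows reads the Wow6432Node view, so cover both.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'

    # Step 1: prefix 'X' to npqt*.dll / nppqt*.dll so the browsers skip them.
    foreach ($dir in $PluginDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { Write-Warning "Missing: $dir"; continue }
        Get-ChildItem -LiteralPath $dir -File |
            Where-Object { $_.Name -like 'npqt*.dll' -or $_.Name -like 'nppqt*.dll' } |
            ForEach-Object {
                if ($PSCmdlet.ShouldProcess($_.FullName, 'Rename with X prefix')) {
                    Rename-Item -LiteralPath $_.FullName -NewName ('X' + $_.Name)
                }
            }
    }

    # Step 2: set the kill bit for each CLSID, preserving other flag bits.
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath (Split-Path $root -Parent))) { continue }
        foreach ($clsid in $clsids) {
            $key = Join-Path $root $clsid
            if (-not $PSCmdlet.ShouldProcess($key, 'Set kill bit')) { continue }
            if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
            $old = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'Compatibility Flags'
            Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                -Value ([int]$old -bor $killBit) -Type DWord
        }
    }
}
```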

Links:

Mozilla Foundation Security Advisory 2007-28
Original Vulnerability Disclosure
Second Disclosure of Same Vulnerability
Third Disclosure of Same Vulnerability
CVE-2006-4965

CVE(s):

None
