QuickTime ActiveX Control Multiple Vulnerabilities
Written by Rebecca Mints   
Tuesday, 19 February 2008 09:17

Apple QuickTime, Apple's streaming media framework, is available for Apple Mac OS X as well as Microsoft Windows. In the Windows version, however, a vulnerability exists in the functionality provided by the ActiveX control.

The vulnerability lies in the control's handling of parameters passed to several of its methods. A denial of service (DoS) occurs when long strings are passed to certain functions: SetBgColor, SetHREF, SetMovieName, SetTarget, SetMatrix. A proof-of-concept and more technical detail for the vulnerability are publicly available. The affected control is installed with Apple Safari as well as Apple iTunes. As of yet, no updates are available, nor has Apple confirmed the vulnerability. It can be mitigated by setting Microsoft's "kill bit" for CLSID "02BF25D5-8C17-4B23-BC80-D3488ABDDC6B", which disables the affected control. Normal functionality may be affected.
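
One way to apply and audit the kill bit for this CLSID from an elevated PowerShell prompt. This is an added example, not part of the original article or of Apple's or Microsoft's tooling; the registry location and the 0x400 flag are those documented in the Microsoft Knowledge Base article listed under References, and the function names `Get-KillBitState` and `Set-KillBit` are hypothetical.

```powershell
# Added example: set and verify the Internet Explorer "kill bit" for the
# QuickTime ActiveX control. The CLSID is the one given in the article.
$Clsid   = '{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}'
$KillBit = 0x400   # "Compatibility Flags" bit that blocks instantiation in IE

# Native registry view plus the 32-bit view that 32-bit IE reads on 64-bit Windows.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitState {
    param([string]$Root, [string]$Clsid)
    $key   = Join-Path $Root $Clsid
    $flags = 0
    if (Test-Path -Path $key) {
        $prop = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if ($prop) { $flags = [int]$prop.'Compatibility Flags' }
    }
    # Report the raw flags and whether the kill bit is present.
    [pscustomobject]@{
        Key    = $key
        Flags  = '0x{0:X8}' -f $flags
        Killed = (($flags -band $KillBit) -ne 0)
    }
}

function Set-KillBit {
    param([string]$Root, [string]$Clsid)
    if (-not (Test-Path -Path $Root)) { return }   # view absent, e.g. 32-bit Windows
    $key = Join-Path $Root $Clsid
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    $prop    = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    $current = if ($prop) { [int]$prop.'Compatibility Flags' } else { 0 }
    # OR the bit in so that any compatibility flags already set are preserved.
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($current -bor $KillBit) -Type DWord
}

foreach ($root in $Roots) { Set-KillBit -Root $root -Clsid $Clsid }

# Audit: every existing view should now report Killed = True.
$Roots | Where-Object { Test-Path -Path $_ } |
    ForEach-Object { Get-KillBitState -Root $_ -Clsid $Clsid } |
    Format-Table -AutoSize
```

Clearing the 0x400 bit in the same value re-enables the control if the loss of QuickTime functionality in the browser is not acceptable.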


References:
Posting by Laurent Gaffie
http://www.securityfocus.com/archive/1/488045
Microsoft Knowledge Base Article (details the "kill bit" mechanism)
http://support.microsoft.com/kb/240797
Apple QuickTime Home Page
http://www.apple.com/quicktime
