Details on Dino’s QuickTime Advisory (With Code Snippet)
As Dave noted, Apple has released a patch for Dino’s QuickTime finding. 3Com followed up with their advisory. Direct your attention to the nut graf:
The flaw exists within the QuickTime Java extensions (QTJava.dll), specifically the routine toQTPointer() exposed through quicktime.util.QTHandleRef. A lack of sanity checking on the parameters passed to this routine, through the Java Virtual Machine (JVM), allows an attacker to write arbitrary values to memory.
What this is saying:

* If you have the QuickTime for Java extensions installed (in other words, if you have QuickTime installed),
* then a Java applet will be allowed to construct and play with QuickTime objects, which are backed with unprotected C code,
* and specifically, some of those objects wrap pointers to memory tracked by a dynamic C library,
* and unfortunately those objects are not careful enough with the values passed to them by Java code,
* so Java applets can overwrite arbitrary process memory directly,
* which they should never be able to do, because keeping Java applet code from touching memory directly is the whole point of the applet sandbox.
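The pattern the list above describes, as an added illustration that is not QTJava's code and not the advisory's proof of concept: a native wrapper object holding a raw pointer, a write routine that trusts the offset and length handed to it by the managed side, and beside it a hardened version that range-checks them. The names (native_handle, handle_write_unchecked, handle_write_checked) are hypothetical, the 32-byte arena is constructed for the demo, and nothing here reproduces the actual toQTPointer() routine; it only shows why a missing sanity check on the native side of a JNI boundary turns into an arbitrary write.

```c
/* Added illustration of the bug class, not QTJava's code. Names are
 * hypothetical; the arena below is constructed for the demo. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Native object that a managed-language wrapper holds a pointer to:
 * a base pointer plus the number of bytes it actually owns. */
typedef struct {
    unsigned char *base;
    size_t len;
} native_handle;

/* Vulnerable: offset and size arrive straight from the caller (in
 * QTJava that caller is Java bytecode, via JNI) and are used with no
 * range check, so the caller chooses where in the process the write lands. */
bool handle_write_unchecked(native_handle *h, size_t offset,
                            const void *src, size_t size)
{
    memcpy(h->base + offset, src, size);
    return true;
}

/* Hardened: accept only writes wholly inside [base, base + len).
 * Written as `offset <= len - size` rather than `offset + size <= len`
 * so a huge offset cannot wrap around and slip past the check. */
bool handle_write_checked(native_handle *h, size_t offset,
                          const void *src, size_t size)
{
    if (size > h->len || offset > h->len - size)
        return false;
    memcpy(h->base + offset, src, size);
    return true;
}

/* Constructed arena: one 32-byte buffer. The handle is told it owns only
 * the first 16 bytes; the other 16 stand in for unrelated memory (another
 * object, a function pointer, ...) that the managed caller must never reach. */
enum { OWNED = 16, ARENA = 32 };

typedef bool (*writer_fn)(native_handle *, size_t, const void *, size_t);

/* Perform one 4-byte write at `offset` through `write`; report whether the
 * writer accepted it and whether the neighbouring region got modified. */
static bool neighbour_corrupted(writer_fn write, size_t offset, bool *accepted)
{
    unsigned char arena[ARENA] = {0};
    native_handle h = { arena, OWNED };
    const unsigned char payload[4] = { 0x41, 0x41, 0x41, 0x41 };

    *accepted = write(&h, offset, payload, sizeof payload);

    for (size_t i = OWNED; i < ARENA; i++)
        if (arena[i] != 0)
            return true;
    return false;
}

bool unchecked_write_escapes(void)    /* expected: true */
{
    bool ok;
    return neighbour_corrupted(handle_write_unchecked, 24, &ok) && ok;
}

bool checked_write_escapes(void)      /* expected: false */
{
    bool ok;
    return neighbour_corrupted(handle_write_checked, 24, &ok) || ok;
}

/* SIZE_MAX - 1 + 4 wraps to 2, so a naive `offset + size <= len` test
 * would have let this through; the hardened form rejects it. */
bool checked_rejects_wraparound(void) /* expected: true */
{
    unsigned char arena[ARENA] = {0};
    native_handle h = { arena, OWNED };
    const unsigned char payload[4] = {0};
    return !handle_write_checked(&h, SIZE_MAX - 1, payload, sizeof payload);
}

bool checked_accepts_in_bounds(void)  /* expected: true */
{
    unsigned char arena[ARENA] = {0};
    native_handle h = { arena, OWNED };
    const unsigned char payload[4] = { 1, 2, 3, 4 };
    return handle_write_checked(&h, OWNED - 4, payload, sizeof payload)
        && arena[OWNED - 1] == 4;
}

int main(void)
{
    printf("unchecked write reaches neighbour: %d\n", unchecked_write_escapes());
    printf("checked write reaches neighbour:   %d\n", checked_write_escapes());
    printf("checked rejects wrapped offset:    %d\n", checked_rejects_wraparound());
    printf("checked accepts in-bounds write:   %d\n", checked_accepts_in_bounds());
    return 0;
}
```

The point of the arena is that the unchecked routine never does anything the C compiler would object to; it simply honours whatever offset it was given. In the real case that offset comes from a Java applet, and the bytes beyond the wrapped region are whatever happens to sit next to it in the QuickTime process, which is exactly the memory the applet sandbox exists to keep out of reach.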