Proventia Network IDS, Proventia-G 1.1 and earlier, IBM Security Server Protection for Windows, Proventia Network MFS, BlackICE Server Protection, BlackICE PC Protection, RealSecure Server Sensor, RealSecure Network, Proventia Network IPS, Proventia Desktop, RealSecure Desktop, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology:
This signature detects an attempt to call QuickTime Java code from within a Java bytecode object.
Proventia Network IDS, Proventia-G 1.1 and earlier, IBM Security Server Protection for Windows, Proventia Network MFS, BlackICE Server Protection, BlackICE PC Protection, RealSecure Server Sensor, RealSecure Network, Proventia Network IPS, Proventia Desktop, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology: This signature triggers when QuickTime Java code is referenced from within a Java bytecode object. It is possible, however, that the QuickTime code is never executed, which would result in a false positive.
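The reference-based matching described above can be reproduced offline for triage. This is an added example, not the vendor's signature logic: it lists the class names in a class file's constant pool and flags those under `quicktime/`, a package prefix assumed here for QuickTime for Java classes. The sample input is constructed and holds only a header and constant pool, so it contains no executable code yet still matches, which is the false-positive case the signature notes.

```python
import struct

# Bytes following the tag for each fixed-size constant-pool entry type.
_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
          12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def class_refs(data: bytes) -> list:
    """Return every class name referenced from a class file's constant pool."""
    if len(data) < 10 or data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    count = struct.unpack_from(">H", data, 8)[0]
    utf8, class_idx, pos, i = {}, [], 10, 1
    try:
        while i < count:
            tag, pos = data[pos], pos + 1
            if tag == 1:                      # CONSTANT_Utf8: u2 length, bytes
                n = struct.unpack_from(">H", data, pos)[0]
                utf8[i] = data[pos + 2:pos + 2 + n].decode("utf-8", "replace")
                pos += 2 + n
            elif tag in _SIZES:
                if tag == 7:                  # CONSTANT_Class: u2 name index
                    class_idx.append(struct.unpack_from(">H", data, pos)[0])
                pos += _SIZES[tag]
                i += tag in (5, 6)            # long/double occupy two slots
            else:
                raise ValueError("unknown constant tag %d" % tag)
            i += 1
    except (IndexError, struct.error):
        raise ValueError("truncated constant pool") from None
    if pos > len(data):
        raise ValueError("truncated constant pool")
    return [utf8[j] for j in class_idx if j in utf8]

def quicktime_refs(data: bytes) -> list:
    """Class references under quicktime/ (assumed package prefix)."""
    return sorted(n for n in class_refs(data) if n.startswith("quicktime/"))

def sample(names) -> bytes:
    """Constructed input: class-file header and constant pool only."""
    pool = b""
    for k, name in enumerate(names):
        raw = name.encode()
        pool += b"\x01" + struct.pack(">H", len(raw)) + raw  # Utf8 at 2k+1
        pool += b"\x07" + struct.pack(">H", 2 * k + 1)       # Class at 2k+2
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 49, 2 * len(names) + 1) + pool

if __name__ == "__main__":
    print(quicktime_refs(sample(["Applet1", "quicktime/util/QTHandleRef"])))
```

A hit from this check means only that the class names a QuickTime type; deciding whether the code path is reachable requires inspecting the method bodies.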
High
Proventia Network IDS: XPU 27.010, Proventia-G 1.1 and earlier: XPU 27.010, IBM Security Server Protection for Windows: 2.1.14.2400, IBM Security Server Protection for Windows: 1.0.914.2020, Proventia Network MFS: XPU 27.010, BlackICE Server Protection: 3.6.cqh, BlackICE PC Protection: 3.6cqh, RealSecure Server Sensor: XPU 27.010, RealSecure Network: XPU 27.010, Proventia Network IPS: XPU 27.010, Proventia Desktop: 2020, RealSecure Desktop: eqh, Virtual Server Protection for Vmware: 1.0, Proventia Server IPS for Linux technology: 27.010
Apple QuickTime: 7.0.1, Apple QuickTime: 7.0.3, Apple QuickTime: 7.1.3, Apple QuickTime: 7.0, Apple QuickTime: 7.0.2, Apple QuickTime: 7.0.4, Apple QuickTime: 7.0.8, Apple QuickTime: 7.1, Apple QuickTime: 7.1.1, Apple QuickTime: 7.1.2, Apple QuickTime: 7.1.4, Apple QuickTime: 7.1.5
Unauthorized Access Attempt
Apple QuickTime could allow a remote attacker to execute arbitrary code on the system, caused by a vulnerability in the toQTPointer() function in the QuickTime Java extensions (QTJava.dll). By persuading a victim to visit a malicious Web page using the Safari, Internet Explorer, or Firefox Web browsers, a remote attacker could exploit this vulnerability to overwrite memory and execute arbitrary code on the system.
Apply the Apple QuickTime 7.1.6 update. See References.
Matasano Chargen Blog, April 23, 2007
BREAKING: MacBook Vuln In Quicktime, Affects Win32 Apple Code
http://www.matasano.com/log/812/breaking-macbook-vuln-in-quicktime-affects-win32-apple-code/
Apple QuickTime Web site
Apple - QuickTime
http://www.apple.com/quicktime/win.html
Apple QuickTime 7.1.6 update
About the security content of QuickTime 7.1.6
http://docs.info.apple.com/article.html?artnum=305446
ZDI-07-023
Apple QTJava toQTPointer() Pointer Arithmetic Memory Overwrite Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-07-023.html
IBM Internet Security Systems Protection Alert, May 1, 2007
Apple QuickTime Code Execution
http://www.iss.net/threats/261.html
ISS X-Force
Apple QuickTime Java toQTPointer() code execution
http://www.iss.net/security_center/static/33827.php
CVE
CVE-2007-2175
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2175