
Apple QuickTime Player Custom URL Vulnerability


Published: 2003-03-31
Updated: 2003-03-31
Severity:
Threat level: Normal user access privileges
Error type: Boundary check error
Exploitation method: Server mode

BUGTRAQ ID:7247
CVE(CAN) ID:CAN-2003-0168

Affected Systems
Apple QuickTime Player 6
   -Apple MacOS 9.0
   -Apple MacOS 9.0.4
   -Apple MacOS 9.1
   -Apple MacOS 9.2
   -Apple MacOS 9.2.1
   -Apple MacOS 9.2.2
   -Apple MacOS X 10.0
   -Apple MacOS X 10.0.1
   -Apple MacOS X 10.0.2
   -Apple MacOS X 10.0.3
   -Apple MacOS X 10.0.4
   -Apple MacOS X 10.1
   -Apple MacOS X 10.1.1
   -Apple MacOS X 10.1.2
   -Apple MacOS X 10.1.3
   -Apple MacOS X 10.1.4
   -Apple MacOS X 10.1.5
   -Microsoft Windows 2000 Advanced Server
   -Microsoft Windows 2000 Advanced Server SP1
   -Microsoft Windows 2000 Advanced Server SP2
   -Microsoft Windows 2000 Datacenter Server
   -Microsoft Windows 2000 Datacenter Server SP1
   -Microsoft Windows 2000 Datacenter Server SP2
   -Microsoft Windows 2000 Professional
   -Microsoft Windows 2000 Professional SP1
   -Microsoft Windows 2000 Professional SP2
   -Microsoft Windows 2000 Server
   -Microsoft Windows 2000 Server SP1
   -Microsoft Windows 2000 Server SP2
   -Microsoft Windows 2000 Terminal Services
   -Microsoft Windows 2000 Terminal Services SP1
   -Microsoft Windows 2000 Terminal Services SP2
   -Microsoft Windows 95
   -Microsoft Windows 95 SR2
   -Microsoft Windows 98
   -Microsoft Windows 98SE
   -Microsoft Windows ME
   -Microsoft Windows NT Enterprise Server 4.0
   -Microsoft Windows NT Enterprise Server 4.0 SP1
   -Microsoft Windows NT Enterprise Server 4.0 SP2
   -Microsoft Windows NT Enterprise Server 4.0 SP3
   -Microsoft Windows NT Enterprise Server 4.0 SP4
   -Microsoft Windows NT Enterprise Server 4.0 SP5
   -Microsoft Windows NT Enterprise Server 4.0 SP6
   -Microsoft Windows NT Enterprise Server 4.0 SP6a
   -Microsoft Windows NT Server 4.0
   -Microsoft Windows NT Server 4.0 SP1
   -Microsoft Windows NT Server 4.0 SP2
   -Microsoft Windows NT Server 4.0 SP3
   -Microsoft Windows NT Server 4.0 SP4
   -Microsoft Windows NT Server 4.0 SP5
   -Microsoft Windows NT Server 4.0 SP6
   -Microsoft Windows NT Server 4.0 SP6a
   -Microsoft Windows NT Terminal Server 4.0
   -Microsoft Windows NT Terminal Server 4.0 SP1
   -Microsoft Windows NT Terminal Server 4.0 SP2
   -Microsoft Windows NT Terminal Server 4.0 SP3
   -Microsoft Windows NT Terminal Server 4.0 SP4
   -Microsoft Windows NT Terminal Server 4.0 SP5
   -Microsoft Windows NT Terminal Server 4.0 SP6
   -Microsoft Windows NT Terminal Server 4.0 SP6a
   -Microsoft Windows NT Workstation 4.0
   -Microsoft Windows NT Workstation 4.0 SP1
   -Microsoft Windows NT Workstation 4.0 SP2
   -Microsoft Windows NT Workstation 4.0 SP3
   -Microsoft Windows NT Workstation 4.0 SP4
   -Microsoft Windows NT Workstation 4.0 SP5
   -Microsoft Windows NT Workstation 4.0 SP6
   -Microsoft Windows NT Workstation 4.0 SP6a
Apple QuickTime Player 5.0.2
   -Apple MacOS 9.0
   -Apple MacOS 9.0.4
   -Apple MacOS 9.1
   -Apple MacOS 9.2
   -Apple MacOS 9.2.1
   -Apple MacOS 9.2.2
   -Apple MacOS X 10.0
   -Apple MacOS X 10.0.1
   -Apple MacOS X 10.0.2
   -Apple MacOS X 10.0.3
   -Apple MacOS X 10.0.4
   -Apple MacOS X 10.1
   -Apple MacOS X 10.1.1
   -Apple MacOS X 10.1.2
   -Apple MacOS X 10.1.3
   -Apple MacOS X 10.1.4
   -Apple MacOS X 10.1.5
   -Microsoft Windows 2000 Advanced Server
   -Microsoft Windows 2000 Advanced Server SP1
   -Microsoft Windows 2000 Advanced Server SP2
   -Microsoft Windows 2000 Datacenter Server
   -Microsoft Windows 2000 Datacenter Server SP1
   -Microsoft Windows 2000 Datacenter Server SP2
   -Microsoft Windows 2000 Professional
   -Microsoft Windows 2000 Professional SP1
   -Microsoft Windows 2000 Professional SP2
   -Microsoft Windows 2000 Server
   -Microsoft Windows 2000 Server SP1
   -Microsoft Windows 2000 Server SP2
   -Microsoft Windows 2000 Terminal Services
   -Microsoft Windows 2000 Terminal Services SP1
   -Microsoft Windows 2000 Terminal Services SP2
   -Microsoft Windows 95
   -Microsoft Windows 95 SR2
   -Microsoft Windows 98
   -Microsoft Windows 98SE
   -Microsoft Windows ME
   -Microsoft Windows NT Enterprise Server 4.0
   -Microsoft Windows NT Enterprise Server 4.0 SP1
   -Microsoft Windows NT Enterprise Server 4.0 SP2
   -Microsoft Windows NT Enterprise Server 4.0 SP3
   -Microsoft Windows NT Enterprise Server 4.0 SP4
   -Microsoft Windows NT Enterprise Server 4.0 SP5
   -Microsoft Windows NT Enterprise Server 4.0 SP6
   -Microsoft Windows NT Enterprise Server 4.0 SP6a
   -Microsoft Windows NT Server 4.0
   -Microsoft Windows NT Server 4.0 SP1
   -Microsoft Windows NT Server 4.0 SP2
   -Microsoft Windows NT Server 4.0 SP3
   -Microsoft Windows NT Server 4.0 SP4
   -Microsoft Windows NT Server 4.0 SP5
   -Microsoft Windows NT Server 4.0 SP6
   -Microsoft Windows NT Server 4.0 SP6a
   -Microsoft Windows NT Terminal Server 4.0
   -Microsoft Windows NT Terminal Server 4.0 SP1
   -Microsoft Windows NT Terminal Server 4.0 SP2
   -Microsoft Windows NT Terminal Server 4.0 SP3
   -Microsoft Windows NT Terminal Server 4.0 SP4
   -Microsoft Windows NT Terminal Server 4.0 SP5
   -Microsoft Windows NT Terminal Server 4.0 SP6
   -Microsoft Windows NT Terminal Server 4.0 SP6a
   -Microsoft Windows NT Workstation 4.0
   -Microsoft Windows NT Workstation 4.0 SP1
   -Microsoft Windows NT Workstation 4.0 SP2
   -Microsoft Windows NT Workstation 4.0 SP3
   -Microsoft Windows NT Workstation 4.0 SP4
   -Microsoft Windows NT Workstation 4.0 SP5
   -Microsoft Windows NT Workstation 4.0 SP6
   -Microsoft Windows NT Workstation 4.0 SP6a
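Detailed Description
QuickTime Player contains a buffer overflow vulnerability.

QuickTime Player does not correctly handle certain types of URLs; a remote attacker may be able to exploit this vulnerability to execute arbitrary commands on the system.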

Solution
Apple QuickTime Player 6:
      Apple Upgrade QuickTime Player 6.1
      http://www.apple.com/quicktime/download/
Apple QuickTime Player 5.0.2:
      Apple Upgrade QuickTime Player 6.1
      http://www.apple.com/quicktime/download/

Related Information
Reported by: Texonet
Reference: http://www.info.apple.com/usen/security/security_updates.html