Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Buffer overflow in Quicktime

Published: 2010-01-17
Last Updated: 2010-01-17 21:25:12 UTC
by Rick Wanner (Version: 2)
2 comment(s)

A Dutch reader, G. Smit, gave us a heads up about a remotely exploitable vulnerability in Quicktime which can be exploited by malformed .mov files.

There is some information available at Offensive-security blog, in Dutch  at, Fortiguard also shows the vulnerability.  Securityfocus has also updated Bugtraq 32540.

 Although neither Fortiguard or Securityfocus show the latest version of Quicktime, 7.6.5, as being vulnerable,  we are getting reports that the exploit crashes 7.6.5.


-- Rick Wanner - rwanner at isc dot sans dot org

2 comment(s)

Why not Yellow?

Published: 2010-01-17
Last Updated: 2010-01-17 00:37:02 UTC
by Mark Hofman (Version: 1)
0 comment(s)

 A few people have written in to ask us why we have not gone to Infocon Yellow regarding the IE 0 day.  

Changing the Infocon is a decision not taken lightly as we do know that people look at ISC and based on the infocon, react.  Our definitions of when to change are also different to many other organisations and this causes some confusion in some readers.  For example McAfee at the moment is at Critical, Symantec and Trend Micro are at Elevated, we are at Green for business as usual.

A number of reasons went into the decision not to raise the Infocon level.  Currently there is no real evidence that "aurora" is wide spread, we have certainly not been inundated with reports.  An exploit is available in Metasploit, but as far as we are aware at this moment there are no automated tools taking advantage of the exploit and widely attacking the internet.   The exploit currently affects a version of the product that is two major revisions behind the current release, and should really not be widely used anymore.  Easy work arounds are available by utilising other browsers or products, signatures are available from the AV vendors and the patch should be available in the next 3-4 weeks.  From an Internet perspective the issue is currently very very low impact.  

That said there are a number of things that have happened that we should all be aware of.  The Google hack, malicious PDF files, there is an increase in FakeAV, and there will be scams relating to Haiti.  Likewise there is a big chance that the "aurora" module will make an appearance in the various attack packs.  

For now we will be monitoring the situations and keep you posted as usual. 


Mark H 

Keywords: INFOcon Yellow
0 comment(s)
Diary Archives