Britney Spears, Apple's Quicktime and New Spam Attacks


The SANS Internet Storm Center says Apple's Quicktime 7.3 update fixed "a number of serious vulnerabilities," including:


* A memory corruption bug which can be triggered by a maliciously crafted movie. It could potentially result in arbitrary code execution (CVE-2007-2395)

* A heap overflow in the use of Sample Table Sample Descriptor atoms, which can be triggered through maliciously crafted movie files. It could potentially result in arbitrary code execution (CVE-2007-3750).

* Vulnerabilities in Quicktime for Java which could allow untrusted applets to obtain elevated privileges (CVE-2007-3751).

* Two bugs in PICT file processing, potentially resulting in arbitrary code execution (CVE-2007-4672).

* A bug in QTVR movie file parsing which could result in arbitrary code execution (CVE-2007-4675).

* A bug in the parsing of color table atoms which could result in arbitrary code execution (CVE-2007-4677).

The Quicktime flaw wasn't just an idle issue, either. Spammers have been specifically pinpointing softness in Quicktime -- and using Britney Spears as a weapon of attack. The folks at Marshal TRACE report:

Today, looking through our detected spam we have seen a number of emails with subject lines related to Britney Spears. The emails contain only a link to a website and are targeting recipients whose browsers have an older version of the Apple QuickTime plug-in installed. The emails contain subject lines such as:

Britney Spears shows it again!

Britney Spears booked on traffic charge

The email contains a link to web site that shoots "Obfuscated Javascript" in an IFramewhich, Marshal TRACE says, "detects if, and what versions of, the Apple QuickTime plug-in is installed. Another hidden IFrame is created containing an embedded object that embeds a QuickTime object that exploits an Apple QuickTime RTSP URI Buffer Overflow Vulnerability allowing the attacker to run commands on the victims PC."

The advice they provide: don't click links in unsolicited email, especially containing references to celebrities who have been in the headlines of the day. Well, yeah. That certainly sounds like a no-brainer (at this point, it's probably not even advisable for Britney to click open her own email), until you realize the spammers must keep using this tactic because it works.