Britney Spears, Apple's Quicktime and New Spam Attacks



The SANS Internet Storm Center says Apple's Quicktime 7.3 update fixed "a number of serious vulnerabilities," including:


* A memory corruption bug which can be triggered by a maliciously crafted movie. It could potentially result in arbitrary code execution (CVE-2007-2395).

* A heap overflow in the use of Sample Table Sample Descriptor atoms, which can be triggered through maliciously crafted movie files. It could potentially result in arbitrary code execution (CVE-2007-3750).

* Vulnerabilities in Quicktime for Java which could allow untrusted applets to obtain elevated privileges (CVE-2007-3751).

* Two bugs in PICT file processing, potentially resulting in arbitrary code execution (CVE-2007-4672).

* A bug in QTVR movie file parsing which could result in arbitrary code execution (CVE-2007-4675).

* A bug in the parsing of color table atoms which could result in arbitrary code execution (CVE-2007-4677).

The Quicktime flaw wasn't just an idle issue, either. Spammers have been specifically pinpointing softness in Quicktime -- and using Britney Spears as a weapon of attack. The folks at Marshal TRACE report:

Today, looking through our detected spam we have seen a number of emails with subject lines related to Britney Spears. The emails contain only a link to a website and are targeting recipients whose browsers have an older version of the Apple QuickTime plug-in installed. The emails contain subject lines such as:

Britney Spears shows it again!

Britney Spears booked on traffic charge

The email contains a link to a web site that shoots "Obfuscated Javascript" in an IFrame which, Marshal TRACE says, "detects if, and what versions of, the Apple QuickTime plug-in is installed. Another hidden IFrame is created containing an embedded object that embeds a QuickTime object that exploits an Apple QuickTime RTSP URI Buffer Overflow Vulnerability allowing the attacker to run commands on the victim's PC."
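A triage heuristic for the page structure described above, as an added example that is not from the article or from Marshal TRACE: it scans captured DOM snapshots (the outer page plus its child frames) for a hidden IFrame together with a QuickTime object pointing at an `rtsp://` URI. The class and function names, the 256-character length threshold and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

QT_TYPES = {"video/quicktime", "image/x-quicktime"}
URL_ATTRS = ("src", "data", "qtsrc", "href", "value")
MAX_RTSP_LEN = 256  # assumed triage threshold; the article gives no length

def _is_hidden(attrs):
    """True for frames sized to nothing or hidden with inline CSS."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style

class LureScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases names
        if tag == "iframe" and _is_hidden(a):
            self.findings.add("hidden-iframe")
        if tag in ("embed", "object", "param"):
            if a.get("type", "").lower() in QT_TYPES:
                self.findings.add("quicktime-object")
            for key in URL_ATTRS:
                url = a.get(key, "").strip()
                if url.lower().startswith("rtsp://"):
                    self.findings.add("rtsp-uri")
                    if len(url) > MAX_RTSP_LEN:
                        self.findings.add("rtsp-uri-overlong")

def scan_frames(frames):
    """Union of findings over every captured frame of one page load."""
    found = set()
    for html in frames:
        scanner = LureScanner()
        scanner.feed(html)
        scanner.close()
        found |= scanner.findings
    return found

def is_suspicious(frames):
    """Flag the combination the report describes, not any one signal alone."""
    return {"hidden-iframe", "quicktime-object", "rtsp-uri"} <= scan_frames(frames)

# Constructed samples: DOM snapshots of an outer page and its child frame.
LURE = ['<iframe src="/f" width="0" height="0"></iframe>',
        '<embed type="video/quicktime" src="x.mov" qtsrc="rtsp://host.invalid/'
        + "A" * 300 + '">']
BENIGN = ['<embed type="video/quicktime" src="trailer.mov" width="320" height="256">']
```

Because the frames in this campaign are created by obfuscated script, the input has to be the rendered DOM from a sandboxed browser rather than the raw HTML fetched from the link.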

The advice they provide: don't click links in unsolicited email, especially those containing references to celebrities who have been in the headlines of the day. Well, yeah. That certainly sounds like a no-brainer (at this point, it's probably not even advisable for Britney to click open her own email), until you realize the spammers must keep using this tactic because it works.
