Friday, November 30, 2007

US-CERT Technical Cyber Security Alert TA07-334A -- Apple QuickTime RTSP Buffer Overflow

National Cyber Alert System
Technical Cyber Security Alert TA07-334A


Apple QuickTime RTSP Buffer Overflow

Original release date: November 30, 2007
Last revised: --
Source: US-CERT

Systems Affected

A buffer overflow in Apple QuickTime affects:
* Apple QuickTime for Windows
* Apple QuickTime for Apple Mac OS X

Overview

Apple QuickTime contains a buffer overflow vulnerability in the way
QuickTime processes Real Time Streaming Protocol (RTSP) streams.
Exploitation of this vulnerability could allow an attacker to execute
arbitrary code.

I. Description

Apple QuickTime contains a stack buffer overflow vulnerability in the
way QuickTime handles the RTSP Content-Type header. Most versions of
QuickTime prior to and including 7.3 running on all supported Apple
Mac OS X and Microsoft Windows platforms are vulnerable. Since
QuickTime is a component of Apple iTunes, iTunes installations are
also affected by this vulnerability.

An attacker could exploit this vulnerability by convincing a user to
access a specially crafted HTML document such as a web page or email
message. The HTML document could use a variety of techniques to cause
QuickTime to load a specially crafted RTSP stream. Common web
browsers, including Microsoft Internet Explorer, Mozilla Firefox, and
Apple Safari, can be used to pass RTSP streams to QuickTime, exploit
the vulnerability, and execute arbitrary code.

Exploit code for this vulnerability was first posted publicly on
November 25, 2007.

II. Impact

This vulnerability could allow a remote, unauthenticated attacker to
execute arbitrary code or commands and cause a denial-of-service
condition.

III. Solution

As of November 30, 2007, a QuickTime update for this vulnerability is
not available. To block attack vectors, consider the following
workarounds.

Block the rtsp:// protocol

Using a proxy or firewall capable of recognizing and blocking RTSP
traffic can mitigate this vulnerability. Known public exploit code for
this vulnerability uses the default RTSP port 554/tcp; however, RTSP
can use a variety of ports.
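
Because RTSP is not tied to port 554, a content-based check is more reliable than a port filter. The following added example (not part of the US-CERT alert) recognizes RTSP responses by their status line on any port and flags a Content-Type header longer than a limit; the 128-byte limit, the function name and the sample payloads are assumptions constructed for illustration.

```python
import re

# Assumption: legitimate media types are short. This limit is a tunable
# heuristic, not a value taken from the advisory.
MAX_CONTENT_TYPE_LEN = 128
DEFAULT_RTSP_PORT = 554

# RFC 2326 response status line, e.g. "RTSP/1.0 200 OK"
STATUS_LINE = re.compile(rb"^RTSP/\d\.\d \d{3}(?: |$)")


def inspect_rtsp_response(payload, port):
    """Return findings for one server-to-client TCP payload (bytes)."""
    lines = re.split(rb"\r?\n", payload)
    if not STATUS_LINE.match(lines[0]):
        return []                      # not an RTSP response
    headers = []                       # [name, value] pairs, folded lines merged
    for line in lines[1:]:
        if not line:
            break                      # blank line ends the header block
        if line[:1] in (b" ", b"\t") and headers:
            headers[-1][1] += b" " + line.strip()   # header continuation
            continue
        name, sep, value = line.partition(b":")
        if sep:
            headers.append([name.strip().lower(), value.strip()])
    findings = []
    if port != DEFAULT_RTSP_PORT:
        findings.append("rtsp-on-nonstandard-port:%d" % port)
    for name, value in headers:
        if name == b"content-type" and len(value) > MAX_CONTENT_TYPE_LEN:
            findings.append("oversized-content-type:%d" % len(value))
    return findings


# Constructed sample payloads (not captured traffic).
BENIGN = (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\n"
          b"Content-Type: application/sdp\r\nContent-Length: 0\r\n\r\n")
SUSPECT = (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\n"
           b"Content-Type: " + b"x" * 600 + b"\r\n\r\n")

if __name__ == "__main__":
    print(inspect_rtsp_response(BENIGN, 554))
    print(inspect_rtsp_response(SUSPECT, 8554))
```
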

Disable file association for QuickTime files

Disable the file association for QuickTime file types. This can be
accomplished by deleting the following registry keys:
HKEY_CLASSES_ROOT\QuickTime.*

This will remove the association for approximately 32 file types that
are configured to open with QuickTime Player.

Disable the QuickTime ActiveX controls in Internet Explorer

The QuickTime ActiveX controls can be disabled in Internet Explorer by
setting the kill bit for the following CLSIDs:
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
{4063BE15-3B08-470D-A0D5-B37161CFFD69}

More information about how to set the kill bit is available in
Microsoft Knowledge Base Article 240797. Alternatively, the following
text can be saved as a .REG file and imported to set the kill bit for
these controls:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4063BE15-3B08-470D-A0D5-B37161CFFD69}]
"Compatibility Flags"=dword:00000400
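
To confirm the workaround actually took effect, the kill bit can be checked in an exported copy of the ActiveX Compatibility key. The following added example (not part of the US-CERT alert) parses decoded .REG export text and reports, for the two QuickTime CLSIDs above, whether bit 0x400 is set; the function names and the sample export are constructed for illustration.

```python
import re

KILL_BIT = 0x00000400
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
QUICKTIME_CLSIDS = (
    "{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}",
    "{4063BE15-3B08-470D-A0D5-B37161CFFD69}",
)
FLAGS_LINE = re.compile(r'"Compatibility Flags"=dword:([0-9a-f]{1,8})$', re.I)


def parse_reg_export(text):
    """Map each upper-cased key path to its 'Compatibility Flags' dword.

    `text` is already-decoded export text (exports are often UTF-16 on disk).
    """
    flags, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].upper()   # registry paths are case-insensitive
            continue
        match = FLAGS_LINE.match(line)
        if match and key:
            flags[key] = int(match.group(1), 16)
    return flags


def audit_kill_bits(text):
    """Return {clsid: 'set' | 'not set' | 'missing'} for the QuickTime controls."""
    flags = parse_reg_export(text)
    result = {}
    for clsid in QUICKTIME_CLSIDS:
        value = flags.get((BASE + "\\" + clsid).upper())
        if value is None:
            result[clsid] = "missing"          # key or value absent
        else:                                  # other flag bits may coexist
            result[clsid] = "set" if value & KILL_BIT else "not set"
    return result


# Constructed sample export: first control killed, second one not.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4063be15-3b08-470d-a0d5-b37161cffd69}]
"Compatibility Flags"=dword:00000000
"""
```
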

Disable the QuickTime plug-in for Mozilla-based browsers

Users of Mozilla-based browsers, such as Firefox, can disable the
QuickTime plugin, as specified in the PluginDoc article Uninstalling
Plugins.

Disable JavaScript

For instructions on how to disable JavaScript, please refer to the
Securing Your Web Browser document. This can help prevent some attack
techniques that use the QuickTime plug-in or ActiveX control.

Secure your web browser

To help mitigate these and other vulnerabilities that can be exploited
via a web browser, refer to Securing Your Web Browser.

Do not access QuickTime files from untrusted sources

Do not open QuickTime files from any untrusted sources, including
unsolicited files or links received in email, instant messages, web
forums, or internet relay chat (IRC) channels.


References

* US-CERT Vulnerability Note VU#659761 - <http://www.kb.cert.org/vuls/id/659761>

* Securing Your Web Browser - <http://www.us-cert.gov/reading_room/securing_browser/>

* Mozilla Uninstalling Plugins - <http://plugindoc.mozdev.org/faqs/uninstall.html>

* How to stop an ActiveX control from running in Internet Explorer - <http://support.microsoft.com/kb/240797>

* IETF RFC 2326 Real Time Streaming Protocol - <http://tools.ietf.org/html/rfc2326>

_________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA07-334A.html>
_________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA07-334A Feedback VU#659761" in the
subject.
_________________________________________________________________

Produced 2007 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
_________________________________________________________________

Revision History

November 30, 2007: Initial release

California Fire News

News: OT News: Hero Stops Runaway SUV On Golden Gate Bridge

Posted: 29 Nov 2007 02:56 PM CST

Hero Stops Runaway SUV On Golden Gate Bridge

SAN FRANCISCO (BCN) ―

A quick-thinking truck driver prevented a serious traffic hazard on the Golden Gate Bridge Tuesday morning when he towed a Jeep containing an unconscious driver to safety amid a busy morning commute, according to the California Highway Patrol.

A 62-year-old Tiburon woman apparently passed out while driving her Jeep Grand Cherokee southbound on bridge lanes at around 6:50 a.m., the CHP said.

Mill Valley resident John Beatty was driving behind the Jeep and noticed it was moving slower than the flow of traffic. He drove up to the right side of the vehicle and saw the woman slumped on her steering wheel.

Beatty took bold and immediate action. He drove his Ford F-350 Super Duty utility truck in front of the Jeep and allowed it to essentially crash into the back of his vehicle so it would latch on, according to bridge officials. He then "slowly and safely" guided the Jeep across the bridge's southbound lanes and brought it to rest in a safe area, away from the flow of traffic.

"He accomplished this while numerous other motorists, oblivious to the emergency, passed," the CHP said in a statement.

Officers said the woman had apparently suffered a medical condition that caused her to lose consciousness. Emergency crews transported her to California Pacific Medical Center, where she later died.

The cause of her death is unknown.

The CHP and bridge officials said if it wasn't for Beatty, this morning's traffic tragedy could have been much worse.

"Due to the action of this Good Samaritan, a potentially worse situation was averted and we are all thankful for that aspect of the traffic incident this morning," said bridge manager Kary Witt.

The bridge's southbound lanes were closed for about 15 minutes. Lanes of the highway were cleared at 7:15 a.m. and traffic began moving normally at about 8 a.m., the CHP said.

Article source: SF Gate
Video: CBS 5

CA-SCU- LeDeit - San Jose - Prescribed burn - 400 acres

Posted: 29 Nov 2007 02:32 PM CST

[Image: Satellite map of Ledeit Fire perimeter. Credit: Cal Fire News / Geo Mac]

Cal Fire is preparing to continue igniting a controlled burn, called the Ledeit Fire (pronounced "Lee Day"), in the hills above Morgan Hill / San Jose near Lick Observatory. The Cal Fire teams are currently setting up radios and performing other preparations prior to the firing operation.
Cal Fire hopes to eventually burn 700 to 1000 acres.
Expect a large header this afternoon around 3:00 to 4:00, with operations slowing down later in the evening.
VMP - Ledeit
Location: Mount Hamilton South of Lick Observatory - NW of Lick Fire in Henry Coe State Park Area earlier this year
Current size: Approximately 400 acres
Prescribed size: 1000 acres

What is the CDF Vegetation Management Program (VMP)? The VMP was created in 1981 as a cost-sharing program between private landowners and CDF to reduce fire-prone vegetation. Through prescribed burns, as well as mechanical means of modifying vegetation, VMP projects strive to reduce the risk of large damaging wildfires and improve the growing conditions of native plant and wildlife species. A prescribed burn site can also act as a fire break, stopping a wildfire in its tracks; and firefighters use these previously burned areas as safe places to take a stand against a fire.

Big Basin State Park - Prescribed burn

Posted: 29 Nov 2007 11:07 AM CST

The haze drifting southwest from Big Basin State Park is the result of a slow-moving prescription burn started by State Parks and Cal Fire crews in a 500-acre plot of redwoods Nov. 9. The prescribed burn is designed to blacken 500 acres, but late Wednesday it had charred about 120 acres.

Forest Service Schedules Second Prescribed Burn For SNF

Posted: 29 Nov 2007 11:00 AM CST

BJ Hansen

Sonora, Ca -- The Forest Service has announced that a second prescribed burn will begin Thursday within the Stanislaus National Forest.

Earlier this week, it was made public that beginning Thursday a 100 acre burn will occur two miles north of Arnold along Summit Level Rd.

Also starting tomorrow will be a 400 acre burn in the Wrights Creek area, four miles south of Long Barn. Smoke may be visible for many days along the Hwy 108 corridor.

The Forest Service notes that the benefits of a prescribed burn include promoting forest health, reducing flammable vegetation and protecting the public and firefighters.

Source: Article
