Security Response

Fuzzing Revisited—QuickTime Cleaning Out the Closet

Created: 07 Jun 2006 07:00:00 GMT • Updated: 23 Jan 2014 18:59:20 GMT
Liam O Murchu

I recently posted a blog that refers to fuzzing techniques, in particular to finding file format vulnerabilities with them. It was therefore no great surprise to me to see the announcement of nine different file format vulnerabilities affecting the Apple QuickTime application. What did surprise me was the number of separate file formats that were found to be vulnerable.

In this particular announcement the commonly used .jpg, .bmp, .avi, and .pict file formats were found to be vulnerable, along with several other formats listed in the disclosure. Given the number of issues discovered, there is no doubt in my mind that these were all found using file fuzzing techniques. For a full listing of the issues that Apple has resolved with a patched version of QuickTime, please refer to the discussion of the security update on the Apple Web site.

Luckily, in this case the vulnerabilities were responsibly disclosed to Apple, and no exploits were seen circulating in the wild before the patched version of QuickTime was made available on May 17, 2006. Indeed, there have been no reports of exploits since the patched version was released either, which is a little surprising given that QuickTime is used across several different browsers and operating systems. With a total of nine different vulnerabilities disclosed in the QuickTime product alone, Apple certainly had their work cut out for them to patch every single vulnerability affecting their applications.

With Apple working under such tight time constraints, I do wonder whether all of the vulnerabilities have been closed off completely. After all, it is not uncommon for a vendor to have to patch the same product several times because something was missed the first time around (or the second time, or the third time, etc.). Let's hope that Apple got it right the first time and that we won't be seeing another QuickTime patch for a while. There is no doubt that file fuzzing techniques were used to find these recent vulnerabilities in QuickTime's handling of the .jpg, .bmp, .avi, and .pict file formats, and the same corpus of mutated files, re-run against the patched build, is the obvious check of whether a fix is complete. Although Apple has released a patched version of QuickTime for all of the above formats and those referenced in the security article, we have to be wary of any other skeletons lurking in the QuickTime closet.
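As an added illustration of the file fuzzing technique the post refers to (this is example code written for this page, not the author's fuzzer and not anything from Apple or QuickTime), the following Python builds a small valid BMP in memory, mutates the header fields a decoder trusts when sizing its buffers (boundary values per field, plus random byte flips), runs every case through a target, and buckets the outcomes. The `parse_bmp` target is a constructed stand-in for the real decoder: it validates its headers but, unless `strict=True`, reads the colour palette without checking the file actually contains it, a deliberate demo bug, so that the same corpus can be re-run against the "patched" (strict) version to show the fix holds. All field names, seed values and the boundary lists are assumptions chosen for the demo.

```python
"""Mutation-based file-format fuzzing harness, worked on BMP headers (example code)."""
import random
import struct

# BITMAPFILEHEADER (14 bytes) followed by BITMAPINFOHEADER (40 bytes), little-endian.
FILE_HDR = "<2sIHHI"
INFO_HDR = "<IiiHHIIiiII"
HDR_SIZE = 14 + 40

# Header fields a decoder trusts when sizing buffers: name -> (offset, struct format).
FIELDS = {
    "bfSize":      (2,  "<I"),
    "bfOffBits":   (10, "<I"),
    "biWidth":     (18, "<i"),
    "biHeight":    (22, "<i"),
    "biBitCount":  (28, "<H"),
    "biSizeImage": (34, "<I"),
}
# Boundary values chosen for the demo: zero, one, powers of two, sign and wrap limits.
BOUNDARY_32 = [0, 1, 0x10000, 0x40000000, 0x7FFFFFFF, 0x80000000, 0xFFFFFFFF]
BOUNDARY_16 = [0, 1, 4, 8, 24, 32, 0x7FFF, 0x8000, 0xFFFF]


def make_seed_bmp(width=4, height=2, bpp=24):
    """Build a small valid uncompressed BMP to mutate (constructed sample input)."""
    row_bytes = ((width * bpp + 31) // 32) * 4          # rows are padded to 4 bytes
    pixels = bytes(i % 256 for i in range(row_bytes * height))
    file_hdr = struct.pack(FILE_HDR, b"BM", HDR_SIZE + len(pixels), 0, 0, HDR_SIZE)
    info_hdr = struct.pack(INFO_HDR, 40, width, height, 1, bpp, 0,
                           len(pixels), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixels


def set_field(data, name, value):
    """Overwrite one header field. Values are written as raw unsigned bits, so
    0xFFFFFFFF lands in a signed field as -1, exactly as a hostile file would."""
    off, fmt = FIELDS[name]
    size = struct.calcsize(fmt)
    return data[:off] + value.to_bytes(size, "little") + data[off + size:]


def header_cases(seed):
    """Deterministic cases: every trusted field set to every boundary value."""
    for name, (_, fmt) in FIELDS.items():
        values = BOUNDARY_16 if struct.calcsize(fmt) == 2 else BOUNDARY_32
        for v in values:
            yield f"{name}={v:#x}", set_field(seed, name, v)


def bitflip_cases(seed, count, rng):
    """Random cases: xor 1-4 bytes anywhere in the file, reproducible from rng."""
    for i in range(count):
        buf = bytearray(seed)
        for _ in range(rng.randint(1, 4)):
            buf[rng.randrange(len(buf))] ^= rng.randrange(1, 256)
        yield f"flip{i}", bytes(buf)


def parse_bmp(data, strict=False):
    """Constructed stand-in for the decoder under test (not a real BMP library).
    Rejects bad input with ValueError; with strict=False the palette read is
    deliberately unchecked, so short files raise struct.error instead."""
    if len(data) < HDR_SIZE:
        raise ValueError("truncated header")
    magic, _, _, _, off_bits = struct.unpack_from(FILE_HDR, data, 0)
    if magic != b"BM":
        raise ValueError("bad magic")
    _, width, height, _, bpp, comp, *_ = struct.unpack_from(INFO_HDR, data, 14)
    if comp != 0 or bpp not in (1, 4, 8, 24, 32):
        raise ValueError("unsupported pixel format")
    if width <= 0 or height == 0 or off_bits < HDR_SIZE:
        raise ValueError("bad geometry")
    palette = []
    if bpp <= 8:
        entries = 1 << bpp
        if strict and len(data) < HDR_SIZE + 4 * entries:   # the "patch"
            raise ValueError("palette truncated")
        for i in range(entries):                            # demo bug when not strict
            palette.append(struct.unpack_from("<I", data, HDR_SIZE + 4 * i)[0])
    row_bytes = ((width * bpp + 31) // 32) * 4
    pixel_bytes = row_bytes * abs(height)
    if len(data) - off_bits < pixel_bytes:
        raise ValueError("pixel data truncated")
    return width, height, bpp, pixel_bytes, len(palette)


def run_campaign(target, seed, flips=200, rng_seed=1):
    """Run every case through target and bucket the outcome. ValueError means the
    parser rejected the input (good); any other exception is a bug worth keeping.
    Crashes are deduplicated crudely on exception type and message; a real
    harness would key on a stack hash from the debugger instead."""
    rng = random.Random(rng_seed)
    cases = list(header_cases(seed)) + list(bitflip_cases(seed, flips, rng))
    report = {"ok": 0, "rejected": 0, "crashes": {}}
    for name, data in cases:
        try:
            target(data)
            report["ok"] += 1
        except ValueError:
            report["rejected"] += 1
        except Exception as exc:
            key = f"{type(exc).__name__}: {exc}"
            report["crashes"].setdefault(key, []).append(name)
    return report


if __name__ == "__main__":
    seed = make_seed_bmp()
    print("unpatched:", run_campaign(parse_bmp, seed))
    print("patched:  ", run_campaign(lambda d: parse_bmp(d, strict=True), seed))
```

The first run finds the unchecked palette read through the `biBitCount` boundary cases (4 and 8 bits per pixel demand a palette the 78-byte seed does not carry); the second run, against the strict parser, reports no crashes on the same corpus. Against a real decoder the mutated files would be written to disk and the application run on each under a debugger, with the crash bucket keyed on the faulting address rather than a Python exception.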