New QuickTime Flaw Bypasses ASLR, DEP

Trailrunner7 writes "A Spanish security researcher has discovered a new vulnerability in Apple's QuickTime software that can be used to bypass both ASLR and DEP on current versions of Windows and give an attacker control of a remote PC. The flaw apparently results from a parameter from an older version of QuickTime that was left in the code by mistake. It was discovered by Ruben Santamarta of Wintercore, who said the vulnerability can be exploited remotely via a malicious Web site. On a machine running Internet Explorer on Windows 7, Vista or XP with QuickTime 7.x or 6.x installed, the problem can be exploited by using a heap-spraying technique. In his explanation of the details of the vulnerability and the exploit for it, Santamarta said he believes the parameter at the heart of the problem simply was not cleared out of older versions of the QuickTime code. 'The QuickTime plugin is widely installed and exploitable through IE; ASLR and DEP are not effective in this case and we will likely see this in the wild,' said HD Moore, founder of the Metasploit Project."
  • Re:ew quicktime? (Score:5, Informative)

    by jonwil ( 467024 ) on Tuesday August 31, 2010 @12:17AM (#33423294)

    Considering that QuickTime is a core component of iTunes, if you own an iPhone, iPod or iPad, it's fairly hard to avoid QuickTime and still get full advantage of your device.

  • by rsborg ( 111459 ) on Tuesday August 31, 2010 @12:17AM (#33423296) Homepage
    I'd say it's almost as widely installed as Adobe Reader. Here's a guesstimate answer as to how many copies there are [google.com] (numbers are old)
  • by Anonymous Coward on Tuesday August 31, 2010 @12:26AM (#33423342)

    Would Quicktime Alternative be any safer?

    "QuickTime Alternative consists of codec libraries extracted from the official distribution, including the official QuickTime plugin required for playing QuickTime files (.MOV and others)"

  • Re:Well duh. (Score:5, Informative)

    by cbhacking ( 979169 ) on Tuesday August 31, 2010 @01:27AM (#33423600) Homepage Journal

    More to the point, this attack uses ROP (which, as you say, defeats DEP) but it does it using bits of code, called "gadgets", that are part of a library which is loaded without ASLR. Even though the browser itself is using ASLR, some of its libraries will be loaded at known locations, which is what makes this attack work. That's not exactly defeating ASLR so much as it is taking advantage of the fact that it isn't universally used yet, kind of like the way some legacy programs aren't DEP-compatible.

    For the time being, ASLR is only opt-in; if a library doesn't mark itself as ASLR-compatible, the loader will put it at its preferred base address. Or at least, it will try to. The fact is that dynamically linked libraries can never guarantee that their preferred address range is available, and therefore should never assume that they are at a given location in memory. In fact, most of them don't... but they still don't have the opt-in flag, either because they're old or because the developer didn't set it. I wonder how hard it would be to simply *force* ASLR by telling each library, as it loads, that its preferred address is simply unavailable and it's going to be stuck someplace else...
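The opt-in flag the comment refers to lives in the PE optional header's DllCharacteristics field (DYNAMICBASE for ASLR, NXCOMPAT for DEP). The following added example, which is not from the thread or from any of the projects mentioned, is a small defender-side audit script: it parses just enough of a PE file to report whether a module opts into ASLR and DEP and what preferred ImageBase it would otherwise be loaded at. It assumes only the documented PE header layout; the sample images it builds are constructed in-memory test data, not real DLLs.

```python
import struct

# DllCharacteristics bits from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # opts into ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # opts into DEP

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def parse_pe_headers(data):
    """Return (magic, dll_characteristics, image_base) from raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 60)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes total).
    _, _, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", data, coff_off)
    opt_off = coff_off + 20
    if size_opt < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic == PE32_MAGIC:
        (image_base,) = struct.unpack_from("<I", data, opt_off + 28)
    elif magic == PE32PLUS_MAGIC:
        (image_base,) = struct.unpack_from("<Q", data, opt_off + 24)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    (dll_chars,) = struct.unpack_from("<H", data, opt_off + 70)
    return magic, dll_chars, image_base


def mitigation_report(data):
    """Summarise the ASLR/DEP opt-in state of one module."""
    magic, dc, image_base = parse_pe_headers(data)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "aslr_opt_in": bool(dc & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep_opt_in": bool(dc & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "high_entropy_va": bool(dc & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        # Without DYNAMIC_BASE the loader will try to map the module here,
        # which is exactly the fixed address a ROP chain can rely on.
        "image_base": image_base,
    }


def audit_file(path):
    """Run the report against a module on disk (e.g. a browser plugin DLL)."""
    with open(path, "rb") as fh:
        return mitigation_report(fh.read())


def build_min_pe(dll_characteristics, pe32plus=False, image_base=0x10000000):
    """Constructed, headers-only PE image used as sample input; not a real binary."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)            # e_lfanew: PE signature at offset 64
    size_opt = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, size_opt, 0x2102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    if pe32plus:
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed samples: a legacy module with no opt-in flags, and a modern one.
    legacy = build_min_pe(0)
    modern = build_min_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    for name, img in (("legacy", legacy), ("modern", modern)):
        r = mitigation_report(img)
        print("%s: ASLR=%s DEP=%s ImageBase=0x%x" % (name, r["aslr_opt_in"], r["dep_opt_in"], r["image_base"]))
```

Pointing audit_file at the modules a browser actually loads gives a quick inventory of which ones will sit at a predictable address; a plugin that reports aslr_opt_in False is the kind of library the comment describes.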

  • Re:ew quicktime? (Score:3, Informative)

    by Idiomatick ( 976696 ) on Tuesday August 31, 2010 @02:05AM (#33423710)
    MS is bad for OSS' ideals and goals most of the time.

    Apple is bad for OSS' ideals and goals. Also bad for nerd ideals and goals. And bad for computers in general. Seriously, iTunes in the past has acted like malware, same w/ quicktime.

    Google is actually good. BUT the potential for evil that they have is so incredibly huge that it would make anyone paranoid. So people keep their eyes on it.
  • Re:ew quicktime? (Score:3, Informative)

    by Stupendoussteve ( 891822 ) on Tuesday August 31, 2010 @03:06AM (#33423896)

    Good thing they're not running Windows or Internet Explorer.

    Victim prerequisites:

    * Internet Explorer.
    * XP, Vista, W7.
    * Apple Quicktime 7.x, 6.x (2004 versions are also vulnerable, older versions not checked)

  • Re:ew quicktime? (Score:4, Informative)

    by Techman83 ( 949264 ) on Tuesday August 31, 2010 @03:10AM (#33423908)
    IMO quicktime causes windows to slow down and also likes to install background services. The Quicktime Alternative is just far less bloated and seems to work just as well. Also you aren't forced to use the quicktime player, it just behaves like any other normal video codec.
  • by TheRaven64 ( 641858 ) on Tuesday August 31, 2010 @08:10AM (#33425162) Journal
    If you've got a Mac, you almost certainly do use QuickTime. You may not use the QuickTime Player front-end, but a lot of other Mac apps use the underlying frameworks for media playback. Any time a Cocoa app goes beep, it's using the NSSound object (maybe wrapped in the NSBeep() function), and NSSound uses QuickTime for audio decoding. iTunes uses it for playing back music, Safari uses it for video and audio, iMovie uses it for playback and encoding, and so on. Unless you boot into single-user mode and then bring the machine up without launching the window server, odds are that you use QuickTime regularly.
  • Re:PS (Score:3, Informative)

    by clone53421 ( 1310749 ) on Tuesday August 31, 2010 @12:08PM (#33426264) Journal

    Perhaps you should have quoted the next sentence:

    This time Backdoor != malicious code but a horrible trick a developer implemented during the development cycle.

    It’s still a backdoor, and it can still be maliciously exploited. It’s just that it was apparently not put there to intentionally be malicious.

  • Re:ew quicktime? (Score:2, Informative)

    by Anonymous Coward on Tuesday August 31, 2010 @12:25PM (#33426520)

    To be fair, the flaw is almost a first for Quicktime -- an ancient product line predating iProducts, back when "multimedia" came in big letters on all home computers and all videos on the web were MPEG or MOV downloads. What is so bad is how we sleep in our laurels and wake up to find that we falsely associated safety with it because QT ran on a little targeted OS before it was ported to Windows...

    What on earth are you talking about?

    http://secunia.com/advisories/product/5090/

  • Re:Full advantage? (Score:4, Informative)

    by TheRaven64 ( 641858 ) on Tuesday August 31, 2010 @12:33PM (#33426666) Journal

    You make it sound like pairing the device is hard, but it's a simple wizard that takes about 10-15 seconds to run. It then needs to run once and that's it. Any time your phone is in the same room as the phone, you can sync just by hitting the 'sync now' button. No need to find the cable or connect it.

    I used to own an iPod, so I'm familiar with using iTunes for syncing. I plugged my iPod into my computer occasionally, but it was always a hassle. In contrast, the phone that I had at the time was always sync'd because I could initiate the sync while I was at my computer but my phone was still in my coat pocket hanging up.

    If I take a picture with my phone, I can select it and say 'send via bluetooth' on the phone, select my computer, and it appears on my computer. Again, no need for a cable, no need for a full sync. It's as easy as sending an MMS, as long as the computer is in the same room as the phone.

    Before the iPhone was launched and Apple decided to cripple every other device because the iPhone couldn't keep up, I got an on-screen notification whenever someone dialed my phone and I could send SMS and dial the phone from within Address Book. I can't do that with recent versions of OS X without a third-party app, because the iPhone can't do any of it and Apple didn't want their phone to look quite as bad as it is.

  • Re:ew quicktime? (Score:3, Informative)

    by DJRumpy ( 1345787 ) on Tuesday August 31, 2010 @12:59PM (#33426968)

    So any application (including malware) that does not use ASLR or DEP gets a free pass vulnerability? You don't elect to use these things. They are a keystone of the OS Security, not some feature you 'opt into'.
