
New QuickTime Flaw Bypasses ASLR, DEP 162

Posted by Soulskill
from the once-more-unto-the-breach dept.
Trailrunner7 writes "A Spanish security researcher has discovered a new vulnerability in Apple's QuickTime software that can be used to bypass both ASLR and DEP on current versions of Windows and give an attacker control of a remote PC. The flaw apparently results from a parameter from an older version of QuickTime that was left in the code by mistake. It was discovered by Ruben Santamarta of Wintercore, who said the vulnerability can be exploited remotely via a malicious Web site. On a machine running Internet Explorer on Windows 7, Vista or XP with QuickTime 7.x or 6.x installed, the problem can be exploited by using a heap-spraying technique. In his explanation of the details of the vulnerability and the exploit for it, Santamarta said he believes the parameter at the heart of the problem simply was not cleared out of older versions of the QuickTime code. 'The QuickTime plugin is widely installed and exploitable through IE; ASLR and DEP are not effective in this case and we will likely see this in the wild,' said HD Moore, founder of the Metasploit Project."

  • ew quicktime? (Score:1, Insightful)

    by w00tsauce (1482311) on Tuesday August 31 2010, @12:08AM (#33423246)
    People still use that garbage? That's like installing real player.
  • by Lehk228 (705449) on Tuesday August 31 2010, @12:19AM (#33423304) Journal
    bonzi buddy was pretty widely installed too.
  • Re:ew quicktime? (Score:3, Insightful)

    by profplump (309017) <zach@kotlarek.com> on Tuesday August 31 2010, @02:57AM (#33423866) Homepage

    Is QuickTime really that bad? I understand the objection to "claim all file types", but that's true of all commercial A/V systems. Beyond that, is there anything in particular I should object to about QuickTime, or is it just random Apple hate?

  • Re:Hold on (Score:3, Insightful)

    by 99BottlesOfBeerInMyF (813746) on Tuesday August 31 2010, @08:07AM (#33425146)

    If a badly-written program can circumvent ASLR and DEP for itself, then aren't DEP and ASLR a bit useless?

    In terms of preventing malware from running, no, they're an extra roadblock, but they are certainly not the hardest to overcome.

    How does a badly-written, ancient program "bypass" such measures?

    By linking the exploit to MS provided software included with Windows that does not use ASLR. From the article, "The gadgets come from Windows Live messenger dlls that are loaded by default on IE and have no ASLR flag."

    The Quicktime problem is that someone can get arbitrary code to try to execute on your box in the first place. That only happens because of the Quicktime flaw.

    Are DEP and ASLR really that worthless that "old programs" compiled before they came along are allowed to do anything?

    This isn't about old programs. This is the current version of Quicktime. This is about old code in the current version. Code that should never have shipped in the first place. But, until DEP and ASLR are applied to everything that is on a huge number of boxes and/or application level sandboxing or access control becomes robust, DEP and ASLR are not very effective.

    What's Quicktime doing differently from every other old, insecure program out there that makes it more of a risk?

    The Quicktime part of this exploit isn't all that unusual. It's just run of the mill except for being the result of programmers' backdoor shortcut code that should never have gone out in the production release. The bypassing of ASLR in this case was more interesting to me.
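A defender's check for the point this comment and the article make, that the ROP gadgets came from modules loaded into IE without the ASLR flag: an added example, not from the article or any commenter, that reads the DllCharacteristics field of a PE header and reports whether DYNAMIC_BASE (ASLR opt-in) and NX_COMPAT (DEP opt-in) are set. The flag values and header offsets are from the PE/COFF specification; build_fake_pe constructs a minimal, non-loadable header purely so the checker can be exercised offline.

```python
import struct
import sys
from typing import Dict

# IMAGE_DLLCHARACTERISTICS_* values from the PE/COFF specification.
DYNAMIC_BASE = 0x0040  # image may be rebased at load time, i.e. ASLR-eligible
NX_COMPAT = 0x0100     # image declares DEP (no-execute) compatibility


def dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics field of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # 20-byte COFF file header
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                          # optional header follows COFF header
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ layouts.
    return struct.unpack_from("<H", data, opt + 70)[0]


def mitigation_report(data: bytes) -> Dict[str, bool]:
    """True/False for whether the module opts in to ASLR and DEP."""
    flags = dll_characteristics(data)
    return {"aslr": bool(flags & DYNAMIC_BASE), "dep": bool(flags & NX_COMPAT)}


def build_fake_pe(characteristics: int) -> bytes:
    """Constructed minimal PE32 header (not a real DLL) carrying the given flags."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # i386, 0 sections, 96-byte optional header, Characteristics = DLL|EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, 0x2102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<H", opt, 70, characteristics)  # DllCharacteristics
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python check_aslr.py some.dll other.dll ...
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, mitigation_report(f.read()))
```

Run it over the modules a browser process actually loads; any entry reporting aslr=False is a fixed-address gadget source of the kind the article describes, regardless of which plugin supplied the initial bug.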

  • Re:ew quicktime? (Score:3, Insightful)

    by darkpixel2k (623900) <slashdot@darkpixel.com> on Tuesday August 31 2010, @11:08AM (#33425518) Homepage

    I guess it's their shitty engineering that makes my computer so stable and operational.

    Yeah. Yesterday, I plugged a Mac laptop into a projector. Apparently the Mac needs to reboot after detecting new hardware or something--so it immediately rebooted without prompting, notifying, or even asking me to save. Apple is so awesomely user-friendly. That must be their engineering commitment to build a stable and operational computer.
    Anyways--while the mac was busy rebooting, I plugged my linux laptop in. It immediately started working.

  • Re:ew quicktime? (Score:3, Insightful)

    by DJRumpy (1345787) on Tuesday August 31 2010, @01:26PM (#33427328)

    So by your reasoning, all hackers properly implement security features?

    Do you even know what ASLR and DEP are? They are not 'features' that an app uses. They are built into the OS. If the OS can be exploited to bypass these then the exposure lies in the OS.

    You seem to be missing the disconnect between what you're saying and reality. If bypassing OS security was as simple as 'not properly implementing the security features available', then hackers' jobs would be all too easy. They could simply opt-out of using things like Virus Scan, Firewalls, Permissions, ASLR, or DEP.

  • Ummm, question? (Score:3, Insightful)

    by multimediavt (965608) on Tuesday August 31 2010, @07:40PM (#33431266)

    FTFA:

    The gadgets come from Windows Live messenger dlls that are loaded by default on IE and have no ASLR flag.

    Wouldn't that be an IE bug at this point that QuickTime is exploiting, not so much a QuickTime bug? I'm not apologizing for Apple not cleaning up their code after they removed a feature (RTFA!), but seems like MS is just as much to blame for this one with the Windows Live DLL being loaded by default and having no security on it.

    Just saying ... if you RTFA and don't just bash QT all day.

  • Re:ew quicktime? (Score:3, Insightful)

    by Techman83 (949264) on Tuesday August 31 2010, @09:26PM (#33431814)
    My facts are my personal experiences over the years, so take that as a testimonial of some random Internet user. But for a better and more complete explanation the quicktime alternative was written for a reason and the facts stated here [howtogeek.com] may go a long way to let you know why. I mean seriously a picture viewer? Also, why on earth would I want a _Video Codec_ to install a system service for updating and another one for making quicktime load faster for that 1 time every six months I'll use it. Applications that behave in this manner are a personal pet hate of mine (I repackage applications for a living) and Apple are big culprits for doing this (they are not alone here, I'm looking at you Adobe).
  • by stilesalaska (1841664) on Tuesday August 31 2010, @10:27PM (#33432078)
    Am I missing something here? Apple bashing? Hm seems to me that other programs had this too. Like VLC!! They fixed their program! It is just not Quick Time! It is so funny reading these posts and boy Are there some people here that DON'T READ! JUST BASH! Old version of VLC would be able to do the same thing And Open Office!!! Just sounds like A MS problem not just a Quick Time, Vlc, Openoffice etc...
