
New QuickTime Flaw Bypasses ASLR, DEP 162

Posted by Soulskill
from the once-more-unto-the-breach dept.
Trailrunner7 writes "A Spanish security researcher has discovered a new vulnerability in Apple's QuickTime software that can be used to bypass both ASLR and DEP on current versions of Windows and give an attacker control of a remote PC. The flaw apparently results from a parameter from an older version of QuickTime that was left in the code by mistake. It was discovered by Ruben Santamarta of Wintercore, who said the vulnerability can be exploited remotely via a malicious Web site. On a machine running Internet Explorer on Windows 7, Vista or XP with QuickTime 7.x or 6.x installed, the problem can be exploited by using a heap-spraying technique. In his explanation of the details of the vulnerability and the exploit for it, Santamarta said he believes the parameter at the heart of the problem simply was not cleared out of older versions of the QuickTime code. 'The QuickTime plugin is widely installed and exploitable through IE; ASLR and DEP are not effective in this case and we will likely see this in the wild,' said HD Moore, founder of the Metasploit Project."
  • ew quicktime? (Score:1, Insightful)

    by w00tsauce (1482311)
    People still use that garbage? That's like installing real player.
    • by Anonymous Coward on Tuesday August 31, 2010 @12:12AM (#33423270)

      Closed source.
      Apple's evil.
      Wait.
      Microsoft's evil.
      Wait.
      It's Google.
      No. Apple.
      No. Microsoft.
      Damn you evil closed source! You have me so confused as to who to hate .....

      • Re: (Score:3, Informative)

        by Idiomatick (976696)
        MS is bad for OSS' ideals and goals most of the time.

        Apple is bad for OSS' ideals and goals. Also bad for nerd ideals and goals. And bad for computers in general. Seriously, iTunes in the past has acted like malware, same with QuickTime.

        Google is actually good. BUT the potential for evil that they have is so incredibly huge that it would make anyone paranoid. So people keep their eyes on it.
    • Re:ew quicktime? (Score:5, Informative)

      by jonwil (467024) on Tuesday August 31, 2010 @12:17AM (#33423294)

      Considering that QuickTime is a core component of iTunes, if you own an iPhone, iPod or iPad, it's fairly hard to avoid QuickTime and still get full advantage of your device.

      • by Anonymous Coward

        If you own an iPhone, iPod, or iPad, it's fairly hard to get full advantage of your money.

      • Re: (Score:3, Interesting)

        by Techman83 (949264)
        iTunes without QuickTime Get iTune [msfn.org] Not necessarily. I don't own one, but a few of my friends have iDevices and the only way I'll support them is if they let me install itunes this way!
        • Re: (Score:3, Insightful)

          by profplump (309017)

          Is QuickTime really that bad? I understand the objection to "claim all file types", but that's true of all commercial A/V systems. Beyond that, is there anything in particular I should object to about QuickTime, or is it just random Apple hate?

          • Re:ew quicktime? (Score:4, Informative)

            by Techman83 (949264) on Tuesday August 31, 2010 @03:10AM (#33423908)
            IMO quicktime causes windows to slow down and also likes to install background services. The Quicktime Alternative is just far less bloated and seems to work just as well. Also you aren't forced to use the quicktime player, it just behaves like any other normal video codec.
            • Re: (Score:3, Interesting)

              by lordDallan (685707)
              Anyone have facts to back this up? Not trying to jump down anyone's throat. Genuinely curious if this has been measured.

              Also curious if this exploit really only affects IE? If it doesn't affect FireFox doesn't that mean that IE is also part of the problem?
              • Re: (Score:3, Insightful)

                by Techman83 (949264)
                My facts are my personal experiences over the years, so take that as a testimonial of some random Internet user. But for a better and more complete explanation the quicktime alternative was written for a reason and the facts stated here [howtogeek.com] may go a long way to let you know why. I mean seriously a picture viewer? Also, why on earth would I want a _Video Codec_ to install a system service for updating and another one for making quicktime load faster for that 1 time every six months I'll use it. Applications th
              • by cbhacking (979169)

                Quicktime installs a handful of additional (and unnecessary) stuff. In particular, it includes an IE plug-in that not only enables viewing of Quicktime movies in the browser but also replaces handling of other media formats, including JPEG rendering. This increases the browser footprint and slows it down noticeably, or at least it did the last time I installed Quicktime (a couple years ago). Also, I'm not entirely sure if it's Quicktime or iTunes that installs Bonjour, but that definitely falls into the cat

          • Re: (Score:1, Offtopic)

            by Techman83 (949264)
            Offtopic note: Answering slashdot posts whilst taking hell desk calls doesn't always work as expected ;)
      • Re: (Score:3, Informative)

        Good thing they're not running Windows or Internet Explorer.

        Victim prerequisites:

        * Internet Explorer.
        * XP,Vista,W7.
        * Apple Quicktime 7.x, 6.x (2004 versions are also vulnerable, older versions not checked)

    • by rsborg (111459)
      I'd say it's almost as widely installed as Adobe Reader. Here's a guesstimate answer as to how many copies there are [google.com] (numbers are old)
    • Re: (Score:1, Funny)

      by Anonymous Coward

      People still use that garbage? That's like installing real player.

      It's quite green to use garbage. And yes I'm a real player, and you can install me for a small fee.

    • by Anonymous Coward

      People love Apple for this stuff, though.

      No more screwing around bypassing ASLR or DEP, even the exploit code Just Works.

    • try updating itunes without getting all sorts of apple crapware on your system...

      My GF updated itunes a while back on my laptop to sync her iphone, and suddenly i had safari installed...

      and yes, i know my own flaws here:
      1) let my GF on my laptop
      2) own an ipod, thus needing itunes
      3) running windows on my laptop

      at the very least 2 will be corrected pretty soon (same for her iphone, she wants android now..)

      • by Culture20 (968837)

        and yes, i know my own flaws here:
        1) let my GF on my laptop
        2) own an ipod, thus needing itunes
        3) running windows on my laptop

        at the very least 2 will be corrected pretty soon (same for her iphone, she wants android now..)

        Bravo for dumping Windows, but don't you think dumping your GF is a little harsh? ;)

        • well, i have her convinced that android is better than getting a new iphone (and it didn't even take any brainwashing techniques), so dumping won't be needed :)

          (kidding, of course.. when we got together she had a windows mobile phone, and had just bought a laptop with vista... i honestly don't care too much)

  • Quick! (Score:1, Offtopic)

    by schmidt349 (690948)

    Can someone please print out and mail this article to Alanis Morissette so she knows what irony is?

  • by schmidt349 (690948)

    From the article: "The result of the problem is the creation of what amounts to a backdoor in the QuickTime code, Santamarta said. 'WATCH OUT! Do not hype this issue beyond it deserves...'"

    Looks like we already missed the boat on that one.

    • Re: (Score:3, Informative)

      by clone53421 (1310749)

      Perhaps you should have quoted the next sentence:

      This time Backdoor != malicious code but a horrible trick a developer implemented during the development cycle.

      It’s still a backdoor, and it can still be maliciously exploited. It’s just that it was apparently not put there to intentionally be malicious.

  • I have now uninstalled the Quicktime player. Would Quicktime Alternative be any safer? Seems Apple has had a rash of security issues lately.
    • There was a news article a ways back that stated that apple had more security holes than M$. Guess no one got the hint.
    • Re: (Score:1, Informative)

      by Anonymous Coward

      Would Quicktime Alternative be any safer?

      "QuickTime Alternative consists of codec libraries extracted from the official distribution, including the official QuickTime plugin required for playing QuickTime files (.MOV and others)"

    • by SheeEttin (899897)
      I'm gonna plug VLC [videolan.org] here.
      Free, open-source, plays just about everything. Files, streams, discs, you name it. Also does conversion (apparently, never really tried it), streaming (VLC as the stream server, that is), and minor video editing (hue, brightness, rotation, filters, etc.; but I don't know if this is just for viewing or what). Also subtitles.
      • by hairyfeet (841228) on Tuesday August 31, 2010 @03:02AM (#33423884) Journal

        The problem is nobody uses Quicktime for actually playing media files (BTW on Windows I'd prefer Kantaris [kantaris.org] as it has the VLC core but a MUCH nicer UI IMHO) anymore but like Safari Windows users get stuck with it if they want to use their iStuff.

        That is why I've told customers unless they want a really shitty experience if they want to play with iStuff they better be ready to shell out for a Mac. The Windows version has always been completely shitty, the red headed stepchild of Apple. Sure it'll work, but it is buggier, slower, and generally more crappy in every way than the native Mac version. Personally I'll stick with my Sandisk and if I wanted all the bling bling I'd get a Cowon and since funnily enough I prefer my phone to just make phone calls and actually like typing on a keyboard I don't think I'm in any danger of getting an iPhone or iPad (damn that is the WORST name, I still can't believe Steve came up with that.)

        • It's probably Apple getting its own back after dealing with IE and MS Office for Mac.

        • iPad (damn that is the WORST name, I still can't believe Steve came up with that.)

          You do realize that Steve Jobs was going to call the original iMac the MacMan? Yeah. MacMan [maclife.com]. Business technologist extraordinaire he is, but he's really not good at names.

      • I used to use VLC exclusively, but now I really only use it for media files that SMPlayer doesn’t like.

        I initially made the switch after somebody said that SMPlayer could be configured to require very little resources – it was about the only way I could get videos to play halfway decently on a particular computer that I was stuck using for a while. VLC wouldn’t play anything without it skipping badly on that computer even after I tried to configure it to be as minimalistic as possible.


    • Re: (Score:1, Interesting)

      by Anonymous Coward

      I have now uninstalled the Quicktime player. Would Quicktime Alternative be any safer? Seems Apple has had a rash of security issues lately.

      Depends on what you want it for, but VLC is always a good alternative.

      Windows 7 has basic support for playing mov files, without having to install Quicktime (and yay! for that). If you think upgrading to Win7 just for that is a bit overkill (it is of course :), your concern was security and Windows 7 is significantly better than XP overall in that regard.

      • by tlhIngan (30335)

        Windows 7 has basic support for playing mov files, without having to install Quicktime (and yay! for that). If you think upgrading to Win7 just for that is a bit overkill (it is of course :), your concern was security and Windows 7 is significantly better than XP overall in that regard.

        Any proper MPEG-4 player should do, actually. After all, besides h.264 and AAC in MPEG-4, the MP4 file format is also part of the spec. And the MP4 container is a pretty substantial subset of the QuickTime MOV container. (th

    • by arth1 (260657)

      The issues with QuickTime is why I banned iTunes several years ago, and have no intentions of reverting the ban until Apple releases an iTunes that doesn't sneak-install apps that work on a system level and are accessible even when iTunes isn't running.

      Just because Microsoft is evil doesn't make Apple good. Far from it -- they're quite often one of the most rotten fruits in the barrel. Quicktime isn't just proprietary, but unsafe by design, and comes with a preferences interface that is designed to trick

  • This attack doesn't belong to the class of "smashing" attacks ASLR and DEP are designed to prevent. It's like expecting salted passwords to help you defend against misconfigured NFS shares.
    • Re:Well duh. (Score:5, Interesting)

      by blueg3 (192743) on Tuesday August 31, 2010 @12:27AM (#33423352)

      This boils down to doing a heap spraying attack, and those are in the general class of exploits that ASLR (and to a lesser extent, DEP) are designed to prevent. However, it's fairly well-known at this point that ASLR can be defeated (sometimes) by well-crafted heap-spraying attacks. (Likewise, DEP can be defeated by stack-smashing using return-oriented programming.)

      • those are in the general class of exploits that ASLR (and to a lesser extent, DEP) are designed to prevent

        To be pedantic, neither of those is designed to "prevent" so much so as to minimize the likelihood of successful attack. It's not like, say PHP magic quotes, rather just something to make life significantly harder for exploit writers.

        • by KiloByte (825081)

          In fact, neither ASLR nor DEP can ever prevent an attack. They can at most minimize the damage, turning running arbitrary code into a mere DoS.

          With or without ASLR or DEP, you still need to fix the underlying security hole.

      • Re: (Score:1, Interesting)

        by Anonymous Coward

        Indeed, ROP is fun and the easiest technique to exploit classical buffer overflow bugs right now, but this is only because the compiler is too lax at implementing canaries and ASLR is crap.

        ASLR when performed right is unbeatable in the same way as 256-bit key encryption is, and I think the final nail on the code execution coffin will be full ASLR rather than DEP and Stack protection. The problem is that ASLR as shipped right now in most systems is far too weak and in some places it doesn't exist at all, giv

        • From what I recently read in regards to DEP/ASLR testing, the Apple Devs are simply being effen lazy or stupid as quicktime doesn't even use ASLR according to the graphic on this page http://taosecurity.blogspot.com/2010/07/secunia-survey-of-dep-and-aslr.html [blogspot.com]

          Note that I'd seen this graphic last week (don't recall if Eweek or other). I hate to say it but it's really bad when Adobe is actually responding to the issue by fixing their software unlike Apple. My understanding is that following an ASLR design st

      • Re:Well duh. (Score:5, Informative)

        by cbhacking (979169) on Tuesday August 31, 2010 @01:27AM (#33423600) Homepage Journal

        More to the point, this attack uses ROP (which, as you say, defeats DEP) but it does it using bits of code, called "gadgets", that are part of a library which is loaded without ASLR. Even though the browser itself is using ASLR, some of its libraries will be loaded at known locations, which is what makes this attack work. That's not exactly defeating ASLR so much as it is taking advantage of the fact that it isn't universally used yet, kind of like the way some legacy programs aren't DEP-compatible.

        For the time being, ASLR is only opt-in; if a library doesn't mark itself as ASLR-compatible, the loader will put it at its preferred base address. Or at least, it will try to. The fact is that dynamically linked libraries can never guarantee that their preferred address range is available, and therefore should never assume that they are at a given location in memory. In fact, most of them don't... but they still don't have the opt-in flag, either because they're old or because the developer didn't set it. I wonder how hard it would be to simply *force* ASLR by telling each library, as it loads, that its preferred address is simply unavailable and it's going to be stuck someplace else...

        • by drinkypoo (153816)

          wonder how hard it would be to simply *force* ASLR by telling each library, as it loads, that its preferred address is simply unavailable and it's going to be stuck someplace else...

          it would be real easy and this is probably precisely how it's done, at least, only libraries which are relocated at all get ASLR. It's not done universally because some [improperly written] libraries crap themselves when you do this.

    • Re: (Score:1, Offtopic)

      by Lorens (597774)
      So why aren't people more interested in OS like KeyKOS/Eros/Coyotos/CapROS [wikipedia.org] that are designed to prevent all and any attacks while simplifying programming and maintaining or even increasing usability?
  • At first I thought "Ruben Santamarta of Wintercore" was his name. I also considered this awesome.
  • Successfully created meterpreter session with XP test box but not against 7 box despite what TFA says. Anyone experiencing similar results?
  • This might have been avoided if MS had something like the App store for Windows. They could have taken their time before allowing this to be released .... just to be really really sure that something like this wouldn't happen.

    I keeed, I keeed .... sorta. :-)

  • Hold on (Score:3, Interesting)

    by ledow (319597) on Tuesday August 31, 2010 @06:09AM (#33424554) Homepage

    If a badly-written program can circumvent ASLR and DEP for itself, then aren't DEP and ASLR a bit useless? The point of them is to prevent data execution, and to randomise the address space. How does a badly-written, ancient program "bypass" such measures? I can understand such measures not being applied (e.g. because ASLR or DEP on really-old code would break it because it was written with certain assumptions) but what that then assumes is that some administrator or Microsoft programmer has chosen at some point to disable DEP and ASLR for those old programs (if they have DEP and ASLR enabled at all). And if the code wasn't compiled without some DEP/ASLR magic enabled, then is this really surprising? What's to stop any other program similarly avoiding DEP/ASLR, or anyone exploiting such programs?

    How is this a "Quicktime problem" when the code being attacked is years old, and yet the OS still lets it break basic security? Surely the problem is not the program, but the things that let it execute. Hell, I have used old Windows programs that refuse to work with DEP enabled because they make certain assumptions and I realised that because the DEP handler would prevent them working in XP - they were NOT compiled at a time when any knowledge of DEP or ASLR on Windows was around. That's the whole point of DEP, isn't it? To stop programs executing code they shouldn't? I had to force an override for them network-wide but that was my choice, and no I did not specifically enable DEP myself, the Windows XP install decided to do that for me.

    Is this version of QuickTime whitelisted? Are DEP and ASLR really that worthless that "old programs" compiled before they came along are allowed to do anything? Isn't this the fault of an administrator running an outdated program rather than anything to do with DEP, ASLR, Quicktime or anything else? What's Quicktime doing differently to every other old, insecure program out there that makes it more of a risk?

    Seems like a complete red herring to me. Don't run old software. Don't run insecure software. Don't run programs that you haven't authorised yourself. And, apparently, don't rely on DEP or ASLR to actually DO anything.

    • Re: (Score:3, Insightful)

      If a badly-written program can circumvent ASLR and DEP for itself, then aren't DEP and ASLR a bit useless?

      In terms of preventing malware from running, no, they're an extra roadblock, but they are certainly not the hardest to overcome.

      How does a badly-written, ancient program "bypass" such measures?

      By linking the exploit to MS provided software included with Windows that does not use ASLR. From the article, "The gadgets come from Windows Live messenger dlls that are loaded by default on IE and have no ASLR flag,"

      The Quicktime problem is that someone can get arbitrary code to try to execute on your box in the first place. That only happens because of the Quicktime flaw.

      Are DEP and ASLR really that worthless that "old programs" compiled before they came along are allowed to do anything?

      This is

  • Thapple.

  • Ummm, question? (Score:3, Insightful)

    by multimediavt (965608) on Tuesday August 31, 2010 @07:40PM (#33431266)

    FTFA:

    The gadgets come from Windows Live messenger dlls that are loaded by default on IE and have no ASLR flag.

    Wouldn't that be an IE bug at this point that QuickTime is exploiting, not so much a QuickTime bug? I'm not apologizing for Apple not cleaning up their code after they removed a feature (RTFA!), but seems like MS is just as much to blame for this one with the WindowsLive DLL being loaded by default and having no security on it.

    Just saying ... if you RTFA and don't just bash QT all day.

  • Am I missing something here? Apple bashing? Hm seems to me that other programs had this too. Like VLC!! They fixed their program! IT is just not Quick Time! It is so funny reading these post and boy Are there some people here that DON'T READ! JUST BASH! Old version of VLC would be able to do the same thing And Open Office!!! Just sounds like A MS problem not just a Quick Time, Vlc, Openoffice etc...
    • Hm seems to me that other programs had this too. Like VLC!!

      Nice FUD... neither of TFAs mentioned VLC or VideoLan player. I checked.

      So, citation needed.
