New QuickTime Flaw Bypasses ASLR, DEP 162
Trailrunner7 writes "A Spanish security researcher has discovered a new vulnerability in Apple's QuickTime software that can be used to bypass both ASLR and DEP on current versions of Windows and give an attacker control of a remote PC. The flaw apparently results from a parameter from an older version of QuickTime that was left in the code by mistake. It was discovered by Ruben Santamarta of Wintercore, who said the vulnerability can be exploited remotely via a malicious Web site. On a machine running Internet Explorer on Windows 7, Vista or XP with QuickTime 7.x or 6.x installed, the problem can be exploited by using a heap-spraying technique. In his explanation of the details of the vulnerability and the exploit for it, Santamarta said he believes the parameter at the heart of the problem simply was not cleared out of older versions of the QuickTime code. 'The QuickTime plugin is widely installed and exploitable through IE; ASLR and DEP are not effective in this case and we will likely see this in the wild,' said HD Moore, founder of the Metasploit Project."
ew quicktime? (Score:1, Insightful)
Re:ew quicktime? (Score:4, Funny)
Closed source. .....
Apple's evil.
Wait.
Microsoft's evil.
Wait.
It's Google.
No. Apple.
No. Microsoft.
Damn you evil closed source! You have me so confused as to who to hate
Re: (Score:3, Informative)
Apple is bad for OSS' ideals and goals. Also bad for nerd ideals and goals. And bad for computers in general. Seriously, iTunes in past has acted like malware same w/ quicktime.
Google is actually good. BUT the potential for evil that they have is so incredibly huge that it would make anyone paranoid. So people keep their eyes on it.
Re: (Score:3, Insightful)
I guess it's their shitty engineering that makes my computer so stable and operational.
Yeah. Yesterday, I plugged a Mac laptop into a projector. Apparently the Mac needs to reboot after detecting new hardware or something--so it immediately rebooted without prompting, notifying, or even asking me to save. Apple is so awesomely user-friendly. That must be their engineering commitment to build a stable and operational computer.
Anyways--while the mac was busy rebooting, I plugged my linux laptop in. It immediately started working.
Re: (Score:2)
Is the "interesting" mod referring to how interesting it is that you are bad at understanding/discovering causes?
Re: (Score:2)
Apple refuses to follow standards and does not have a decent framework for introducing new hardware. Cause discovered and understood.
Having supported Macs in a professional capacity I have seen multiple examples of what the GP is talking about but Mac users tend to pretend that their machine didn't reboot when they plugged in a new bit of kit.
To get back on topic, I avoid quicktime like
Re: (Score:2)
You've seen a MacBook do a silent reboot when plugged into a secondary monitor?
Re: (Score:2)
Worse, I've seen an Imac do a "silent" (what's silent about it, it's quite obvious what happened) reboot when a USB thumb drive was plugged into it.
Re: (Score:2)
Is the "interesting" mod referring to how interesting it is that you are bad at understanding/discovering causes?
What do I care about the cause? Who cares if it's a null pointer or other bizarre issue in the Mac? The point is, one crashed and the other didn't. I find it funny that the mac fanboy is talking about how Macs are so damn stable, they were designed by Jesus himself--yet I had the exact opposite experience. (And I'm perfectly fine admitting that I have had tons of trouble in the past with Ubuntu and external monitors. I was actually surprised it worked.)
Re: (Score:2)
Mod parent up: +1, Bullshit
Re: (Score:2)
Did Fox News write that one for you?
-1 total fabrication.
Re: (Score:2)
That's an interesting story.. what's that I smell? It smells like bullshit. Are you sure that it wasn't your "linux" laptop dual-booted into windows?
You're right--I often confuse blue screens with core dumps.
Re: (Score:2)
Where was it that I said linux was good for grandmothers? Or anything about linux OR grandmothers. Geez.
Re: (Score:2)
Why do you say that? The exposure is in the OS. Although the software may have exposed it, the vulnerability lies with MS to fix.
Re: (Score:2)
are you seriously that stupid?
you think that the exploit, which is in Quicktime, is MS's fault?
so do you say the same thing about it being apple's fault when a program by adobe is used to exploit OSX in the yearly pwn2own?
newsflash.
it's an apple problem, regardless of the desires of the apple fandom.
Re: (Score:3, Interesting)
Yes I do believe that the exposure in the PDF problem was Apple's fault due to a flaw in iOS. You might also recall (or maybe not given your response) that Apple closed that exposure (not Adobe).
The owner of the exposure was clear, just as it is clear in this case. If ASLR and DEP fails to protect against such an exposure, they are flawed.
Re: (Score:2)
Re: (Score:3, Informative)
So any application (including malware) that does not use ASLR or DEP gets a free pass vulnerability? You don't elect to use these things. They are a keystone of the OS Security, not some feature you 'opt into'.
Re: (Score:2)
Re: (Score:2)
Malware implies code already executing on your machine. By the time you get that far, DEP and ASLR are already bypassed; their purpose is to prevent the execution of such code in the first place. There are other things one can do to mitigate the damage, such as limited permissions and sandboxing, but you're comparing apples to oranges here. DEP and ASLR make exploits more difficult. Malware is something that exploits (or stupid users) install. Malware could quite happily opt in to DEP and ASLR; it wouldn't
Re: (Score:2)
Except that you’re completely wrong, of course.
ASLR and DEP are not “keystone OS security” features designed to protect the OS from malicious applications.
They are, in fact, “opt-in” security features designed to protect applications from malicious input which could cause a buffer underrun (and this is always an application error, not an OS error).
Re: (Score:3, Insightful)
So by your reasoning, all hackers properly implement security features?
Do you even know what ASLR and DEP are? They are not 'features' that an app uses. They are built into the OS. If the OS can be exploited to bypass these then the exposure lies in the OS.
You seem to be missing the disconnect between what you're saying and reality. If bypassing OS security was as simple as 'not properly implementing the security features available', then hackers' jobs would be all too easy. They could simply opt-out of using th
Re: (Score:2)
Re: (Score:2)
Apparently you are the one who does not understand. DEP and ASLR are features provided by the OS, but they are *NOT* universally backward-compatible features. Some apps will break if DEP is enabled. Some libraries will break if ASLR is enabled. ASLR is new enough that it's still not uncommon to find libraries which weren't coded with it in mind.
As for "not properly implementing security the features available" you *really* should take the foot out of your mouth before you choke on it. For one thing, any app
Re: (Score:2)
Re:ew quicktime? (Score:5, Informative)
Considering that QuickTime is a core component of iTunes, if you own an iPhone, iPod or iPad, it's fairly hard to avoid QuickTime and still get full advantage of your device.
Full advantage? (Score:1, Funny)
If you own an iPhone, iPod, or iPad, it's fairly hard to get full advantage of your money.
Re: (Score:3, Interesting)
The thing I love about the iPhone is the lack of OS X integration. It works via iTunes, just like an iPod, meaning that you have to plug in a cable to sync. Meanwhile, almost every other phone (including my last four, two from Ericsson and two from Nokia), sync via bluetooth in iSync, so you just put them in the same room as the Mac and click on the 'sync now' button in the top-right of the menu bar. All of your calendars, contacts, and notes are sync'd. You can transfer photographs and other files by b
Re:Full advantage? (Score:4, Informative)
You make it sound like pairing the device is hard, but it's a simple wizard that takes about 10-15 seconds to run. It then needs to run once and that's it. Any time your phone is in the same room as the phone, you can sync just by hitting the 'sync now' button. No need to find the cable or connect it.
I used to own an iPod, so I'm familiar with using iTunes for syncing. I plugged my iPod into my computer occasionally, but it was always a hassle. In contrast, the phone that I had at the time was always sync'd because I could initiate the sync while I was at my computer but my phone was still in my coat pocket hanging up.
If I take a picture with my phone, I can select it and say 'send via bluetooth' on the phone, select my computer, and it appears on my computer. Again, no need for a cable, no need for a full sync. It's as easy as sending an MMS, as long as the computer is in the same room as the phone.
Before the iPhone was launched and Apple decided to cripple every other device because the iPhone couldn't keep up, I got an on-screen notification whenever someone dialed my phone and I could send SMS and dial the phone from within Address Book. I can't do that with recent versions of OS X without a third-party app, because the iPhone can't do any of it and Apple didn't want their phone to look quite as bad as it is.
Re: (Score:3, Interesting)
Re: (Score:3, Insightful)
Is QuickTime really that bad? I understand the objection to "claim all file types", but that's true of all commercial A/V systems. Beyond that, is there anything in particular I should object to about QuickTime, or is it just random Apple hate?
Re:ew quicktime? (Score:4, Informative)
Re: (Score:3, Interesting)
Also curious if this exploit really only affects IE? If it doesn't affect FireFox doesn't that mean that IE is also part of the problem?
Re: (Score:3, Insightful)
Re: (Score:2)
Quicktime installs a handful of additional (and unnecessary) stuff. In particular, it includes an IE plug-in that not only enables viewing of Quicktime movies in the browser but also replaces handling of other media formats, including JPEG rendering. This increases the browser footprint and slows it down noticeably, or at least it did the last time I installed Quicktime (a couple years ago). Also, I'm not entirely sure if it's Quicktime or iTunes that installs Bonjour, but that definitely falls into the cat
Re: (Score:1, Offtopic)
Re: (Score:3, Informative)
Good thing they're not running Windows or Internet Explorer.
Victim prerequisites:
* Internet Explorer.
* XP,Vista,W7.
* Apple Quicktime 7.x, 6.x ( 2004 versions are also vulnerable, older versions not checked )
Re: (Score:2)
Misread parent, although not using IE is still pretty standard, no?
Re:ew quicktime? (Score:4, Interesting)
Another outstanding reason to avoid shiny geegaws from an evil company.
To be fair, the flaw is almost a first for Quicktime --an ancient product line predating iProducts, back when "multimedia" came in big letters on all home computers and all videos on the web were MPEG or MOV downloads. What is so bad is how we sleep on our laurels and wake up to find that we falsely associated safety with it because QT ran on a little targeted OS before it was ported to Windows...
IIRC, Apple isn't the number one seller of smartphones nor MP3 players, or distributor of Windows Multimedia readers. Yet it's generating enough attention to get exploited. Even if you and I don't own recent apple products, we have been falling in a parallel situation and taking it for granted again: all those free Google clients downloaded over the years have become a juicy target. All we need is someone to find a weak spot.
Scratch that! All we need is an unlikely "someone" among that small group who will PUBLISH the weak spot of that juicy target. All the others just exploit it for months without us being the wiser.
Re: (Score:2, Informative)
To be fair, the flaw is almost a first for Quicktime --an ancient product line predating iProducts, back when "multimedia" came in big letters on all home computers and all videos on the web were MPEG or MOV downloads. What is so bad is how we sleep on our laurels and wake up to find that we falsely associated safety with it because QT ran on a little targeted OS before it was ported to Windows...
What on earth are you talking about?
http://secunia.com/advisories/product/5090/
Re: (Score:2)
To be fair, the flaw is almost a first for Quicktime
Uh... Secunia would beg to differ. 56 advisories, each of which may cover multiple vulnerabilities. There are 136 reported vulnerabilities (across 27 advisories) in Quicktime 7.x alone. The oldest reported vulnerability in Secunia's database is for Quicktime 3. It's not the worst record ever, but it's hardly valid to claim that this flaw is "almost a first" in any way.
Re: (Score:2)
Apple kicked my dog and slept with my girl friend.
Itunes requires quicktime (Score:3, Informative)
Re:Itunes requires quicktime (Score:5, Insightful)
not the plugin (Score:2)
You can turn off the browser plugin.
Re: (Score:1, Funny)
People still use that garbage? That's like installing real player.
It's quite green to use garbage. And yes I'm a real player, and you can install me for a small fee.
This is why people love Apple! (Score:1, Funny)
People love Apple for this stuff, though.
No more screwing around bypassing ASLR or DEP, even the exploit code Just Works.
Re: (Score:2)
try updating itunes without getting all sorts of apple crapware on your system...
My GF updated itunes a while back on my laptop to sync her iphone, and suddenly i had safari installed...
and yes, i know my own flaws here:
1) let my GF on my laptop
2) own an ipod, thus needing itunes
3) running windows on my laptop
at the very least 2 will be corrected pretty soon (same for her iphone, she wants android now..)
Re: (Score:2)
and yes, i know my own flaws here:
1) let my GF on my laptop
2) own an ipod, thus needing itunes
3) running windows on my laptop
at the very least 2 will be corrected pretty soon (same for her iphone, she wants android now..)
Bravo for dumping Windows, but don't you think dumping your GF is a little harsh? ;)
Re: (Score:2)
well, i have her convinced that android is better than getting a new iphone (and it didn't even take any brainwashing techniques), so dumping won't be needed :)
(kidding, of course.. when we got together she had a windows mobile phone, and had just bought a laptop with vista... i honestly don't care too much)
Re: (Score:2)
Well someone has figured out the purpose of a double rainbow.
Quick! (Score:1, Offtopic)
Can someone please print out and mail this article to Alanis Morissette so she knows what irony is?
Re: (Score:2)
It's like 10,000 PCs when all you need is a Mac.
Re:Quick! (Score:4, Funny)
Or free software when you've already paid.
Re: (Score:2)
it is a critical vulnerability fix, two minutes too late
PS (Score:2)
From the article: "The result of the problem is the creation of what amounts to a backdoor in the QuickTime code, Santamarta said. 'WATCH OUT! Do not hype this issue beyond it deserves...'"
Looks like we already missed the boat on that one.
Re: (Score:3, Informative)
Perhaps you should have quoted the next sentence:
This time Backdoor != malicious code but a horrible trick a developer implemented during the development cycle.
It’s still a backdoor, and it can still be maliciously exploited. It’s just that it was apparently not put there to intentionally be malicious.
Quicktime Uninstalled (Score:1)
Re: (Score:1)
Re: (Score:1, Informative)
Would Quicktime Alternative be any safer?
"QuickTime Alternative consists of codec libraries extracted from the official distribution, including the official QuickTime plugin required for playing QuickTime files (.MOV and others)"
Re: (Score:2)
Free, open-source, plays just about everything. Files, streams, discs, you name it. Also does conversion (apparently, never really tried it), streaming (VLC as the stream server, that is), and minor video editing (hue, brightness, rotation, filters, etc.; but I don't know if this is just for viewing or what). Also subtitles.
Comment removed (Score:4, Informative)
Re: (Score:2)
It's probably Apple getting its own back after dealing with IE and MS Office for Mac.
Re: (Score:2)
Word 5.1a for Mac was great!
iPad name (Score:2)
You do realize that Steve Jobs was going to call the original iMac the MacMan? Yeah. MacMan [maclife.com]. Business technologist extraordinaire he is, but he's really not good at names.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I used to use VLC exclusively, but now I really only use it for media files that SMPlayer doesn’t like.
I initially made the switch after somebody said that SMPlayer could be configured to require very little resources – it was about the only way I could get videos to play halfway decently on a particular computer that I was stuck using for a while. VLC wouldn’t play anything without it skipping badly on that computer even after I tried to configure it to be as minimalistic as possible.
Re: (Score:1, Interesting)
I have now uninstalled the Quicktime player. Would Quicktime Alternative be any safer? Seems Apple has had a rash of security issues lately.
Depends on what you want it for, but VLC is always a good alternative.
Windows 7 has basic support for playing mov files, without having to install Quicktime (and yay! for that). If you think upgrading to Win7 just for that is a bit overkill (it is of course :), your concern was security and Windows 7 is significantly better than XP overall in that regard.
Re: (Score:2)
Any proper MPEG-4 player should do, actually. After all, besides h.264 and AAC in MPEG-4, the MP4 file format is also part of the spec. And the MP4 container is a pretty substantial subset of the QuickTime MOV container. (th
Re: (Score:2)
The issues with QuickTime is why I banned iTunes several years ago, and have no intentions of reverting the ban until Apple releases an iTunes that doesn't sneak-install apps that work on a system level and are accessible even when iTunes isn't running.
Just because Microsoft is evil doesn't make Apple good. Far from it -- they're quite often one of the most rotten fruits in the barrel. Quicktime isn't just proprietary, but unsafe by design, and comes with a preferences interface that is designed to trick
Well duh. (Score:2)
Re:Well duh. (Score:5, Interesting)
This boils down to doing a heap spraying attack, and those are in the general class of exploits that ASLR (and to a lesser extent, DEP) are designed to prevent. However, it's fairly well-known at this point that ASLR can be defeated (sometimes) by well-crafted heap-spraying attacks. (Likewise, DEP can be defeated by stack-smashing using return-oriented programming.)
Re: (Score:2)
those are in the general class of exploits that ASLR (and to a lesser extent, DEP) are designed to prevent
To be pedantic, neither of those is designed to "prevent" so much so as to minimize the likelihood of successful attack. It's not like, say PHP magic quotes, rather just something to make life significantly harder for exploit writers.
Re: (Score:2)
In fact, neither ASLR nor DEP can ever prevent an attack. They can at most minimize the damage, turning running arbitrary code into a mere DoS.
With or without ASLR or DEP, you still need to fix the underlying security hole.
Re: (Score:2)
Exploits get patched eventually. If this increases the time it takes between a patch and a new exploit, wouldn't you say it is still worth it?
Re: (Score:1, Interesting)
Indeed, ROP is fun and the easiest technique to exploit classical buffer overflow bugs right now, but this is only because the compiler is too lax at implementing canaries and ASLR is crap.
ASLR when performed right is unbeatable in the same way as 256-bit key encryption is, and I think the final nail on the code execution coffin will be full ASLR rather than DEP and Stack protection. The problem is that ASLR as shipped right now in most systems is far too weak and in some places it doesn't exist at all, giv
Re: (Score:2)
From what I recently read in regards to DEP/ASLR testing, the Apple Devs are simply being effen lazy or stupid as quicktime doesn't even use ASLR according to the graphic on this page http://taosecurity.blogspot.com/2010/07/secunia-survey-of-dep-and-aslr.html [blogspot.com].
Note that I'd seen this graphic last week (don't recall if Eweek or other). I hate to say it but it's really bad when Adobe is actually responding to the issue by fixing their software unlike Apple. My understanding is that following an ASLR design st
Re:Well duh. (Score:5, Informative)
More to the point, this attack uses ROP (which, as you say, defeats DEP) but it does it using bits of code, called "gadgets", that are part of a library which is loaded without ASLR. Even though the browser itself is using ASLR, some of its libraries will be loaded at known locations, which is what makes this attack work. That's not exactly defeating ASLR so much as it is taking advantage of the fact that it isn't universally used yet, kind of like the way some legacy programs aren't DEP-compatible.
For the time being, ASLR is only opt-in; if a library doesn't mark itself as ASLR-compatible, the loader will put it at its preferred base address. Or at least, it will try to. The fact is that dynamically linked libraries can never guarantee that their preferred address range is available, and therefore should never assume that they are at a given location in memory. In fact, most of them don't... but they still don't have the opt-in flag, either because they're old or because the developer didn't set it. I wonder how hard it would be to simply *force* ASLR by telling each library, as it loads, that its preferred address is simply unavailable and it's going to be stuck someplace else...
Re: (Score:2)
wonder how hard it would be to simply *force* ASLR by telling each library, as it loads, that its preferred address is simply unavailable and it's going to be stuck someplace else...
it would be real easy and this is probably precisely how it's done, at least, only libraries which are relocated at all get ASLR. It's not done universally because some [improperly written] libraries crap themselves when you do this.
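The comments above (the "gadgets from a library loaded without ASLR" point and the "ASLR is only opt-in" discussion) turn on two linker flags a defender can audit directly: DYNAMICBASE (ASLR opt-in) and NXCOMPAT (DEP opt-in) in the PE optional header's DllCharacteristics field, plus the COFF "relocations stripped" bit that makes a DYNAMICBASE flag meaningless because the loader has nothing to relocate. The following is an added example written for this thread, not code from any poster, Secunia, or Microsoft. It parses those fields from raw PE bytes with the standard library only, and builds a few constructed minimal PE images so it runs offline; on a real system you would point `audit_files` at the DLLs loaded into a browser process instead. Flag values are from the PE/COFF specification; `build_sample_pe` is a hypothetical helper that fabricates just enough header to exercise the parser.

```python
"""Audit PE images (EXE/DLL) for the ASLR and DEP opt-in flags.

Added example for the discussion of opt-in ASLR/DEP; not the project's code.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, List

# IMAGE_DLLCHARACTERISTICS_* bits in the optional header (PE/COFF spec).
DLLCHAR_HIGH_ENTROPY_VA = 0x0020  # 64-bit image can use the full random address space
DLLCHAR_DYNAMIC_BASE = 0x0040     # /DYNAMICBASE: image may be relocated (ASLR opt-in)
DLLCHAR_NX_COMPAT = 0x0100        # /NXCOMPAT: image declares itself DEP-compatible
# IMAGE_FILE_* bit in the COFF file header.
FILE_RELOCS_STRIPPED = 0x0001     # no .reloc data: the loader cannot move the image

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


@dataclass
class MitigationReport:
    name: str
    is_64bit: bool
    aslr: bool            # DYNAMICBASE present
    dep: bool             # NXCOMPAT present
    high_entropy: bool    # HIGH_ENTROPY_VA present (only meaningful for 64-bit)
    relocs_stripped: bool

    def issues(self) -> List[str]:
        """Human-readable findings; an empty list means the image opts in cleanly."""
        out = []
        if not self.aslr:
            out.append("no DYNAMICBASE: loaded at its preferred base, usable as a gadget source")
        elif self.relocs_stripped:
            out.append("DYNAMICBASE set but relocations stripped: loader cannot actually move it")
        if not self.dep:
            out.append("no NXCOMPAT: process may fall back to DEP opt-out for this image")
        if self.is_64bit and self.aslr and not self.high_entropy:
            out.append("64-bit image without HIGH_ENTROPY_VA: reduced ASLR entropy")
        return out


def parse_pe_mitigations(name: str, data: bytes) -> MitigationReport:
    """Read the COFF Characteristics and optional-header DllCharacteristics of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError(f"{name}: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)       # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError(f"{name}: missing PE signature")
    coff = e_lfanew + 4                                       # 20-byte COFF file header
    (file_chars,) = struct.unpack_from("<H", data, coff + 18) # Characteristics field
    opt = coff + 20                                           # optional header follows COFF
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"{name}: unknown optional header magic 0x{magic:x}")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return MitigationReport(
        name=name,
        is_64bit=(magic == PE32PLUS_MAGIC),
        aslr=bool(dll_chars & DLLCHAR_DYNAMIC_BASE),
        dep=bool(dll_chars & DLLCHAR_NX_COMPAT),
        high_entropy=bool(dll_chars & DLLCHAR_HIGH_ENTROPY_VA),
        relocs_stripped=bool(file_chars & FILE_RELOCS_STRIPPED),
    )


def audit_files(paths: Iterable[str]) -> Dict[str, MitigationReport]:
    """Audit on-disk images; on Windows, feed it the DLLs a browser process has mapped."""
    reports = {}
    for path in paths:
        with open(path, "rb") as fh:
            reports[path] = parse_pe_mitigations(path, fh.read(4096))  # headers only
    return reports


def build_sample_pe(dll_chars: int, file_chars: int, plus: bool = False) -> bytes:
    """Constructed minimal PE header (hypothetical test helper, not a loadable image)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew -> right after DOS header
    coff = bytearray(20)
    struct.pack_into("<H", coff, 16, 112 if plus else 96)      # SizeOfOptionalHeader
    struct.pack_into("<H", coff, 18, file_chars)
    opt = bytearray(112 if plus else 96)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + bytes(coff) + bytes(opt)


if __name__ == "__main__":
    # Constructed samples standing in for a modern DLL and two legacy ones.
    samples = {
        "modern.dll": build_sample_pe(DLLCHAR_DYNAMIC_BASE | DLLCHAR_NX_COMPAT, 0),
        "legacy.dll": build_sample_pe(0, 0),
        "stripped.dll": build_sample_pe(DLLCHAR_DYNAMIC_BASE, FILE_RELOCS_STRIPPED),
    }
    for name, blob in samples.items():
        report = parse_pe_mitigations(name, blob)
        print(f"{name}: ASLR={report.aslr} DEP={report.dep} issues={report.issues() or 'none'}")
```

The point the thread makes is visible in the output: a single DLL like `legacy.dll` in a process that is otherwise fully randomized sits at a predictable address, and a DYNAMICBASE flag on an image with stripped relocations buys nothing. Either finding is worth escalating to whoever owns the image, which is exactly the "who is responsible" argument the commenters are having.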
Re: (Score:1, Offtopic)
Kinda disappointed (Score:1)
Working..somewhat (Score:1)
MS should be more like Apple (Score:2)
This might have been avoided if MS had a something like the App store for Windows. They could have taken their time before allowing this to be released .... just to be really really sure there something like this wouldn't happen.
I keeed, I keeed .... sorta. :-)
Hold on (Score:3, Interesting)
If a badly-written program can circumvent ASLR and DEP for itself, then aren't DEP and ASLR a bit useless? The point of them is to prevent data execution, and to randomise the address space. How does a badly-written, ancient program "bypass" such measures? I can understand such measures not being applied (e.g. because ASLR or DEP on really-old code would break it because it was written with certain assumptions) but what that then assumes is that some administrator or Microsoft programmer has chosen at some point to disable DEP and ASLR for those old programs (if they have DEP and ASLR enabled at all). And if the code wasn't compiled without some DEP/ASLR magic enabled, then is this really surprising? What's to stop any other program similarly avoiding DEP/ASLR, or anyone exploiting such programs?
How is this a "Quicktime problem" when the code being attacked is years old, and yet the OS still lets it break basic security? Surely the problem is not the program, but the things that let it execute. Hell, I have used old Windows programs that refuse to work with DEP enabled because they make certain assumptions and I realised that because the DEP handler would prevent them working in XP - they were NOT compiled at a time when any knowledge of DEP or ASLR on Windows was around. That's the whole point of DEP, isn't it? To stop programs executing code they shouldn't? I had to force an override for them network-wide but that was my choice, and no I did not specifically enable DEP myself, the Windows XP install decided to do that for me.
Is this version of QuickTime whitelisted? Are DEP and ASLR really that worthless that "old programs" compiled before they came along are allowed to do anything? Isn't this the fault of an administrator running an outdated program rather than anything to do with DEP, ASLR, Quicktime or anything else? What's Quicktime doing differently to every other old, insecure program out there that makes it more of a risk?
Seems like a complete red herring to me. Don't run old software. Don't run insecure software. Don't run programs that you haven't authorised yourself. And, apparently, don't rely on DEP or ASLR to actually DO anything.
Re: (Score:3, Insightful)
If a badly-written program can circumvent ASLR and DEP for itself, then aren't DEP and ASLR a bit useless?
In terms of preventing malware from running, no, they're an extra roadblock, but they are certainly not the hardest to overcome.
How does a badly-written, ancient program "bypass" such measures?
By linking the exploit to MS provided software included with Windows that does not use ASLR. From the article, "The gadgets come from Windows Live messenger dlls that are loaded by default on IE and have no ASLR flag,"
The Quicktime problem is that someone can get arbitrary code to try to execute on your box in the first place. That only happens because of the Quicktime flaw.
Are DEP and ASLR really that worthless that "old programs" compiled before they came along are allowed to do anything?
This is
Thanks, Apple. (Score:2)
Thapple.
Ummm, question? (Score:3, Insightful)
FTFA:
The gadgets come from Windows Live messenger dlls that are loaded by default on IE and have no ASLR flag.
Wouldn't that be an IE bug at this point that QuickTime is exploiting, not so much a QuickTime bug? I'm not apologizing for Apple not cleaning up their code after they removed a feature (RTFA!), but seems like MS is just as much to blame for this one with the WindowsLive DLL being loaded by default and having no security on it.
Just saying ... if you RTFA and don't just bash QT all day.
YA ALL MISSING IT!! (Score:2, Insightful)
Re: (Score:2)
Hm, seems to me that other programs had this too. Like VLC!!
Nice FUD... neither of TFAs mentioned VLC or VideoLan player. I checked.
So, citation needed.
Re: (Score:2)
A surprisingly large number of popular applications — including Quicktime, Foxit Reader, Google Picasa, OpenOffice.org, RealPlayer, and VLC Player — all neglect to use one or the other, a recent review by Secunia found.
Guess what? I don’t CARE. Bulletproof code doesn’t need DEP/ASLR, and shitty code (as we’ve seen) can manage to use DEP/ASLR and still be exploitable.
DEP is not a mandatory security feature. It is an opt-in feature to help avoid buffer underrun. As buffer underrun is always caused by badly-written code in the first place, DEP is a feature by which lousy programmers can try to protect themselves from their own lousy code.
If you want to produce a quality, stable, well-written application (su
Re: (Score:2)
Just for the record, your excessive use of ALL CAPS and exclamation points!! does not benefit the argument that your posts are not FUD.
Re: (Score:2, Funny)
Re: (Score:2)
Apple bills itself as the quality option, so how can it be accidental that the Windows versions of each of their software products be so horrible on so many metrics?
The only question is, does the shitty shitness of their shit reflect intentional malice, or intentional apathy?
Re: (Score:1)
I don't like Apple products that much (especially QuickTime and the Shiny iWhatever products) but I fail to see why a grading system would need a Video/Audio decoder.
Re: (Score:2)
you fail to see how a color grading system would need an a/v decoder?
Re: (Score:2)
Re:what the hell is quicktime! (Score:4, Informative)
Re: (Score:2)
The unfortunate thing is that if you've got an iAnything, you probably use Quicktime too. iTunes, as you mentioned, uses Qt, but Qt also silently installs a browser plug-in (the attack vector used in the article) that takes over not just video playback but even things like image rendering.
Re: (Score:2)