Slashdot Mirror


New QuickTime Flaw Bypasses ASLR, DEP

Trailrunner7 writes "A Spanish security researcher has discovered a new vulnerability in Apple's QuickTime software that can be used to bypass both ASLR and DEP on current versions of Windows and give an attacker control of a remote PC. The flaw apparently results from a parameter from an older version of QuickTime that was left in the code by mistake. It was discovered by Ruben Santamarta of Wintercore, who said the vulnerability can be exploited remotely via a malicious Web site. On a machine running Internet Explorer on Windows 7, Vista or XP with QuickTime 7.x or 6.x installed, the problem can be exploited by using a heap-spraying technique. In his explanation of the details of the vulnerability and the exploit for it, Santamarta said he believes the parameter at the heart of the problem simply was not cleared out of older versions of the QuickTime code. 'The QuickTime plugin is widely installed and exploitable through IE; ASLR and DEP are not effective in this case and we will likely see this in the wild,' said HD Moore, founder of the Metasploit Project."

162 comments

  1. ew quicktime? by w00tsauce · · Score: 1, Insightful

    People still use that garbage? That's like installing real player.

    1. Re:ew quicktime? by Anonymous Coward · · Score: 4, Funny

      Closed source.
      Apple's evil.
      Wait.
      Microsoft's evil.
      Wait.
      It's Google.
      No. Apple.
      No. Microsoft.
      Damn you evil closed source! You have me so confused as to who to hate .....

    2. Re:ew quicktime? by jonwil · · Score: 4, Informative

      Considering that QuickTime is a core component of iTunes, if you own an iPhone, iPod or iPad, it's fairly hard to avoid QuickTime and still get full advantage of your device.

    3. Re:ew quicktime? by Mr.+Slippery · · Score: 0, Troll

      Considering that QuickTime is a core component of iTunes, if you own an iPhone, iPod or iPad, it's fairly hard to avoid QuickTime

      Another outstanding reason to avoid shiny geegaws from an evil company.

      Seriously, WTF?

      --
      Tom Swiss | the infamous tms | my blog
      You cannot wash away blood with blood
    4. Re:ew quicktime? by Anonymous Coward · · Score: 1, Funny

      People still use that garbage? That's like installing real player.

      It's quite green to use garbage. And yes I'm a real player, and you can install me for a small fee.

    5. Re:ew quicktime? by Anonymous Coward · · Score: 0

      For Slashdot a troll?

      Most likely keloid scarring.

    6. Re:ew quicktime? by Techman83 · · Score: 2, Interesting

      iTunes without QuickTime Get iTune Not necessarily. I don't own one, but a few of my friends have iDevices and the only way I'll support them is if they let me install itunes this way!

      --
      # cat /dev/mem | strings | grep -i cat
      Damn, my RAM is full of cats. MEOW!!
    7. Re:ew quicktime? by Idiomatick · · Score: 2, Informative

      MS is bad for OSS' ideals and goals most of the time.

      Apple is bad for OSS' ideals and goals. Also bad for nerd ideals and goals. And bad for computers in general. Seriously, iTunes in past has acted like malware same w/ quicktime.

      Google is actually good. BUT the potential for evil that they have is so incredibly huge that it would make anyone paranoid. So people keep their eyes on it.

    8. Re:ew quicktime? by profplump · · Score: 2, Insightful

      Is QuickTime really that bad? I understand the objection to "claim all file types", but that's true of all commercial A/V systems. Beyond that, is there anything in particular I should object to about QuickTime, or is it just random Apple hate?

    9. Re:ew quicktime? by vlueboy · · Score: 3, Interesting

      Another outstanding reason to avoid shiny geegaws from an evil company.

      To be fair, the flaw is almost a first for Quicktime --an ancient product line predating iProducts, back when "multimedia" came in big letters on all home computers and all videos on the web were MPEG or MOV downloads. What is so bad is how we sleep in our laurels and wake up to find that we falsely associated safety with it because QT ran on a little targeted OS before it was ported to Windows...

      IIRC, Apple isn't the number one seller of smartphones nor MP3 players, or distributor of Windows Multimedia readers. Yet it's generating enough attention to get exploited. Even if you and I don't own recent apple products, we have been falling in a parallel situation and taking it for granted again: all those free Google clients downloaded over the years have become a juicy target. All we need is someone to find a weak spot.

      Scratch that! All we need is an unlikely "someone" among that small group who will PUBLISH the weak spot of that juicy target. All the others just exploit it for months without us being the wiser.

    10. Re:ew quicktime? by Stupendoussteve · · Score: 2, Informative

      Good thing they're not running Windows or Internet Explorer.

      Victim prerequisites:

      * Internet Explorer.
      * XP,Vista,W7.
      * Apple Quicktime 7.x, 6.x ( 2004 versions are also vulnerable, older versions not checked )

    11. Re:ew quicktime? by Techman83 · · Score: 3, Informative

      IMO Opinion quicktime causes windows to slow down and also likes to install background services. The Quicktime Alternative is just far less bloated and seems to work just as well. Also you aren't forced to use the quicktime player, it just behaves like any other normal video codec.

      --
      # cat /dev/mem | strings | grep -i cat
      Damn, my RAM is full of cats. MEOW!!
    12. Re:ew quicktime? by Techman83 · · Score: 0, Offtopic

      Offtopic note: Answering slashdot posts whilst taking hell desk calls doesn't always work as expected ;)

      --
      # cat /dev/mem | strings | grep -i cat
      Damn, my RAM is full of cats. MEOW!!
    13. Re:ew quicktime? by Stupendoussteve · · Score: 1

      Misread parent, although not using IE is still pretty standard, no?

    14. Re:ew quicktime? by Anonymous Coward · · Score: 0

      iTunes is garbage. Use a real media organiser/player.

    15. Re:ew quicktime? by pspahn · · Score: 1

      Well someone has figured out the purpose of a double rainbow.

      --
      Someone flopped a steamer in the gene pool.
    16. Re:ew quicktime? by Anonymous Coward · · Score: 0

      Apple fanboys downvoting the truth because they can't accept it? How surprising.

    17. Re:ew quicktime? by Anonymous Coward · · Score: 0

      Yes.

      I used to think that it is just the windows version, but when I had the displeasure of using it on a mac it turned out to be the same obnoxious slow bloated pile of shit.

    18. Re:ew quicktime? by Anonymous Coward · · Score: 0

      Offtopic note: Answering slashdot posts whilst taking hell desk calls doesn't always work as expected ;)

      hell desk??? are your users that bad?

    19. Re:ew quicktime? by Vectormatic · · Score: 1

      try updating itunes without getting all sorts of apple crapware on your system...

      My GF updated itunes a while back on my laptop to sync her iphone, and suddenly i had safari installed...

      and yes, i know my own flaws here:
      1) let my GF on my laptop
      2) own an ipod, thus needing itunes
      3) running windows on my laptop

      at the very least 2 will be corrected pretty soon (same for her iphone, she wants android now..)

      --
      People, what a bunch of bastards
    20. Re:ew quicktime? by node_chomsky · · Score: 0, Troll

      It's interesting that my apple (running quick time) has none of these problems. I guess it's their shitty engineering that makes my computer so stable and operational. If you think Apples are less conducive to nerdery and functionality compared to most other options, you are amazingly unobservant. If you think Microsoft has any advantage to either of those two qualities, you are stupid and gullible. If you think 90% of the world's population has any chance of successfully installing, using, and maintaining any stable distro of Linux, you should try to help my grandmother find the word count on her computer sometimes, it will open your eyes to what level most of the worlds people compute on.

    21. Re:ew quicktime? by Gilmoure · · Score: 1

      Apple kicked my dog and slept with my girl friend.

      --
      I drank what? -- Socrates
    22. Re:ew quicktime? by darkpixel2k · · Score: 2, Insightful

      I guess it's their shitty engineering that makes my computer so stable and operational.

      Yeah. Yesterday, I plugged a Mac laptop into a projector. Apparently the Mac needs to reboot after detecting new hardware or something--so it immediately rebooted without prompting, notifying, or even asking me to save. Apple is so awesomely user-friendly. That must be their engineering commitment to build a stable and operational computer.
      Anyways--while the mac was busy rebooting, I plugged my linux laptop in. It immediately started working.

      --
      There's no place like ::1 (I've completed my transition to IPv6)
    23. Re:ew quicktime? by DJRumpy · · Score: 1

      Why do you say that? The exposure is in the OS. Although the software may have exposed it, the vulnerability lies with MS to fix.

      Apple fanboys downvoting the truth because they can't accept it? How surprising.

    24. Re:ew quicktime? by initdeep · · Score: 1

      are you seriously that stupid?

      you think that the exploit, which is in Quicktime, is MS's fault?

      so do you say the same thing about it being apple's fault when a program by adobe is used to exploit OSX in the yearly pwn2own?

      newsflash.

      it's an apple problem, regardless of the desires of the apple fandom.

    25. Re:ew quicktime? by DJRumpy · · Score: 2, Interesting

      Yes I do believe that the exposure in the PDF problem was Apple's fault due to a flaw in iOS. You might also recall (or maybe not given your response) that Apple closed that exposure (not Adobe).

      The owner of the exposure was clear, just as it is clear in this case. If ASLR and DEP fails to protect against such an exposure, they are flawed.

    26. Re:ew quicktime? by Anonymous Coward · · Score: 1, Funny

      it's an apple problem, regardless of the desires of the apple fandom.

      I certainly hope all of the blackhats will take such a responsible stance and own up to any such flaws in their malware...

    27. Re:ew quicktime? by aristotle-dude · · Score: 0, Troll

      I guess it's their shitty engineering that makes my computer so stable and operational.

      Yeah. Yesterday, I plugged a Mac laptop into a projector. Apparently the Mac needs to reboot after detecting new hardware or something--so it immediately rebooted without prompting, notifying, or even asking me to save. Apple is so awesomely user-friendly. That must be their engineering commitment to build a stable and operational computer.

      Anyways--while the mac was busy rebooting, I plugged my linux laptop in. It immediately started working.

      That's an interesting story.. what's that I smell? It smells like bullshit. Are you sure that it wasn't your "linux" laptop dual-booted into windows?

      --
      Jesus was a compassionate social conservative who called individuals to sin no more.
    28. Re:ew quicktime? by Anonymous Coward · · Score: 2, Informative

      To be fair, the flaw is almost a first for Quicktime --an ancient product line predating iProducts, back when "multimedia" came in big letters on all home computers and all videos on the web were MPEG or MOV downloads. What is so bad is how we sleep in our laurels and wake up to find that we falsely associated safety with it because QT ran on a little targeted OS before it was ported to Windows...

      What on earth are you talking about?

      http://secunia.com/advisories/product/5090/

    29. Re:ew quicktime? by emocomputerjock · · Score: 1

      Quicktime does not properly use either ASLR or DEP. The application is at fault.

    30. Re:ew quicktime? by DJRumpy · · Score: 2, Informative

      So any application (including malware) that does not use ASLR or DEP gets a free pass vulnerability? You don't elect to use these things. They are a keystone of the OS Security, not some feature you 'opt into'.

    31. Re:ew quicktime? by emocomputerjock · · Score: 1

      If the attack is using a third party application that does not properly implement the security features available, then the application is at fault.

    32. Re:ew quicktime? by lordDallan · · Score: 2, Interesting

      Anyone have facts to back this up? Not trying to jump down anyone's throat. Genuinely curious if this has been measured.

      Also curious if this exploit really only affects IE? If it doesn't affect FireFox doesn't that mean that IE is also part of the problem?

    33. Re:ew quicktime? by DJRumpy · · Score: 2, Insightful

      So by your reasoning, all hackers properly implement security features?

      Do you even know what ASLR and DEP are? They are not 'features' that an app uses. They are built into the OS. If the OS can be exploited to bypass these then the exposure lies in the OS.

      You seem to be missing the disconnect between what you're saying and reality. If bypassing OS security was as simple as 'not properly implementing the security features available', then hackers' jobs would be all too easy. They could simply opt-out of using things like Virus Scan, Firewalls, Permissions, ASLR, or DEP.

    34. Re:ew quicktime? by emocomputerjock · · Score: 1

      They're exploiting a third-party application using an exploit in the application. The application is at fault.

    35. Re:ew quicktime? by Anonymous Coward · · Score: 0

      Quicktime --an ancient product line predating iProducts, back when "multimedia" came in big letters on all home computers and all videos on the web were MPEG or MOV downloads.

      Quicktime existed when "videos" on the web were still animated GIFs.

      Lars T.

    36. Re:ew quicktime? by Civil_Disobedient · · Score: 0, Flamebait

      Is QuickTime really that bad?

      YES YES YES JESUS FUCKING CHRIST FOR THE LOVE OF GOD YES!

      Do MP3s cause my system to crash/hang/consume ginormous resources just for the sake of existing? No! Why not? Because it's a fucking codec. But with Quicktime, you've got to have a fucking Control Panel extension. For what? What in the hell could possibly necessitate a separate, specific control panel extension?

      And the installer? ~30 Megs of what exactly? I could load every popular and not-very-popular codec on my computer, mkv splitters, ac3 decoders, all kinds of useless crap, and it wouldn't take half the space that Quicktime requires. Again... FOR WHAT? Did Apple write the installer in JavaScript?

      Quicktime and iTunes are a JOKE. A sick, twisted, D-minus-in-any-programming-class joke.

    37. Re:ew quicktime? by dwightk · · Score: 1

      Is the "interesting" mod referring to how interesting it is that you are bad at understanding/discovering causes?

      --
      Like anyone can even know that
    38. Re:ew quicktime? by konohitowa · · Score: 1

      Mod parent up: +1, Bullshit

    39. Re:ew quicktime? by Culture20 · · Score: 1

      and yes, i know my own flaws here:
      1) let my GF on my laptop
      2) own an ipod, thus needing itunes
      3) running windows on my laptop

      at the very least 2 will be corrected pretty soon (same for her iphone, she wants android now..)

      Bravo for dumping Windows, but don't you think dumping your GF is a little harsh? ;)

    40. Re:ew quicktime? by Idiomatick · · Score: 1

      "If you think 90% of the world's population has any chance of successfully installing, using, and maintaining any stable distro of Linux, you should try to help my grandmother find the word count on her computer sometimes, it will open your eyes to what level most of the worlds people compute on."

      Where was it that I said linux was good for grandmothers? Or anything about linux OR grandmothers. Geez.

    41. Re:ew quicktime? by Idiomatick · · Score: 1

      That's hilarious. I could design an app on any current OS that could do bad things. Do you really expect an OS to protect itself from explicitly trusted programs? How could it even do that without psychic powers? I'm certain an app that deletes every document on the computer would work in every OS... the computer doesn't know that you didn't intend for that to happen...

    42. Re:ew quicktime? by Anonymous Coward · · Score: 0

      Offtopic note: Answering slashdot posts whilst taking hell desk calls doesn't always work as expected ;)

      hell desk??? are your users that bad?

      No, it's fairly common for Tier 1 help desk people to call it that. Of course, they tend to just escalate anything semi-difficult anyway, so I'm not sure why.

      Oh, and an aside to Techman83: Stop fucking around on Slashdot when you're supposed to be working - *especially* if you have difficulties as a result, as you indicate in your post. I'm sure it's not just the quality of your Slashdot posts that are suffering.

    43. Re:ew quicktime? by Techman83 · · Score: 2, Insightful

      My facts are my personal experiences over the years, so take that as a testimonial of some random Internet user. But for a better and more complete explanation the quicktime alternative was written for a reason and the facts stated here may go a long way to let you know why. I mean seriously a picture viewer? Also, why on earth would I want a _Video Codec_ to install a system service for updating and another one for making quicktime load faster for that 1 time every six months I'll use it. Applications that behave in this manner are a personal pet hate of mine (I repackage applications for a living) and Apple are big culprits for doing this (they are not alone here, I'm looking at you Adobe).

      --
      # cat /dev/mem | strings | grep -i cat
      Damn, my RAM is full of cats. MEOW!!
    44. Re:ew quicktime? by mjwx · · Score: 1

      Is the "interesting" mod referring to how interesting it is that you are bad at understanding/discovering causes?

      Apple refuses to follow standards and does not have a decent framework for introducing new hardware. Cause discovered and understood.

      Having supported Macs in a professional capacity I have seen multiple examples of what the GP is talking about but Mac users tend to pretend that their machine didn't reboot when they plugged in a new bit of kit.

      To get back on topic, I avoid quicktime like the plague as it's more bug ridden and vulnerable than anything produced by Adobe and almost as bad as IE6 itself. Of course Apple insists on foisting Quicktime upon people by tying it into Itunes so I avoid all Apple products altogether. Itunes should not require Quicktime, Bonjour or the other 30 odd components it installs.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    45. Re:ew quicktime? by darkpixel2k · · Score: 1

      Is the "interesting" mod referring to how interesting it is that you are bad at understanding/discovering causes?

      What do I care about the cause? Who cares if it's a null pointer or other bizarre issue in the Mac? The point is, one crashed and the other didn't. I find it funny that the mac fanboy is talking about how Macs are so damn stable, they were designed by Jesus himself--yet I had the exact opposite experience. (And I'm perfectly fine admitting that I have had tons of trouble in the past with Ubuntu and external monitors. I was actually surprised it worked.)

      --
      There's no place like ::1 (I've completed my transition to IPv6)
    46. Re:ew quicktime? by darkpixel2k · · Score: 1

      That's an interesting story.. what's that I smell? It smells like bullshit. Are you sure that it wasn't your "linux" laptop dual-booted into windows?

      You're right--I often confuse blue screens with core dumps.

      --
      There's no place like ::1 (I've completed my transition to IPv6)
    47. Re:ew quicktime? by cbhacking · · Score: 1

      Malware implies code already executing on your machine. By the time you get that far, DEP and ASLR are already bypassed; their purpose is to prevent the execution of such code in the first place. There are other things one can do to mitigate the damage, such as limited permissions and sandboxing, but you're comparing apples to oranges here. DEP and ASLR make exploits more difficult. Malware is something that exploits (or stupid users) install. Malware could quite happily opt in to DEP and ASLR; it wouldn't change anything.

      However, non-malicious software developers can choose to opt-in to these features in order to provide an extra layer of security against exploits. That's what DEP and ASLR are: extra layers of security, neither an absolute barrier to attack nor a "keystone of the OS Security" as you put it. They just make successful exploits much more difficult. The principle is called Defense in Depth, and if you know anything about security of any kind you'll be familiar with the notion.

      As for why they're opt-in rather than opt-out (or unavoidable) the problem is that they are not completely non-breaking changes to the OS behavior. Some applications will crash or otherwise fail to work if they are run with DEP, or their libraries are loaded with ASLR. Those programs and libraries are poorly written by modern standards, but then again, if they'd been written correctly in the first place DEP and ASLR would be irrelevant because they wouldn't have security vulnerabilities in the first place.

      --
      There's no place I could be, since I've found Serenity...
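The opt-in described in the comment above is recorded per module in the PE header's DllCharacteristics field, so a defender can inventory which loaded modules lack it. This is an added example, not code from the thread or from any commenter; the module names and header bytes are constructed samples.

```python
import struct

# Flag values from the PE/COFF specification (winnt.h names).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # linker /DYNAMICBASE: ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # linker /NXCOMPAT: DEP opt-in
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # no relocation data in the image

# DllCharacteristics sits at the same offset in PE32 and PE32+ optional headers.
DLLCHAR_OFFSET = 70


class NotPE(ValueError):
    """Raised when the buffer is not a parseable PE image."""


def read_mitigation_flags(data: bytes) -> dict:
    """Return the DEP/ASLR opt-in state recorded in a PE image's headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise NotPE("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # 4-byte signature plus 20-byte COFF header must fit in the buffer.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise NotPE("missing PE signature")
    coff = e_lfanew + 4
    size_opt, file_chars = struct.unpack_from("<HH", data, coff + 16)
    opt = coff + 20
    if size_opt < DLLCHAR_OFFSET + 2 or opt + DLLCHAR_OFFSET + 2 > len(data):
        raise NotPE("optional header too short")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32, PE32+
        raise NotPE("unknown optional header magic")
    (dll_chars,) = struct.unpack_from("<H", data, opt + DLLCHAR_OFFSET)
    return {
        "dep_opt_in": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "aslr_opt_in": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "relocs_stripped": bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED),
    }


def audit(modules: dict) -> dict:
    """Map each module name to the mitigations it fails to opt in to."""
    findings = {}
    for name, data in modules.items():
        flags = read_mitigation_flags(data)
        missing = []
        if not flags["dep_opt_in"]:
            missing.append("DEP (NX_COMPAT not set)")
        if not flags["aslr_opt_in"]:
            missing.append("ASLR (DYNAMIC_BASE not set)")
        elif flags["relocs_stripped"]:
            # Flag is set, but without relocation data the image cannot be moved.
            missing.append("ASLR (relocations stripped)")
        if missing:
            findings[name] = missing
    return findings


def build_sample_pe(dll_chars: int, file_chars: int = 0x0102, magic: int = 0x10B) -> bytes:
    """Build a constructed, header-only PE image for the demonstration."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, file_chars)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, DLLCHAR_OFFSET, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed sample set: hypothetical module names, synthetic headers.
SAMPLE_MODULES = {
    "hardened.dll": build_sample_pe(0x0140),
    "nx_only.dll": build_sample_pe(0x0100),
    "legacy_plugin.dll": build_sample_pe(0x0000),
    "fixed_base.exe": build_sample_pe(0x0140, file_chars=0x0103),
}

if __name__ == "__main__":
    for module, gaps in audit(SAMPLE_MODULES).items():
        print(f"{module}: missing {', '.join(gaps)}")
```

On a real system the same function can be fed the first few kilobytes of each DLL a browser process loads; a single module without the flags is the kind of gap the comment describes.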
    48. Re:ew quicktime? by konohitowa · · Score: 1

      You've seen a MacBook do a silent reboot when plugged into a secondary monitor?

    49. Re:ew quicktime? by cbhacking · · Score: 1

      Apparently you are the one who does not understand. DEP and ASLR are features provided by the OS, but they are *NOT* universally backward-compatible features. Some apps will break if DEP is enabled. Some libraries will break if ASLR is enabled. ASLR is new enough that it's still not uncommon to find libraries which weren't coded with it in mind.

      As for "not properly implementing the security features available" you *really* should take the foot out of your mouth before you choke on it. For one thing, any application running as Admin (including most software installers) can opt out of firewall (turn it off or add an exemption; *lots* of apps or their installers do this), opt out of virus scan (non-trivial, but they could add themselves to the allowed files list or simply turn off the scanner), or opt out of permissions (change the ACLs to world-writable). Of course, this assumes that you're talking about software already executing on the computer. Once you're to this point, DEP and ASLR are irrelevant; their only purpose is to try and prevent exploits and they can do nothing once the malicious code begins to execute.

      However, "hackers" still have to find a vulnerability in the program that they are trying to execute. A firewall only protects network interfaces; if the software is properly secured it can't be compromised no matter what comes over the connection. A virus scanner only detects malicious software on the system; if there are no exploitable programs then the attacker has no way to get malicious software onto the computer in the first place (aside from social engineering, but you can't fix stupid). Permissions can limit the damage that malware or a compromised program does, but again if there's no way to compromise any programs that doesn't matter (and most XP users run as Admin anyhow).

      If the Quicktime developers hadn't left this problem in their code, there would be no problem at all.

      --
      There's no place I could be, since I've found Serenity...
    50. Re:ew quicktime? by cbhacking · · Score: 1

      Quicktime installs a handful of additional (and unnecessary) stuff. In particular, it includes an IE plug-in that not only enables viewing of Quicktime movies in the browser but also replaces handling of other media formats, including JPEG rendering. This increases the browser footprint and slows it down noticeably, or at least it did the last time I installed Quicktime (a couple years ago). Also, I'm not entirely sure if it's Quicktime or iTunes that installs Bonjour, but that definitely falls into the category of stuff I don't want a media player installing and enabling without my express consent.

      The IE plug-in can be disabled using IE's add-in manager. I don't know whether Quicktime installs a Firefox plug-in as well, or not. If it does, the odds are that it is also exploitable. If not, you're probably fine unless you download the file and open it directly.

      --
      There's no place I could be, since I've found Serenity...
    51. Re:ew quicktime? by mjwx · · Score: 1

      You've seen a MacBook do a silent reboot when plugged into a secondary monitor?

      Worse, I've seen an Imac do a "silent" (what's silent about it, it's quite obvious what happened) reboot when a USB thumb drive was plugged into it.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    52. Re:ew quicktime? by cbhacking · · Score: 1

      To be fair, the flaw is almost a first for Quicktime

      Uh... Secunia would beg to differ. 56 advisories, each of which may cover multiple vulnerabilities. There are 136 reported vulnerabilities (across 27 advisories) in Quicktime 7.x alone. The oldest reported vulnerability in Secunia's database is for Quicktime 3. It's not the worst record ever, but it's hardly valid to claim that this flaw is "almost a first" in any way.

      --
      There's no place I could be, since I've found Serenity...
    53. Re:ew quicktime? by Vectormatic · · Score: 1

      well, i have her convinced that android is better than getting a new iphone (and it didn't even take any brainwashing techniques), so dumping won't be needed :)

      (kidding, of course.. when we got together she had a windows mobile phone, and had just bought a laptop with vista... i honestly don't care too much)

      --
      People, what a bunch of bastards
    54. Re:ew quicktime? by clone53421 · · Score: 1

      Except that you’re completely wrong, of course.

      ASLR and DEP are not “keystone OS security” features designed to protect the OS from malicious applications.

      They are, in fact, “opt-in” security features designed to protect applications from malicious input which could cause a buffer underrun (and this is always an application error, not an OS error).

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    55. Re:ew quicktime? by cthulhu11 · · Score: 1

      This has never happened to me.

    56. Re:ew quicktime? by Anonymous Coward · · Score: 0

      That's interesting.

      Just two days ago I plugged in my 2007 MacBook Pro to my TV (via DVI-RGB) and the OS automatically noticed it and used it as a second monitor.
      When I was done I unplugged it and the second monitor was removed from the OS.
      No reboots at any time.

      I'll keep my shitty mac hardware.

      With an auto reboot I'm guessing the projector shorted something.

    57. Re:ew quicktime? by jo_ham · · Score: 1

      Did Fox News write that one for you?

      -1 total fabrication.

  2. Quick! by schmidt349 · · Score: 0, Offtopic

    Can someone please print out and mail this article to Alanis Morissette so she knows what irony is?

    1. Re:Quick! by Concerned+Onlooker · · Score: 1

      It's like 10,000 PCs when all you need is a Mac.

      --
      http://www.rootstrikers.org/
    2. Re:Quick! by MichaelSmith · · Score: 3, Funny

      Or free software when you've already paid.

    3. Re:Quick! by Vectormatic · · Score: 1

      it is a critical vulnerability fix, two minutes to late

      --
      People, what a bunch of bastards
    4. Re:Quick! by TangoMargarine · · Score: 1

      it is a critical vulnerability fix, two minutes too late

      Homonym irony?

      --
      Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
    5. Re:Quick! by Anonymous Coward · · Score: 0

      Isn't that ironic.

  3. PS by schmidt349 · · Score: 1

    From the article: "The result of the problem is the creation of what amounts to a backdoor in the QuickTime code, Santamarta said. 'WATCH OUT! Do not hype this issue beyond it deserves...'"

    Looks like we already missed the boat on that one.

    1. Re:PS by clone53421 · · Score: 2, Informative

      Perhaps you should have quoted the next sentence:

      This time Backdoor != malicious code but a horrible trick a developer implemented during the development cycle.

      It’s still a backdoor, and it can still be maliciously exploited. It’s just that it was apparently not put there to intentionally be malicious.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  4. Itunes requires quicktime by rsborg · · Score: 2, Informative

    I'd say it's almost as widely installed as Adobe Reader. Here's a guesstimate answer as to how many copies there are (numbers are old)

    --
    Make sure everyone's vote counts: Verified Voting
    1. Re:Itunes requires quicktime by Lehk228 · · Score: 4, Insightful

      bonzi buddy was pretty widely installed too.

      --
      Snowden and Manning are heroes.
  5. Quicktime Uninstalled by dustinsherrill · · Score: 1

    I have now uninstalled the Quicktime player. Would Quicktime Alternative be any safer? Seems Apple has had a rash of security issues lately.

    1. Re:Quicktime Uninstalled by bakamorgan · · Score: 1

      There was a news article a ways back that stated that apple had more security holes than M$. Guess no one got the hint.

    2. Re:Quicktime Uninstalled by Anonymous Coward · · Score: 1, Informative

      Would Quicktime Alternative be any safer?

      "QuickTime Alternative consists of codec libraries extracted from the official distribution, including the official QuickTime plugin required for playing QuickTime files (.MOV and others)"

    3. Re:Quicktime Uninstalled by Anonymous Coward · · Score: 0

      QT Alternative & Lite seem to be dead and outdated now. I installed Alternative once in 2007 and IIRC it allowed you to choose the plugins to install (IE, Mozilla, WMP). Anyway, I imagine you can just manually delete the browser plugins for QT if you desired to keep it.

    4. Re:Quicktime Uninstalled by SheeEttin · · Score: 1

      I'm gonna plug VLC here.
      Free, open-source, plays just about everything. Files, streams, discs, you name it. Also does conversion (apparently, never really tried it), streaming (VLC as the stream server, that is), and minor video editing (hue, brightness, rotation, filters, etc.; but I don't know if this is just for viewing or what). Also subtitles.

    5. Re:Quicktime Uninstalled by Anonymous Coward · · Score: 1, Interesting

      I have now uninstalled the Quicktime player. Would Quicktime Alternative be any safer? Seems Apple has had a rash of security issues lately.

      Depends on what you want it for, but VLC is always a good alternative.

      Windows 7 has basic support for playing mov files, without having to install Quicktime (and yay! for that). If you think upgrading to Win7 just for that is a bit overkill (it is of course :), your concern was security and Windows 7 is significantly better than XP overall in that regard.

    6. Re:Quicktime Uninstalled by hairyfeet · · Score: 3, Informative

      The problem is nobody uses Quicktime for actually playing media files (BTW on Windows I'd prefer Kantaris as it has the VLC core but a MUCH nicer UI IMHO) anymore but like Safari Windows users get stuck with it if they want to use their iStuff.

      That is why I've told customers unless they want a really shitty experience if they want to play with iStuff they better be ready to shell out for a Mac. The Windows version has always been completely shitty, the red headed stepchild of Apple. Sure it'll work, but it is buggier, slower, and generally more crappy in every way than the native Mac version. Personally I'll stick with my Sandisk and if I wanted all the bling bling I'd get a Cowon and since funnily enough I prefer my phone to just make phone calls and actually like typing on a keyboard I don't think I'm in any danger of getting an iPhone or iPad (damn that is the WORST name, I still can't believe Steve came up with that.)

      --
      ACs don't waste your time replying, your posts are never seen by me.
    7. Re:Quicktime Uninstalled by tokul · · Score: 1

      Would Quicktime Alternative be any safer?

      Quicktime alternative does not install alternative. IMHO it installs original Apple codecs and plugin without player/editor nagware. Probably some versions behind official Apple QT. It might have more bugs than Apple QT.

    8. Re:Quicktime Uninstalled by Anonymous Coward · · Score: 0

      Would Quicktime Alternative be any safer?

      "QuickTime Alternative consists of codec libraries extracted from the official distribution, including the official QuickTime plugin required for playing QuickTime files (.MOV and others)"

      Without the IE plugin, this bug is far harder to exploit. IIRC, QT Alt doesn't install this by default.
      It also doesn't make your system crawl by installing lots of services.

    9. Re:Quicktime Uninstalled by LordLucless · · Score: 1

      It's probably Apple getting its own back after dealing with IE and MS Office for Mac.

      --
      Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
    10. Re:Quicktime Uninstalled by arth1 · · Score: 1

      The issues with QuickTime are why I banned iTunes several years ago, and have no intentions of reverting the ban until Apple releases an iTunes that doesn't sneak-install apps that work on a system level and are accessible even when iTunes isn't running.

      Just because Microsoft is evil doesn't make Apple good. Far from it -- they're quite often one of the most rotten fruits in the barrel. Quicktime isn't just proprietary, but unsafe by design, and comes with a preferences interface that is designed to trick the user into inadvertently both "updating" and installing other software, and with planned obsolescence preventing newer version QT codecs from working with old apps (so you have to upgrade the other apps too, or replace them with alternatives from e.g. Apple).

    11. Re:Quicktime Uninstalled by clone53421 · · Score: 1

      I used to use VLC exclusively, but now I really only use it for media files that SMPlayer doesn’t like.

      I initially made the switch after somebody said that SMPlayer could be configured to require very little resources – it was about the only way I could get videos to play halfway decently on a particular computer that I was stuck using for a while. VLC wouldn’t play anything without it skipping badly on that computer even after I tried to configure it to be as minimalistic as possible.

      Main reasons for using SMPlayer now: Interface looks better; default pixel-smoothing video filter looks better; subtitles look better. Of course it has most of the same selling features as VLC... free, plays just about anything, doesn’t invade my PC with crap I don’t want, hotkeys (though different from VLC’s), lots of options. It also has a portable version.

      Come to think of it, about the only feature I’d really point out that VLC has and SMPlayer lacks is the ability to transcode media. SMPlayer does have a nice feature which dumps every frame to an image while playing (shift-D starts/stops it), which is handy for making animated gifs.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    12. Re:Quicktime Uninstalled by Gilmoure · · Score: 1

      Word 5.1a for Mac was great!

      --
      I drank what? -- Socrates
    13. Re:Quicktime Uninstalled by tlhIngan · · Score: 1

      Windows 7 has basic support for playing mov files, without having to install Quicktime (and yay! for that). If you think upgrading to Win7 just for that is a bit overkill (it is of course :), your concern was security and Windows 7 is significantly better than XP overall in that regard.

      Any proper MPEG-4 player should do, actually. After all, besides h.264 and AAC in MPEG-4, the MP4 file format is also part of the spec. And the MP4 container is a pretty substantial subset of the QuickTime MOV container. (the 3GP container is a subset of the MP4 container). The end result is getting your MP4 parser to understand MOV is a pretty trivial affair.

      The downside is, well, it only works for h.264 encoded MOVs, the Sorenson codec ones won't be supported. And most h.264 videos already use the MP4 container.

      Other than QuickTime serving as the Apple-native media playback framework, there is no need for it. Modern videos are h.264 containered in MP4, playable by anything that understands h.264/MP4. Of course, the Mac had the same thing as well - there was Windows Media Player ported to MacOS that was just as bad (so bad, Microsoft ended up telling Mac users to use a third-party product to play WMV). Probably because it also had to port the Windows DirectShow framework to Mac.

      The only real reason to have QuickTime is for the oddball MOV encoded in the pre-h.264 days.

    14. Re:Quicktime Uninstalled by ian_from_brisbane · · Score: 0

      I'd prefer Kantaris as it has the VLC core but a MUCH nicer UI IMHO)

      I decided to take a look, but they immediately lost me with this line: Kantaris has a graphical user interface similar to that of Windows Media Player.

    15. Re:Quicktime Uninstalled by hairyfeet · · Score: 1

      If you had actually bothered to look at the gallery you'd see that it really looks nothing like WMP, but whoever designed the site really didn't know how to describe it. I would say it is more of a cross between MediaMonkey with a little bit of iTunes and WMP thrown together. It is really great for managing libraries of media, and they even have a portable version that works great on a thumbstick.

      So why not give the portable a try? No need to install, if you don't like it you can just chunk it, no muss no fuss. That's how I did and ended up switching off of Songbird (got too bloated) and it seems to manage libraries a lot better than WMP IMHO. And since it is free and Open Source it isn't like it'll cost you anything.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    16. Re:Quicktime Uninstalled by ian_from_brisbane · · Score: 0

      If you had actually bothered to look at the gallery you'd see that it really looks nothing like WMP

      Yeah failed marketing since they didn't capture my interest (and actively repelled me) in the first few seconds :)

      I like VLC without extra GUI graphics, looking just like my "Windows Classic" theme intended.

    17. Re:Quicktime Uninstalled by hairyfeet · · Score: 1

      Let me see if I got this straight: You are using Windows "classic" ala the Windows 95 GUI, and are actually bitching that something has a GUI that isn't from the stone age? Wow, I thought your kind died off with Win2K. Meanwhile the rest of the world, be it Windows, OSX or Linux, has actually moved away from the Win95 GUI into desktops that...oh what is the word...oh yeah, don't SUCK. Have you ever even TRIED the modern GUI in Windows 7? Breadcrumbs, the new taskbar, useful gadgets, it is all really nice and actually makes things easier which is why everyone moved away from win95.

      But tell you what, since the Hairyfeet supports the right to be weird, allow me to introduce you to Evil Player for your audio needs and K-Lite Mega for your video needs. Evil Player has NO GUI, simply a box you drag and drop your audio in, uses less than 40Kb, and fits in great with winClassic, and K-Lite has Media Player Classic Home Cinema, which has the GUI of Media Player 6 (which fits perfectly with classic) and which I've found does hardware acceleration much better than VLC. If you have a GPU from this century you'll find MPC:HC accelerates all the major formats quite nicely. Unless of course you are still using windows Classic because you are on win98 or Win2K, in which case may God have mercy on your poor unsupported soul.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  6. Well duh. by Securityemo · · Score: 1

    This attack doesn't belong to the class of "smashing" attacks ASLR and DEP are designed to prevent. It's like expecting salted passwords to help you defend against misconfigured NFS shares.

    --
    Emotions! In your brain!
    1. Re:Well duh. by blueg3 · · Score: 4, Interesting

      This boils down to doing a heap spraying attack, and those are in the general class of exploits that ASLR (and to a lesser extent, DEP) are designed to prevent. However, it's fairly well-known at this point that ASLR can be defeated (sometimes) by well-crafted heap-spraying attacks. (Likewise, DEP can be defeated by stack-smashing using return-oriented programming.)

    2. Re:Well duh. by shutdown+-p+now · · Score: 1

      those are in the general class of exploits that ASLR (and to a lesser extent, DEP) are designed to prevent

      To be pedantic, neither of those is designed to "prevent" so much as to minimize the likelihood of successful attack. It's not like, say PHP magic quotes, rather just something to make life significantly harder for exploit writers.

    3. Re:Well duh. by Lorens · · Score: 0, Offtopic

      So why aren't people more interested in OS like KeyKOS/Eros/Coyotos/CapROS that are designed to prevent all and any attacks while simplifying programming and maintaining or even increasing usability?

    4. Re:Well duh. by M.+D.+Kristopeit · · Score: 0

      To be pedantic, neither of those is designed to "prevent" [...] It's just something to make life significantly harder for exploit writers.

      to be pedantic, life will only be significantly harder for a single exploit writer for a fixed amount of time... then the world will have access to a functioning exploit and anyone can copy it at their whim, and life is back to being significantly harder only for the architects of ASLR and DEP, who now have to explain why the preventative measures they were paid to create no longer prevent anything.

    5. Re:Well duh. by Anonymous Coward · · Score: 0

      I'm trying to follow along here, help me out.

      1. Attack doesn't belong into the "smashing" class that ASLR and DEP help prevent.
      2. ??????????????
      3. Why aren't people interested in this <magic bullet>?

    6. Re:Well duh. by Anonymous Coward · · Score: 1, Interesting

      Indeed, ROP is fun and the easiest technique to exploit classical buffer overflow bugs right now, but this is only because the compiler is too lax at implementing canaries and ASLR is crap.

      ASLR when performed right is unbeatable in the same way as 256-bit key encryption is, and I think the final nail on the code execution coffin will be full ASLR rather than DEP and Stack protection. The problem is that ASLR as shipped right now in most systems is far too weak and in some places it doesn't exist at all, giving the attacker a known environment. In certain circumstances, data corruption is as good as data execution - if it can be done in a predictable way, the game is over.

      Full heap randomization and good canary protection should be priorities for the OSes which aren't doing it right now. Linux, for all its security aura is particularly shameful. Apparently keeping your data from organized crime isn't worth a 10% speed-down in Phoronix.

    7. Re:Well duh. by cbhacking · · Score: 5, Informative

      More to the point, this attack uses ROP (which, as you say, defeats DEP) but it does it using bits of code, called "gadgets", that are part of a library which is loaded without ASLR. Even though the browser itself is using ASLR, some of its libraries will be loaded at known locations, which is what makes this attack work. That's not exactly defeating ASLR so much as it is taking advantage of the fact that it isn't universally used yet, kind of like the way some legacy programs aren't DEP-compatible.

      For the time being, ASLR is only opt-in; if a library doesn't mark itself as ASLR-compatible, the loader will put it at its preferred base address. Or at least, it will try to. The fact is that dynamically linked libraries can never guarantee that their preferred address range is available, and therefore should never assume that they are at a given location in memory. In fact, most of them don't... but they still don't have the opt-in flag, either because they're old or because the developer didn't set it. I wonder how hard it would be to simply *force* ASLR by telling each library, as it loads, that its preferred address is simply unavailable and it's going to be stuck someplace else...

      --
      There's no place I could be, since I've found Serenity...
    8. Re:Well duh. by shutdown+-p+now · · Score: 1

      Exploits get patched eventually. If this increases the time it takes between a patch and a new exploit, wouldn't you say it is still worth it?

    9. Re:Well duh. by Anonymous Coward · · Score: 0

      Because next to no one writes software for said platforms? It's a natural monopoly.

    10. Re:Well duh. by M.+D.+Kristopeit · · Score: 0

      and now you're left with a product full of useless code whose only purpose was to delay something that has already happened... but at the same time, there are still users of the software that rely upon that code to work, so removing it is also not an option.... and what happens when software is forced to continue including deprecated procedural code that does nothing except not break the system as long as it isn't removed? the user experience suffers.

      <schwartzenegger>it's a tumor.//

    11. Re:Well duh. by KiloByte · · Score: 1

      In fact, neither ASLR nor DEP can ever prevent an attack. They can at most minimize the damage, turning running arbitrary code into a mere DoS.

      With or without ASLR or DEP, you still need to fix the underlying security hole.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    12. Re:Well duh. by drinkypoo · · Score: 1

      wonder how hard it would be to simply *force* ASLR by telling each library, as it loads, that its preferred address is simply unavailable and it's going to be stuck someplace else...

      it would be real easy and this is probably precisely how it's done, at least, only libraries which are relocated at all get ASLR. It's not done universally because some [improperly written] libraries crap themselves when you do this.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    13. Re:Well duh. by fast+turtle · · Score: 1

      From what I recently read in regards to DEP/ASLR testing, the Apple Devs are simply being effen lazy or stupid as quicktime doesn't even use ASLR according to the graphic on this page http://taosecurity.blogspot.com/2010/07/secunia-survey-of-dep-and-aslr.html

      Note that I'd seen this graphic last week (don't recall if Eweek or other). I hate to say it but it's really bad when Adobe is actually responding to the issue by fixing their software unlike Apple. My understanding is that following an ASLR design standard does not prevent software from using known address spaces. All it does is ensure that the software does not break when thrown into a mandatory ASLR environment.

      --
      Mod me up/Mod me down: I wont frown as I've no crown
  7. Steve Jobs says by Anonymous Coward · · Score: 0

    Just get a Mac. No big deal.

    1. Re:Steve Jobs says by iPhr0stByt3 · · Score: 1, Funny

      Just Get a Mac. And if you don't we'll keep "accidentally" leaving backdoors in our software for windows.

    2. Re:Steve Jobs says by vistapwns · · Score: 1

      Yea it's ironic how Apple talks so much about Windows malware, I wonder how much of it got in through Apple software that is poorly coded and/or doesn't opt-in to Windows security technologies.

      --
      "...I think the Microsoft hatred is a disease." - Linus Torvalds
    3. Re:Steve Jobs says by Rockoon · · Score: 1

      I don't understand why that is modified troll.

      Apple bills itself as the quality option, so how can it be accidental that the Windows versions of each of their software products be so horrible on so many metrics?

      The only question is, does the shitty shitness of their shit reflect intentional malice, or intentional apathy?

      --
      "His name was James Damore."
    4. Re:Steve Jobs says by Anonymous Coward · · Score: 0

      Of the two commercial PC OSes, Mac OS X is the one clearly ages behind in security technology.
      All the technologies you hear about in this article? Apple started implementing half-cooked versions of them in Snow Leopard.
      It isn't all that surprising of a company that shipped a cooperative-multitasking system until 2001 and is now selling a single-task OS.
      One day, they'll reintroduce the Apple II with polished titanium casing and say it's technologically superior to IBM Quantum Computers, and the funny thing is it will outsell the latter.

  8. not the plugin by YesIAmAScript · · Score: 1

    You can turn off the browser plugin.

    --
    http://lkml.org/lkml/2005/8/20/95
  9. it'll probably be a while till this one's fixed... by Anonymous Coward · · Score: 0

    apple don't have too much interest in supporting their legacy stuff in windows.

    hell, i ran a PC based grading system that quicktime update broke on several occasions. i've had to roll back quicktime installs more than a few times.

    but if they do consider fixing this, while they've got everything open, they can look at the colour inaccuracies and implementing a ProRes encoder in windows.

    i think this exploit will stay around indefinitely. there's not a mac fanboy in the world who wouldn't say this is actually a windows problem, not an apple one.

  10. ru kidding? by 4d3fect · · Score: 0

    Quicktime? Windows?

  11. Full advantage? by Anonymous Coward · · Score: 1, Funny

    If you own an iPhone, iPod, or iPad, it's fairly hard to get full advantage of your money.

    1. Re:Full advantage? by sortadan · · Score: 1

      If apple would stop forcing people to install their stupid software just to use a phone maybe 'pc' wouldn't have such a hard time of it...

      for a default itunes+quicktime install on 64bit windows open cmd.exe as admin (right click is your friend) and type this:

      regsvr32 /u "C:\Program Files (x86)\QuickTime\QTPlugin.ocx"

    2. Re:Full advantage? by TheRaven64 · · Score: 2, Interesting

      The thing I love about the iPhone is the lack of OS X integration. It works via iTunes, just like an iPod, meaning that you have to plug in a cable to sync. Meanwhile, almost every other phone (including my last four, two from Ericsson and two from Nokia), sync via bluetooth in iSync, so you just put them in the same room as the Mac and click on the 'sync now' button in the top-right of the menu bar. All of your calendars, contacts, and notes are sync'd. You can transfer photographs and other files by browsing the device in the Bluetooth File Transfer thing and dragging them to or from Finder windows, or you can send them via OBEX from the phone and have them appear automatically in a folder that you designate.

      It's almost like the iPhone team had never actually used a Mac.

      --
      I am TheRaven on Soylent News
    3. Re:Full advantage? by Anonymous Coward · · Score: 1, Funny

      open cmd.exe as admin (right click is your friend) and type this:

      Opening command prompts and typing weird commands? Nobody's going to remember this crap. Windows has a long way to go before it's ready for the desktop!

    4. Re:Full advantage? by Anonymous Coward · · Score: 0

      That's amazing! You don't even have to pair them first? How do they know which computer is yours?

      I always have to plug my cable in, which is horrible AND I have to make sure my computer is on. You think they could just figure all of this out for me...

    5. Re:Full advantage? by Anonymous Coward · · Score: 0

      You can transfer photographs and other files by browsing the device in the Bluetooth File Transfer thing and dragging them to or from Finder windows, or you can send them via OBEX from the phone and have them appear automatically in a folder that you designate.

      And people wonder why the average Joe finds Linux daunting and the year of the Linux Desktop never seems to arrive.

      iTunes comes on all Macs, meaning you plug in your phone, iTunes launches, and it syncs automatically. That includes all files, movies, music, applications, calendars, email accounts, contacts, notes, etc. Even your backups are automatic.

      No enabling bluetooth, key pairs, browsing to folders (either via OBEX or Explorer).

      It's almost like you've never used iTunes...

    6. Re:Full advantage? by TheRaven64 · · Score: 3, Informative

      You make it sound like pairing the device is hard, but it's a simple wizard that takes about 10-15 seconds to run. It then needs to run once and that's it. Any time your phone is in the same room as the phone, you can sync just by hitting the 'sync now' button. No need to find the cable or connect it.

      I used to own an iPod, so I'm familiar with using iTunes for syncing. I plugged my iPod into my computer occasionally, but it was always a hassle. In contrast, the phone that I had at the time was always sync'd because I could initiate the sync while I was at my computer but my phone was still in my coat pocket hanging up.

      If I take a picture with my phone, I can select it and say 'send via bluetooth' on the phone, select my computer, and it appears on my computer. Again, no need for a cable, no need for a full sync. It's as easy as sending an MMS, as long as the computer is in the same room as the phone.

      Before the iPhone was launched and Apple decided to cripple every other device because the iPhone couldn't keep up, I got an on-screen notification whenever someone dialed my phone and I could send SMS and dial the phone from within Address Book. I can't do that with recent versions of OS X without a third-party app, because the iPhone can't do any of it and Apple didn't want their phone to look quite as bad as it is.

      --
      I am TheRaven on Soylent News
    7. Re:Full advantage? by TangoMargarine · · Score: 1

      You guys are arguing whether it's more bothersome to set up a one-time sync or to plug in a device each time you use it? Jesus f*cking Christ we're pampered these days. Oh no, I have to park my Ferrari two whole parking spaces away from the door to go get my caramel macchiato...

      --
      Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
  12. Kinda disappointed by OneoFamillion · · Score: 1

    At first I thought "Ruben Santamarta of Wintercore" was his name. I also considered this awesome.

    1. Re:Kinda disappointed by Anonymous Coward · · Score: 0

      You're a moron, how could someone be named the same as a company

  13. what the hell is quicktime! by Anonymous Coward · · Score: 0

    I've got a mac and I still don't use quicktime. VLC anyone?

    1. Re:what the hell is quicktime! by TheRaven64 · · Score: 3, Informative

      If you've got a Mac, you almost certainly do use QuickTime. You may not use the QuickTime Player front-end, but a lot of other Mac apps use the underlying frameworks for media playback. Any time a Cocoa app goes beep, it's using the NSSound object (maybe wrapped in the NSBeep() function), and NSSound uses QuickTime for audio decoding. iTunes uses it for playing back music, Safari uses it for video and audio, iMovie uses it for playback and encoding, and so on. Unless you boot into single-user mode and then bring the machine up without launching the window server, odds are that you use QuickTime regularly.

      --
      I am TheRaven on Soylent News
    2. Re:what the hell is quicktime! by cbhacking · · Score: 1

      The unfortunate thing is that if you've got an iAnything, you probably use Quicktime too. iTunes, as you mentioned, uses Qt, but Qt also silently installs a browser plug-in (the attack vector used in the article) that takes over not just video playback but even things like image rendering.

      --
      There's no place I could be, since I've found Serenity...
  14. Re:it'll probably be a while till this one's fixed by bell.colin · · Score: 1

    I don't like Apple products that much (especially QuickTime and the Shiny iWhatever products) but I fail to see why a grading system would need a Video/Audio decoder.

  15. This is why people love Apple! by Anonymous Coward · · Score: 1, Funny

    People love Apple for this stuff, though.

    No more screwing around bypassing ASLR or DEP, even the exploit code Just Works.

  16. Working..somewhat by Airborne-ng · · Score: 1

    Successfully created meterpreter session with XP test box but not against 7 box despite what TFA says. Anyone experiencing similar results?

  17. Re:Just get a PC. by Anonymous Coward · · Score: 0

    May want to type in the words mac and trojan in a search engine. If you are living under the delusion they don't exist you are the perfect target :-) I guess regardless of platforms there will always be the computer illiterates like yourself that actually believes the dribble sprouted by vendors.

  18. Re:Just get a PC. by Anonymous Coward · · Score: 0

    AppleScript-THT
    DNSChanger
    Trojan.iServices.A

    3 I can think of without searching. Ignorance is bliss I guess. I imagine a lot of infected windows users also spout off about how they never get infected so they don't need anti virus.

  19. Re:Just get a PC. by daveime · · Score: 0, Flamebait

    Why in God's name would you need any ports other than 80 open ?

    The only thing you people connect to is *apple.com for your daily dose of Jobsology.

  20. Re:ebay ticket selling by euyis · · Score: 1

    For some reasons I think I would Mod you funny if I had points.

  21. MS should be more like Apple by Monoman · · Score: 1

    This might have been avoided if MS had something like the App store for Windows. They could have taken their time before allowing this to be released .... just to be really really sure something like this wouldn't happen.

    I keeed, I keeed .... sorta. :-)

    --
    Keep the Classic Slashdot.
  22. Misread Title by Anonymous Coward · · Score: 0

    ASL, DERP

    *sigh*

  23. queue another itunes update by Anonymous Coward · · Score: 0

    Great, another 100mb update for a one line bug coming soon.

  24. Hold on by ledow · · Score: 2, Interesting

    If a badly-written program can circumvent ASLR and DEP for itself, then aren't DEP and ASLR a bit useless? The point of them is to prevent data execution, and to randomise the address space. How does a badly-written, ancient program "bypass" such measures? I can understand such measures not being applied (e.g. because ASLR or DEP on really-old code would break it because it was written with certain assumptions) but what that then assumes is that some administrator or Microsoft programmer has chosen at some point to disable DEP and ASLR for those old programs (if they have DEP and ASLR enabled at all). And if the code wasn't compiled without some DEP/ASLR magic enabled, then is this really surprising? What's to stop any other program similarly avoiding DEP/ASLR, or anyone exploiting such programs?

    How is this a "Quicktime problem" when the code being attacked is years old, and yet the OS still lets it break basic security? Surely the problem is not the program, but the things that let it execute. Hell, I have used old Windows programs that refuse to work with DEP enabled because they make certain assumptions and I realised that because the DEP handler would prevent them working in XP - they were NOT compiled at a time when any knowledge of DEP or ASLR on Windows was around. That's the whole point of DEP, isn't it? To stop programs executing code they shouldn't? I had to force an override for them network-wide but that was my choice, and no I did not specifically enable DEP myself, the Windows XP install decided to do that for me.

    Is this version of QuickTime whitelisted? Are DEP and ASLR really that worthless that "old programs" compiled before they came along are allowed to do anything? Isn't this the fault of an administrator running an outdated program rather than anything to do with DEP, ASLR, Quicktime or anything else? What's Quicktime doing differently to every other old, insecure program out there that makes it more of a risk?

    Seems like a complete red herring to me. Don't run old software. Don't run insecure software. Don't run programs that you haven't authorised yourself. And, apparently, don't rely on DEP or ASLR to actually DO anything.

    1. Re:Hold on by 99BottlesOfBeerInMyF · · Score: 2, Insightful

      If a badly-written program can circumvent ASLR and DEP for itself, then aren't DEP and ASLR a bit useless?

      In terms of preventing malware from running, no, they're an extra roadblock, but they are certainly not the hardest to overcome.

      How does a badly-written, ancient program "bypass" such measures?

      By linking the exploit to MS provided software included with Windows that does not use ASLR. From the article, "The gadgets come from Windows Live messenger dlls that are loaded by default on IE and have no ASLR flag,"

      The Quicktime problem is that someone can get arbitrary code to try to execute on your box in the first place. That only happens because of the Quicktime flaw.

      Are DEP and ASLR really that worthless that "old programs" compiled before they came along are allowed to do anything?

      This isn't about old programs. This is the current version of Quicktime. This is about old code in the current version. Code that should never have shipped in the first place. But, until DEP and ASLR are applied to everything that is on a huge number of boxes and/or application level sandboxing or access control becomes robust DEP and ASLR are not very effective.

      What's Quicktime doing differently to every other old, insecure program out there that makes it more of a risk?

      The Quicktime part of this exploit isn't all that unusual. It's just run of the mill except for being the result of programmers' backdoor shortcut code that should never have gone out in the production release. The bypassing of ASLR in this case, was more interesting to me.
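
The "ASLR flag" that this comment and cbhacking's earlier one refer to is a bit in the PE optional header's DllCharacteristics field. The following is an added example, not code from the thread or the linked article: it reads that bit, the DEP opt-in bit and the relocation state from a module's headers so a defender can list DLLs that will load at their preferred base. The function names and the sample headers are hypothetical and constructed here; the flag values are the standard winnt.h constants.

```python
import struct
import sys
from dataclasses import dataclass

# Standard PE constants (winnt.h).
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR opt-in (/DYNAMICBASE)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # DEP opt-in (/NXCOMPAT)
PE32_MAGIC, PE32_PLUS_MAGIC = 0x10B, 0x20B


@dataclass
class Mitigations:
    image_base: int    # preferred load address
    aslr_opt_in: bool  # loader may randomize the base
    dep_opt_in: bool   # module declares itself DEP-compatible
    relocatable: bool  # base relocations present, so it *could* be moved


def read_mitigations(data: bytes) -> Mitigations:
    """Parse only the headers needed to answer 'does this module opt in?'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = pe_off + 4
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    (file_chars,) = struct.unpack_from("<H", data, coff + 18)
    opt = coff + 20
    if opt_size < 72 or opt + 72 > len(data):
        raise ValueError("optional header truncated")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == PE32_PLUS_MAGIC:
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError("unknown optional header magic 0x%04x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return Mitigations(
        image_base=image_base,
        aslr_opt_in=bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        dep_opt_in=bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        relocatable=not (file_chars & IMAGE_FILE_RELOCS_STRIPPED),
    )


def audit(modules):
    """modules: {name: bytes}. Return (name, base, relocatable) for every
    parseable module that does not opt in to ASLR; non-PE input is skipped."""
    findings = []
    for name, data in modules.items():
        try:
            m = read_mitigations(data)
        except ValueError:
            continue
        if not m.aslr_opt_in:
            findings.append((name, m.image_base, m.relocatable))
    return sorted(findings)


def build_sample(dll_chars, file_chars=0x2102, image_base=0x10000000):
    """Constructed header-only PE32 image used as sample input (not a real DLL)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 96, file_chars)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python check_optin.py path\to\a.dll path\to\b.dll ...
    loaded = {}
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            loaded[path] = fh.read(4096)  # headers live in the first page
    for name, base, reloc in audit(loaded):
        note = "has relocations" if reloc else "relocations stripped"
        print("%s: no ASLR opt-in, preferred base 0x%x, %s" % (name, base, note))
```

A module reported with relocations present can still be moved by the loader when its preferred range is taken, which is the distinction cbhacking's comment draws between opting in and being relocatable.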

    2. Re:Hold on by Anonymous Coward · · Score: 0

      These problems aren't unique to the windows platform, for example X server needed to be run as root with DEP disabled until very recently. Having to compile your applications to support DEP and ASLR tends to be a non issue since the idea is to prevent them from becoming attack vectors. If someone is allowed to run a binary they compiled ASLR and DEP do nothing to hinder their attempts at taking over the machine with whatever credentials they were run as (and if there are any privilege escalation vulnerabilities in your system, perhaps as the superuser).

  25. Re:Every time Steve Jobs says something about Flas by Anonymous Coward · · Score: 0

    Used to be that Quicktime on Windows + MIDI on a web page = quickest way to hang your web browser process. I've no idea if this is still the case because there's no way I'd ever install Quicktime on a Windows ever again, not even to see if it still sucks so bad.

  26. Re:Every time Steve Jobs says something about Flas by NJRoadfan · · Score: 1

    I hate that stupid plug-in, and if it didn't lock up, it made most MIDI files sound like crap. I have a real MIDI synth to play back those files, but Quicktime thinks it isn't good enough.

  27. a vulnerability in QuickTime software ? by Anonymous Coward · · Score: 0

    Shouldn't that be a flaw in Memory Management Unit of the underlying Operating System? And never mind badly-written software, what's to stop anyone in deliberately programming in such flaws in order to bypass security?

    1. Re:a vulnerability in QuickTime software ? by Anonymous Coward · · Score: 0

      Shouldn't that be a flaw in Memory Management Unit of the underlying Operating System?

      It’s a feature, not a bug.

      never mind badly-written software, what's to stop anyone in deliberately programming in such flaws in order to bypass security

      This bypasses DEP. It does not bypass UAC. The exploit runs from the context of the IE web browser.

  28. Re:it'll probably be a while till this one's fixed by initdeep · · Score: 1

    You fail to see how a color grading system would need an a/v decoder?

  29. Re:Every time Steve Jobs says something about Flas by Anonymous Coward · · Score: 0

    I hate that stupid plug-in, and if it didn't lock up, it made most MIDI files sound like crap. I have a real MIDI synth to play back those files, but Quicktime thinks it isn't good enough.

    Was the Synth made by Apple? Is it called iSynth? No? Then of course it wasn't good enough!

  30. iPad name by rsborg · · Score: 1

    iPad (damn that is the WORST name, I still can't believe Steve came up with that.)

    You do realize that Steve Jobs was going to call the original iMac the MacMan? Yeah. MacMan. Business technologist extraordinaire he is, but he's really not good at names.

    --
    Make sure everyone's vote counts: Verified Voting
  31. Thanks, Apple. by Ant+P. · · Score: 1

    Thapple.

  32. Huh? by MadGeek007 · · Score: 1

    What I don't get is how a flaw in a 3rd party app can be used to bypass the protections at the OS level. Clearly the real problem is deeper than QuickTime.

  33. Ummm, question? by multimediavt · · Score: 2, Insightful

    FTFA:

    The gadgets come from Windows Live messenger dlls that are loaded by default on IE and have no ASLR flag.

    Wouldn't that be an IE bug at this point that QuickTime is exploiting, not so much a QuickTime bug? I'm not apologizing for Apple not cleaning up their code after they removed a feature (RTFA!), but seems like MS is just as much to blame for this one with the WindowsLive DLL being loaded by default and having no security on it.

    Just saying ... if you RTFA and don't just bash QT all day.

  34. YA ALL MISSING IT!! by stilesalaska · · Score: 2, Insightful

    Am I missing something here? Apple bashing? Hm, seems to me that other programs had this too. Like VLC!! They fixed their program! IT is just not Quick Time! It is so funny reading these posts and boy are there some people here that DON'T READ! JUST BASH! Old version of VLC would be able to do the same thing, and Open Office!!! Just sounds like a MS problem, not just a Quick Time, VLC, OpenOffice etc...

    1. Re:YA ALL MISSING IT!! by clone53421 · · Score: 1

      Hm, seems to me that other programs had this too. Like VLC!!

      Nice FUD... neither of TFAs mentioned VLC or VideoLan player. I checked.

      So, citation needed.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    2. Re:YA ALL MISSING IT!! by stilesalaska · · Score: 1

      Hm, you misunderstand me......... A surprisingly large number of popular applications — including Quicktime, Foxit Reader, Google Picasa, OpenOffice.org, RealPlayer, and VLC Player — all neglect to use one or the other, a recent review by Secunia found. I was talking about ---> the exploit underscores the threat that comes from programs that fail to use the ASLR and DEP protections baked into more recent versions of Windows. VLC fixed their program! (I CHECKED!) FUD NOT JUST pointing out the FACTS! I just need to be clear! I was not in that post! And FUD is the last thing my post says JUST BASHING LIKE YOU DO! Hmm, go figure!!! http://www.theregister.co.uk/2010/08/30/apple_quicktime_critical_vuln/ It is foolish and wrong to assume! And explain what FUD I was slinging!? None!

    3. Re:YA ALL MISSING IT!! by stilesalaska · · Score: 1

      Just for the record, I do use XP (work), SUSE LINUX (home). I will try to make my comments more clear! I did not last time! I hate FUD, I hate OS wars! Only a few post the facts. The way I see it, it is a problem for EVERYONE! Not just one OS. No no FUD! I was just not clear on my post!

    4. Re:YA ALL MISSING IT!! by clone53421 · · Score: 1

      A surprisingly large number of popular applications — including Quicktime, Foxit Reader, Google Picasa, OpenOffice.org, RealPlayer, and VLC Player — all neglect to use one or the other, a recent review by Secunia found.

      Guess what? I don’t CARE. Bulletproof code doesn’t need DEP/ASLR, and shitty code (as we’ve seen) can manage to use DEP/ASLR and still be exploitable.

      DEP is not a mandatory security feature. It is an opt-in feature to help avoid buffer underrun. As buffer underrun is always caused by badly-written code in the first place, DEP is a feature by which lousy programmers can try to protect themselves from their own lousy code.

      If you want to produce a quality, stable, well-written application (such as VLC) and you opt-out of DEP for portions of it or all of it, more power to you.

      If you want to produce a shitty, unstable, slow, bloated exploitable piece of crap (such as QuickTime or RealPlayer), more power to you too – but I’ll be using VLC and SMPlayer.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    5. Re:YA ALL MISSING IT!! by clone53421 · · Score: 1

      Just for the record, your excessive use of ALL CAPS and exclamation points!! does not benefit the argument that your posts are not FUD.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.