Slashdot Mirror


New QuickTime Flaw Bypasses ASLR, DEP

Trailrunner7 writes "A Spanish security researcher has discovered a new vulnerability in Apple's QuickTime software that can be used to bypass both ASLR and DEP on current versions of Windows and give an attacker control of a remote PC. The flaw apparently results from a parameter from an older version of QuickTime that was left in the code by mistake. It was discovered by Ruben Santamarta of Wintercore, who said the vulnerability can be exploited remotely via a malicious Web site. On a machine running Internet Explorer on Windows 7, Vista or XP with QuickTime 7.x or 6.x installed, the problem can be exploited by using a heap-spraying technique. In his explanation of the details of the vulnerability and the exploit for it, Santamarta said he believes the parameter at the heart of the problem simply was not cleared out of older versions of the QuickTime code. 'The QuickTime plugin is widely installed and exploitable through IE; ASLR and DEP are not effective in this case and we will likely see this in the wild,' said HD Moore, founder of the Metasploit Project."

7 of 162 comments

  1. Re:ew quicktime? by Mr. Slippery · Score: 0, Troll

    Considering that QuickTime is a core component of iTunes, if you own an iPhone, iPod or iPad, it's fairly hard to avoid QuickTime

    Another outstanding reason to avoid shiny geegaws from an evil company.

    Seriously, WTF?

    --
    Tom Swiss | the infamous tms | my blog
    You cannot wash away blood with blood
  2. Re:Just get a PC. by SuperKendall · Score: -1, Troll

    What do Macs have?

    A complete lack of trojans and spyware and viruses that make all of the things you list pretty much needless (well except for Firefox)?

    Or how about coming with a real firewall built in but not needing it because it also doesn't come with open ports.

    Enjoy your zombie breeding ground! I'll be busy working.

    Steve Jobs to complain to, but it'll fall on deaf ears as it takes them months to patch anything.

    They might hurry more if there were any malware to prevent the spread of. They certainly issue security fixes faster on the iPhone.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  3. Every time Steve Jobs says something about Flash by Alistair Hutton · Score: -1, Troll

    I just think about Quicktime on Windows and laugh.

    --
    Puzzle Daze is now my job
  4. ebay ticket selling by lucypinder · Score: -1, Troll

    This is exactly what I was looking for. Thanks for sharing this great article! That is very interesting Smile I love reading and I am always searching for informative information like this! You are bookmarked! Thanks. http://www.listeasy.net/

  5. Re:ew quicktime? by node_chomsky · Score: 0, Troll

    It's interesting that my Apple (running QuickTime) has none of these problems. I guess it's their shitty engineering that makes my computer so stable and operational. If you think Apples are less conducive to nerdery and functionality compared to most other options, you are amazingly unobservant. If you think Microsoft has any advantage to either of those two qualities, you are stupid and gullible. If you think 90% of the world's population has any chance of successfully installing, using, and maintaining any stable distro of Linux, you should try to help my grandmother find the word count on her computer sometime; it will open your eyes to what level most of the world's people compute on.

  6. Re:ew quicktime? by aristotle-dude · Score: 0, Troll

    I guess it's their shitty engineering that makes my computer so stable and operational.

    Yeah. Yesterday, I plugged a Mac laptop into a projector. Apparently the Mac needs to reboot after detecting new hardware or something--so it immediately rebooted without prompting, notifying, or even asking me to save. Apple is so awesomely user-friendly. That must be their engineering commitment to build a stable and operational computer.

    Anyways--while the mac was busy rebooting, I plugged my linux laptop in. It immediately started working.

    That's an interesting story.. what's that I smell? It smells like bullshit. Are you sure that it wasn't your "linux" laptop dual-booted into windows?

    --
    Jesus was a compassionate social conservative who called individuals to sin no more.
  7. Re:ew quicktime? by Anonymous Coward · Score: -1, Troll

    This is complete bullshit. Macs never need to reboot when plugging in a projector, and I can't think of any hardware that you could attach to a MacBook that would require a reboot. The only case that I can think of where that would be true is if you install an internal drive or put a new PCI card in a Mac Pro (i.e. an operation that actually requires you to turn off the computer before accessing the internals). And the only case where they reboot without prompting or notifying would be after a kernel panic on OS X Server. You're either lying or incompetent.