New QuickTime Flaw Bypasses ASLR, DEP

Trailrunner7 writes "A Spanish security researcher has discovered a new vulnerability in Apple's QuickTime software that can be used to bypass both ASLR and DEP on current versions of Windows and give an attacker control of a remote PC. The flaw apparently results from a parameter from an older version of QuickTime that was left in the code by mistake. It was discovered by Ruben Santamarta of Wintercore, who said the vulnerability can be exploited remotely via a malicious Web site. On a machine running Internet Explorer on Windows 7, Vista or XP with QuickTime 7.x or 6.x installed, the problem can be exploited by using a heap-spraying technique. In his explanation of the details of the vulnerability and the exploit for it, Santamarta said he believes the parameter at the heart of the problem simply was not cleared out of older versions of the QuickTime code. 'The QuickTime plugin is widely installed and exploitable through IE; ASLR and DEP are not effective in this case and we will likely see this in the wild,' said HD Moore, founder of the Metasploit Project."

ew quicktime?

[w00tsauce]

People still use that garbage? That's like installing real player.

Re:ew quicktime?

Closed source.
Apple's evil.
Wait.
Microsoft's evil.
Wait.
It's Google.
No. Apple.
No. Microsoft.
Damn you evil closed source! You have me so confused as to who to hate .....

Re:ew quicktime?

[jonwil]

Considering that QuickTime is a core component of iTunes, if you own an iPhone, iPod or iPad, its fairly hard to avoid QuickTime and still get full advantage of your device.

Re:ew quicktime?

People still use that garbage? That's like installing real player.

It's quite green to use garbage. And yes I'm a real player, and you can install me for a small fee.

Re:ew quicktime?

[Techman83]

iTunes without QuickTime Get iTune Not necessarily. I don't own one, but a few of my friends have iDevices and the only way I'll support them is if they let me install itunes this way!

Re:ew quicktime?

[Idiomatick]

MS is bad for OSS' ideals and goals most of the time.

Apple is bad for OSS' ideals and goals. Also bad for nerd ideals and goals. And bad for computers in general. Seriously, iTunes in past has acted like malware same w/ quicktime.

Google is actually good. BUT the potential for evil that they have is so incredibly huge that it would make anyone paranoid. So people keep their eyes on it.

Re:ew quicktime?

[profplump]

Is QuickTime really that bad? I understand the objection to "claim all file types", but that's true of all commercial A/V systems. Beyond that, is there anything in particular I should object to about QuickTime, or is it just random Apple hate?

Re:ew quicktime?

[vlueboy]

Another outstanding reason to avoid shiny geegaws from an evil company.

To be fair, the flaw is almost a first for Quicktime --an ancient product line predating iProducts, back when "multimedia" came in big letters on all home computers and all videos on the web were MPEG or MOV downloads. What is so bad is how we sleep in our laurels and wake up to find that we falsely associated safety with it because QT ran on a little targetted OS before it was ported to Windows...

IIRC, Apple isn't the number one seller of smartphones nor MP3 players, or distributor of Windows Multimedia readers. Yet it's generating enough attention to get exploited. Even if you and I don't own recent apple products, we have been falling in a parallel situation and taking it for granted again: all those free Google clients downloaded over the years have become a juicy target. All we need is someone to find a weak spot.

Scratch that! All we need is an unlikely "someone" among that small group who will PUBLISH the weak spot of that juicy target. All the others just exploit it for months without us being the wiser.

Re:ew quicktime?

[Stupendoussteve]

Good thing they're not running Windows or Internet Explorer.

Victim prerequisites:

* Internet Explorer.
* XP,Vista,W7.
* Apple Quicktime 7.x, 6.x ( 2004 versions are also vulnerable, older versions not checked )

Re:ew quicktime?

[Techman83]

IMO Opinion quicktime causes windows to slow down and also likes to install background services. The Quicktime Alternative is just far less bloated and seems to work just as well. Also you aren't forced to use the quicktime player, it just behaves like any other normal video codec.

Re:ew quicktime?

[Stupendoussteve]

Misread parent, although not using IE is still pretty standard, no?

Re:ew quicktime?

[pspahn]

Well someone has figured out the purpose of a double rainbow.

Re:ew quicktime?

[Vectormatic]

try updating itunes without getting all sorts of apple crapware on your system...

My GF updated itunes a while back on my laptop to sync her iphone, and suddenly i had safari installed...

and yes, i know my own flaws here:
1) let my GF on my laptop
2) own an ipod, thus needing itunes
3) running windows on my laptop

at the very least 2 will be corrected pretty soon (same for her iphone, she wants android now..)

Re:ew quicktime?

[Gilmoure]

Apple kicked my dog and slept with my girl friend.

Re:ew quicktime?

[darkpixel2k]

I guess it's their shitty engineering that makes my computer so stable and operational.

Yeah. Yesterday, I plugged a Mac laptop into a projector. Apparently the Mac needs to reboot after detecting new hardware or something--so it immediately rebooted without prompting, notifying, or even asking me to save. Apple is so awesomely user-friendly. That must be their engineering commitment to build a stable and operational computer.
Anyways--while the mac was busy rebooting, I plugged my linux laptop in. It immediately started working.

Re:ew quicktime?

[DJRumpy]

Why do you say that? The exposure is in the OS. Although the software may have exposed it, the vulnerability lies with MS to fix.

Apple fanboys downvoting the truth because they can't accept it? How surprising.

Re:ew quicktime?

[initdeep]

are you seriously that stupid?

you think that the exploit, which is in Quicktime, is MS's fault?

so do you say the same thing about it being apple's fault when a program by adobe is used to exploit OSX in the yearly pwn2own?

newsflash.

it's an apple problem, regardless of the desires of the apple fandom.

Re:ew quicktime?

[DJRumpy]

Yes I do believe that the exposure in the PDF problem was Apple's fault due to a flaw in iOS. You might also recall (or maybe not given your response) that Apple closed that exposure (not Adobe).

The owner of the exposure was clear, just as it is clear in this case. If ASLR and DEP fails to protect against such an exposure, they are flawed.

Re:ew quicktime?

it's an apple problem, regardless of the desires of the apple fandom.

I certainly hope all of the blackhats will take such a responsible stance and own up to any such flaws in their malware...

Re:ew quicktime?

To be fair, the flaw is almost a first for Quicktime --an ancient product line predating iProducts, back when "multimedia" came in big letters on all home computers and all videos on the web were MPEG or MOV downloads. What is so bad is how we sleep in our laurels and wake up to find that we falsely associated safety with it because QT ran on a little targetted OS before it was ported to Windows...

What on earth are you talking about?

http://secunia.com/advisories/product/5090/

Re:ew quicktime?

[emocomputerjock]

Quicktime does not properly use either ASLR or DEP. The application is at fault.

Re:ew quicktime?

[DJRumpy]

So any application (including malware) that does not use ASLR or DEP gets a free pass vulnerability? You don't elect to use these things. They are a keystone of the OS Security, not some feature you 'opt into'.

Re:ew quicktime?

[emocomputerjock]

If the attack is using a third party application that does not properly implement the security features available, then the application is at fault.

Re:ew quicktime?

[lordDallan]

Anyone have facts to back this up? Not trying to jump down anyone's throat. Genuinely curious if this has been measured.

Also curious if this exploit really only affects IE? If it doesn't affect FireFox doesn't that mean that IE is also part of the problem?

Re:ew quicktime?

[DJRumpy]

So by you reasoning, all hackers properly implement security features?

Do you even know what ASLR and DEP are? They are not 'features' that an app uses. They are built into the OS. If the OS can be exploited to bypass these then the exposure lies in the OS.

You seem to be missing the disconnect between what your saying and reality. If bypassing OS security was as simple as 'not properly implementing the security features available', then hackers jobs would be all to easy. They could simply opt-out of using things like Virus Scan, Firewalls, Permissions, ASLR, or DEP.

Re:ew quicktime?

[emocomputerjock]

They're exploiting a third-party application using an exploit in the application. The application is at fault.

Re:ew quicktime?

[dwightk]

Is the "interesting" mod referring to how interesting it is that you are bad at understanding/discovering causes?

Re:ew quicktime?

[konohitowa]

Mod parent up: +1, Bullshit

Re:ew quicktime?

[Culture20]

and yes, i know my own flaws here:
1) let my GF on my laptop
2) own an ipod, thus needing itunes
3) running windows on my laptop

at the very least 2 will be corrected pretty soon (same for her iphone, she wants android now..)

Bravo for dumping Windows, but don't you think dumping your GF is a little harsh? ;)

Re:ew quicktime?

[Idiomatick]

"If you think 90% of the world's population has any chance of successfully installing, using, and maintaining any stable distro of Linux, you should try to help my grandmother find the word count on her computer sometimes, it will open your eyes to what level most of the worlds people compute on."

Where was it that I said linux was good for grandmothers? Or anything about linux OR grandmothers. Geez.

Re:ew quicktime?

[Idiomatick]

Thats hilarious. I could design an ap on any current OS that could do bad things. Do you really expect an OS to protect itself from explicitly trusted programs? How could it even do that without psychic powers? I'm certain an ap that deletes every document on the computer would work in every OS... the computer doesn't know that you didn't intend for that to happen...

Re:ew quicktime?

[Techman83]

My facts are my personal experiences over the years, so take that as a testimonial of some random Internet user. But for a better and more complete explanation the quicktime alternative was written for a reason and the facts stated here may go a long way to let you know why. I mean seriously a picture viewer? Also, why on earth would a I want a _Video Codec_ to install a system service for updating and another one for making quicktime load faster for that 1 time every six months I'll use it. Applications that behave in this manner are a personal pet hat of mine (I repackage applications for a living) and Apple are big culprits for doing this (they are not alone here, I'm looking at you Adobe).

Re:ew quicktime?

[mjwx]

Is the "interesting" mod referring to how interesting it is that you are bad at understanding/discovering causes?

Apple refuses to follow standards and does not have a decent framework for introducing new hardware. Cause discovered and understood.

Having supported Mac's in a professional capacity I have seen multiple examples of what the GP is talking about but Mac users tend to pretend that their machine didn't reboot when they plugged in a new bit of kit.

To get back on topic, I avoid quicktime like the plague as it's more bug ridden and vulnerable then anything produced by Adobe and almost as bad as IE6 itself. Of course Apple insists on foisting Quicktime upon people by tying it into Itunes so I avoid all Apple products all together. Itunes should not require Quicktime, Bonjur or the other 30 odd components it installs.

Re:ew quicktime?

[darkpixel2k]

Is the "interesting" mod referring to how interesting it is that you are bad at understanding/discovering causes?

What do I care about the cause? Who cares if it's a null pointer or other bizarre issue in the Mac? The point is, one crashed and the other didn't. I find it funny that the mac fanboy is talking about how Macs are so damn stable, they were designed by Jesus himself--yet I had the exact opposite experience. (And I'm perfectly fine admitting that I have had tons of trouble in the past with Ubuntu and external monitors. I was actually surprised it worked.)

Re:ew quicktime?

[darkpixel2k]

That's an interesting story.. what's that I smell? It smells like bullshit. Are you sure that it wasn't your "linux" laptop dual-booted into windows?

You're right--I often confuse blue screens with core dumps.

Re:ew quicktime?

[cbhacking]

Malware implies code already executing on your machine. By the time you get that far, DEP and ASLR are already bypassed; their purpose is to prevent the execution of such code in the first place. There are other things one can do to mitigate the damage, such as limited permissions and sandboxing, but you're comparing apples to oranges here. DEP and ASLR make exploits more difficult. Malware is something that exploits (or stupid users) install. Malware could quite happily opt in to DEP and ASLR; it wouldn't change anything.

However, non-malicious software developers can choose to opt-in to these features in order to provide an extra layer of security against exploits. That's what DEP and ASLR are: extra layers of security, neither an absolute barrier to attack nor a "keystone of the OS Security" as you put it. They just make successful exploits much more difficult. The principle is called Defense in Depth, and if you know anything about security of any kind you'll be familiar with the notion.

As for why they're opt-in rather than opt-out (or unavoidable) the problem is that they are not completely non-breaking changes to the OS behavior. Some applications will crash or otherwise fail to work if they are run with DEP, or their libraries are loaded with ASLR. Those programs and libraries are poorly written by modern standards, but then again, if they'd been written correctly in the first place DEP and ASLR would be irrelevant because they wouldn't have security vulnerabilities in the first place.

Re:ew quicktime?

[konohitowa]

You've seen a MacBook do a silent reboot when plugged into a secondary monitor?

Re:ew quicktime?

[cbhacking]

Apparently you are the one who does not understand. DEP and ASLR are features provided by the OS, but they are *NOT* universally backward-compatible features. Some apps will break if DEP is enabled. Some libraries will break if ASLR is enabled. ASLR is new enough that it's still not uncommon to find libraries which weren't coded with it in mind.

As for "not properly implementing security the features available" you *really* should take the foot out of your mouth before you choke on it. For one thing, any application running as Admin (including most software installers) can opt out of firewall (turn it off or add an exemption; *lots* of apps or their installers do this), opt out of virus scan (non-trivial, but they could add themselves to the allowed files list or simply turn off the scanner), or opt out of permissions (change the ACLs to world-writable). Of course, this assumes that you're talking about software already executing on the computer. Once you're to this point; DEP and ASLR are irrelevant; their only purpose is to try and prevent exploits and they can do nothing once the malicious code begins to execute.

However, "hackers" still have to find a vulnerability in the program that they are trying to execute. A firewall only protects network interfaces; if the software is properly secured it can't be compromised no matter what comes over the connection. A virus scanner only detects malicious software on the system; if there are no exploitable programs then the attacker has no way to get malicious software onto the computer in the first place (aside from social engineering, but you can't fix stupid). Permissions can limit the damage that malware or a compromised program does, but again if there's no way to compromise any programs that doesn't matter (and most XP users run as Admin anyhow).

If the Quicktime developers hadn't left this problem in their code, there would be no problem at all.

Re:ew quicktime?

[cbhacking]

Quicktime installs a handful of additional (and unnecessary) stuff. In particular, it includes an IE plug-in that not only enables viewing of Quicktime movies in the browser but also replaces handling of other media formats, including JPEG rendering. This increases the browser footprint and slows it down noticeably, or at least it did the last time I installed Quicktime (a couple years ago). Also, I'm not entirely sure if it's Quicktime or iTunes that installs Bonjour, but that definitely falls into the category of stuff I don't want a media player installing and enabling without my express consent.

The IE plug-in can be disabled using IE's add-in manager. I don't know whether Quicktime installs a Firefox plug-in as well, or not. If it does, the odds are that it is also exploitable. If not, you're probably fine unless you download the file and open it directly.

Re:ew quicktime?

[mjwx]

You've seen a MacBook do a silent reboot when plugged into a secondary monitor?

Worse, I've seen an Imac do a "silent" (what's silent about it, it's quite obvious what happened) reboot when a USB thumb drive was plugged into it.

Re:ew quicktime?

[cbhacking]

To be fair, the flaw is almost a first for Quicktime

Uh... Secunia would beg to differ. 56 advisories, each if which may cover multiple vulnerabilities. There are 136 reported vulnerabilities (across 27 advisories) in Quicktime 7.x alone. The oldest reported vulnerability in Secunia's database is for Quicktime 3. It's not the worst record ever, but it's hardly valid to claim that this flaw is "almost a first" in any way.

Re:ew quicktime?

[Vectormatic]

well, i have her convinced that android is better then getting a new iphone (and it didnt even take any brainwashing techniques), so dumping wont be needed :)

(kidding, off course.. when we got together she had a windows mobile phone, and had just bought a laptop with vista... i honestly dont care too much)

Re:ew quicktime?

[clone53421]

Except that you’re completely wrong, of course.

ASLR and DEP are not “keystone OS security” features designed to protect the OS from malicious applications.

They are, in fact, “opt-in” security features designed to protect applications from malicious input which could cause a buffer underrun (and this is always an application error, not an OS error).

Re:ew quicktime?

[cthulhu11]

This has never happened to me.

Re:ew quicktime?

[jo_ham]

Did Fox News write that one for you?

-1 total fabrication.

PS

[schmidt349]

From the article: "The result of the problem is the creation of what amounts to a backdoor in the QuickTime code, Santamarta said. 'WATCH OUT! Do not hype this issue beyond it deserves...'"

Looks like we already missed the boat on that one.

Re:PS

[clone53421]

Perhaps you should have quoted the next sentence:

This time Backdoor != malicious code but a horrible trick a developer implemented during the development cycle.

It’s still a backdoor, and it can still be maliciously exploited. It’s just that it was apparently not put there to intentionally be malicious.

Itunes requires quicktime

[rsborg]

I'd say it's almost as widely installed as Adobe Reader. Here's a guesstimate answer as to how many copies there are (numbers are old)

Re:Itunes requires quicktime

[Lehk228]

bonzi buddy was pretty widely installed too.

Quicktime Uninstalled

[dustinsherrill]

I have now uninstalled the Quicktime player. Would Quicktime Alternative be any safer? Seems Apple has had a rash of security issues lately.

Re:Quicktime Uninstalled

[bakamorgan]

There was a news article a ways back that stated that apple had more security holes then M$. Guess no one got the hint.

Re:Quicktime Uninstalled

Would Quicktime Alternative be any safer?

"QuickTime Alternative consists of codec libraries extracted from the official distribution, including the official QuickTime plugin required for playing QuickTime files (.MOV and others)"

Re:Quicktime Uninstalled

[SheeEttin]

I'm gonna plug VLC here.
Free, open-source, plays just about everything. Files, streams, discs, you name it. Also does conversion (apparently, never really tried it), streaming (VLC as the stream server, that is), and minor video editing (hue, brightness, rotation, filters, etc.; but I don't know if this is just for viewing or what). Also subtitles.

Re:Quicktime Uninstalled

I have now uninstalled the Quicktime player. Would Quicktime Alternative be any safer? Seems Apple has had a rash of security issues lately.

Depends on what you want it for, but VLC is always a good alternative.

Windows 7 have basic support for playing mov files, without having to install Quicktime (and yay! for that). If you think upgrading to Win7 just for that is a bit overkill (it is of course :), your concern was security and Windows 7 is significantly better than XP overall in that regard.

Re:Quicktime Uninstalled

[hairyfeet]

The problem is nobody uses Quicktime for actually playing media files (BTW on Windows I'd prefer Kantaris as it has the VLC core but a MUCH nicer UI IMHO) anymore but like Safari Windows users get stuck with it if they want to use their iStuff.

That is why I've told customers unless they want a really shitty experience if they want to play with iStuff they better be ready to shell out for a Mac. The Windows version has always been completely shitty, the red headed stepchild of Apple. Sure it'll work, but it is buggier, slower, and generally more crappy in every way than the native Mac version. Personally I'll stick with my Sandisk and if I wanted all the bling bling I'd get a Cowon and since funnily enough I prefer my phone to just make phone calls and actually like typing on a keyboard I don't think I'm in any danger of getting an iPhone or iPad (damn that is the WORST name, I still can't believe Steve came up with that.)

Re:Quicktime Uninstalled

[tokul]

Would Quicktime Alternative be any safer?

Quicktime alternative does not install alternative. IMHO it installs original Apple codecs and plugin without player/editor nagware. Probably some versions behind official Apple QT. It might have more bugs than Apple QT.

Re:Quicktime Uninstalled

[LordLucless]

It's probably Apple getting it's own back after dealing with IE and MS Office for Mac.

Re:Quicktime Uninstalled

[arth1]

The issues with QuickTime is why I banned iTunes several years ago, and have no intentions of reverting the ban until Apple releases an iTunes that doesn't sneak-install apps that work on a system level and are accessible even when iTunes isn't running.

Just because Microsoft is evil doesn't make Apple good. Far from it -- they're quite often one of the most rotten fruits in the barrel. Quicktime isn't just proprietary, but unsafe by design, and comes with a preferences interface that is designed to trick the user into inadvertently both "updating" and installing other software, and with planned obsolescence preventing newer version QT codecs from working with old apps (so you have to upgrade the other apps too, or replace them with alternatives from e.g. Apple).

Re:Quicktime Uninstalled

[clone53421]

I used to use VLC exclusively, but now I really only use it for media files that SMPlayer doesn’t like.

I initially made the switch after somebody said that SMPlayer could be configured to require very little resources – it was about the only way I could get videos to play halfway decently on a particular computer that I was stuck using for a while. VLC wouldn’t play anything without it skipping badly on that computer even after I tried to configure it to be as minimalistic as possible.

Main reasons for using SMPlayer now: Interface looks better; default pixel-smoothing video filter looks better; subtitles look better. Of course it has most of the same selling features as VLC... free, plays just about anything, doesn’t invade my PC with crap I don’t want, hotkeys (though different from VLC’s), lots of options. It also has a portable version.

Come to think of it, about the only feature I’d really point out that VLC has and SMPlayer lacks is the ability to transcode media. SMPlayer does have a nice feature which dumps every frame to an image while playing (shift-D starts/stops it), which is handy for making animated gifs.

Re:Quicktime Uninstalled

[Gilmoure]

Word 5.1a for Mac was great!

Re:Quicktime Uninstalled

[tlhIngan]

Windows 7 have basic support for playing mov files, without having to install Quicktime (and yay! for that). If you think upgrading to Win7 just for that is a bit overkill (it is of course :), your concern was security and Windows 7 is significantly better than XP overall in that regard.

Any proper MPEG-4 player should do, actually. After all, besides h.264 and AAC in MPEG-4, the MP4 file format is also part of the spec. And the MP4 container is a pretty substantial subset of the QuickTime MOV container. (the 3GP container is a subset of the MP4 container). The end result is getting your MP4 parser to understand MOV is a pretty trivial affair.

The downside is, well, it only works for h.264 encoded MOVs, the Sorenson codec ones won't be supported. And most h.264 videos already use the MP4 container.

Other than QuickTime serving as the Apple-native media playback framework, there is no need for it. Modern videos are h.264 containered in MP4, playable by anything that understands h.264/MP4. Of course, the Mac had the same thing as well - there was Windows Media Player ported to MacOS that was just as bad (so bad, Microsoft ended up telling Mac users to use a third-party product to play WMV). Probably because it also had to port the Windows DirectShow framework to Mac.

The only real reason to have QuickTime is for the oddball MOV encoded in the pre-h.264 days.

Re:Quicktime Uninstalled

[hairyfeet]

If you had actually bothered to look at the gallery you'd see that it really looks nothing like WMP, but whomever designed the site really didn't know how to describe it. I would say it is more of a cross between MediaMonkey with a little bit of iTunes and WMP thrown together. It is really great for managing libraries of media, and they even have a portable version that works great on a thumbstick.

So why not give the portable a try? No need to install, if you don't like it you can just chunk it, no muss no fuss. That's how I did and ended up switching off of Songbird (got too bloated) and it seems to manage libraries a lot better than WMP IMHO. And since it is free and Open Source it isn't like it'll cost you anything.

Re:Quicktime Uninstalled

[hairyfeet]

Let me see if I got this straight: You are using Windows "classic" ala the Windows 95 GUI, and are actually bitching that something has a GUI that isn't from the stone age? Wow, I thought your kind died off with Win2K. Meanwhile the rest of the world, be it Windows, OSX or Linux, has actually moved away from the Win95 GUI into desktops that...oh what is the word...oh yeah, don't SUCK. Have you ever even TRIED the modern GUI in Windows 7? Breadcrumbs, the new taskbar, useful gadgets, it is all really nice and actually makes things easier which is why everyone moved away from win95.

But tell you what, since the Hairyfeet supports the right to be weird, allow me to introduce you to Evil Player for your audio needs and K-Lite Mega for your video needs. Evil Player has NO GUI, simply a box you drag and drop your audio in, uses less than 40Kb, and fits in great with winClassic, and K-Lite has Media Player Classic Home Cinema, which has the GUI of Media Player 6 (which fits perfectly with classic) and which I've found does hardware acceleration much better than VLC. If you have a GPU from this century you'll find MPC:HC accelerates all the major formats quite nicely. Unless of course you are still using windows Classic because you are on win98 or Win2K, in which case may God have mercy on your poor unsupported soul.

Well duh.

[Securityemo]

This attack doesn't belong to the class of "smashing" attacks ASLR and DEP is designed to prevent. It's like expecting salted passwords to help you defend against misconfigured NFS shares.

Re:Well duh.

[blueg3]

This boils down to doing a heap spraying attack, and those are in the general class of exploits that ASLR (and to a lesser extent, DEP) are designed to prevent. However, it's fairly well-known at this point that ASLR can be defeated (sometimes) by well-crafted heap-spraying attacks. (Likewise, DEP can be defeated by stack-smashing using return-oriented programming.)

Re:Well duh.

[shutdown+-p+now]

those are in the general class of exploits that ASLR (and to a lesser extent, DEP) are designed to prevent

To be pedantic, neither of those is designed to "prevent" so much so as to minimize the likelihood of successful attack. It's not like, say PHP magic quotes, rather just something to make life significantly harder for exploit writers.

Re:Well duh.

Indeed, ROP is fun and the easiest technique to exploit classical buffer overflow bugs right now, but this is only because the compiler is too lax at implementing canaries and ASLR is crap.

ASLR when performed right is unbeatable in the same way as 256-bit key encryption is, and I think the final nail on the code execution coffin will be full ASLR rather than DEP and Stack protection. The problem is that ASLR as shipped right now in most systems is far too weak and in some places it doesn't exist at all, giving the attacker a known environment. In certain circumstances, data corruption is as good as data execution - if it can be done in a predictable way, the game is over.

Full heap randomization and good canary protection should be priorities for the OSes which aren't doing it right now. Linux, for all its security aura is particularly shameful. Apparently keeping your data from organized crime isn't worth a 10% speed-down in Phoronix.

Re:Well duh.

[cbhacking]

More to the point, this attack uses ROP (which, as you say, defeats DEP) but it does it using bits fo code, called "gadgets", that are part of a library which is loaded without ASLR. Even though the browser itself is using ASLR, some of its libraries will be loaded at known locations, which is what makes this attack work. That's not exactly defeating ASLR so much as it is taking advantage of the fact that it isn't universally used yet, kind of like the way some legacy programs aren't DEP-compatible.

For the time being, ASLR is only opt-in; if a library doesn't mark itself as ASLR-compatible, the loader will put it at its preferred base address. Or at least, it will try to. The fact is that dynamically linked libraries can never guarantee that their preferred address range is available, and therefore should never assume that they are at a given location in memory. In fact, most of them don't... but they still don't have the opt-in flag, either because they're old or because the developer didn't set it. I wonder how hard it would be to simply *force* ASLR by telling each library, as it loads, that its preferred address is simply unavailable and it's going to be stuck someplace else...

Re:Well duh.

[shutdown+-p+now]

Exploits get patched eventually. If this increases the time it takes between a patch and a new exploit, wouldn't you say it is still worth it?

Re:Well duh.

[KiloByte]

In fact, neither ASLR nor DEP can ever prevent an attack. They can at most minimize the damage, turning running arbitrary code into a mere DoS.

With or without ASLR or DEP, you still need to fix the underlying security hole.

Re:Well duh.

[drinkypoo]

wonder how hard it would be to simply *force* ASLR by telling each library, as it loads, that its preferred address is simply unavailable and it's going to be stuck someplace else...

it would be real easy and this is probably precisely how it's done, at least, only libraries which are relocated at all get ASLR. It's not done universally because some [improperly written] libraries crap themselves when you do this.

Re:Well duh.

[fast+turtle]

From what I recently read in regards to DEP/ASLR testing, the Apple Devs are simply being effen lazy or stupid as quicktime doesn't even use ASLR according to the graphic on this page http://taosecurity.blogspot.com/2010/07/secunia-survey-of-dep-and-aslr. html

Note that I'd seen this graphic last week (don't recall if Eweek or other). I hate to say it but it's really bad when Adobe is actually responding to the issue by fixing their software unlike Apple. My understanding is that followin an ASLR design standard does not prevent software from using known address spaces. All it does is ensure that the software does not break when thrown into a mandatory ASLR environment.

Re:Quick!

[Concerned+Onlooker]

It's like 10,000 PCs when all you need is a Mac.

not the plugin

[YesIAmAScript]

You can turn off the browser plugin.

Re:Quick!

[MichaelSmith]

Or free software when you've already paid.

Full advantage?

If you own an iPhone, iPod, or iPad, it's fairly hard to get full advantage of your money.

Re:Full advantage?

[sortadan]

If apple would stop forcing people to install their stupid software just to use a phone maybe 'pc' wouldn't have such a hard time of it...

for a default itunes+quicktime install on 64bit windows open cmd.exe as admin (right click is your friend) and type this:

regsvr32 /u "C:\Program Files (x86)\QuickTime\QTPlugin.ocx"

Re:Full advantage?

[TheRaven64]

The thing I love about the iPhone is the lack of OS X integration. It works via iTunes, just like an iPod, meaning that you have to plug in a cable to sync. Meanwhile, almost every other phone (including my last four, two from Ericsson and two from Nokia), sync via bluetooth in iSync, so you just put them in the same room as the Mac and click on the 'sync now' button in the top-right of the menu bar. All of your calendars, contacts, and notes are sync'd. You can transfer photographs and other files by browsing the device in the Bluetooth File Transfer thing and dragging them to or from Finder windows, or you can send them via OBEX from the phone and have them appear automatically in a folder that you designate.

It's almost like the iPhone team had never actually used a Mac.

Re:Full advantage?

open cmd.exe as admin (right click is your friend) and type this:

Opening command prompts and typing weird commands? Nobody's going to remember this crap. Windows has a long way to go before it's ready for the desktop!

Re:Full advantage?

[TheRaven64]

You make it sound like pairing the device is hard, but it's a simple wizard that takes about 10-15 seconds to run. It then needs to run once and that's it. Any time your phone is in the same room as the phone, you can sync just by hitting the 'sync now' button. No need to find the cable or connect it.

I used to own an iPod, so I'm familiar with using iTunes for syncing. I plugged my iPod into my computer occasionally, but it was always a hassle. In contrast, the phone that I had at the time was always sync'd because I could initiate the sync while I was at my computer but my phone was still in my coat pocket hanging up.

If I take a picture with my phone, I can select it and say 'send via bluetooth' on the phone, select my computer, and it appears on my computer. Again, no need for a cable, no need for a full sync. It's as easy as sending an MMS, as long as the computer is in the same room as the phone.

Before the iPhone was launched an Apple decided to cripple every other device because the iPhone couldn't keep up, I got an on-screen notification whenever someone dialed my phone and I could send SMS and dial the phone from within Address Book. I can't do that with recent versions of OS X without a third-party app, because the iPhone can't do any of it and Apple didn't want their phone to look quite as bad as it is.

Re:Full advantage?

[TangoMargarine]

You guys are arguing whether it's more bothersome to set up a one-time sync or to plug in a device each time you use it? Jesus f*cking Christ we're pampered these days. Oh no, I have to park my Ferrari two whole parking spaces away from the door to go get my caramel macchiato...

Kinda disappointed

[OneoFamillion]

At first I thought "Ruben Santamarta of Wintercore" was his name. I also considered this awesome.

Re:Steve Jobs says

[iPhr0stByt3]

Just Get a Mac. And if you don't we'll keep "accidentally" leaving backdoors in our software for windows.

Re:it'll probably be a while till this one's fixed

[bell.colin]

I don't like Apple products that much (especially QuickTime and the Shiny iWhatever products) but i fail to see why a grading system would need a Video/Audio decoder.

This is why people love Apple!

People love Apple for this stuff, though.

No more screwing around bypassing ASLR or DEP, even the exploit code Just Works.

Working..somewhat

[Airborne-ng]

Successfully created meterpreter session with XP test box but not against 7 box despite what TFA says. Anyone experiencing similar results?

Re:Steve Jobs says

[vistapwns]

Yea it's ironic how Apple talks so much about Windows malware, I wonder how much of it got in through Apple software that is poorly coded and/or doesn't opt-in to Windows security technologies.

Re:ebay ticket selling

[euyis]

For some reasons I think I would Mod you funny if I had points.

Re:Steve Jobs says

[Rockoon]

I dont understand why that is modified troll.

Apple bills itself as the quality option, so how can it be accidental that the Windows versions of each of their software products be so horrible on so many metrics?

The only question is, does the shitty shitness of their shit reflect intentional malice, or intentional apathy?

MS should be more like Apple

[Monoman]

This might have been avoided if MS had a something like the App store for Windows. They could have taken their time before allowing this to be released .... just to be really really sure there something like this wouldn't happen.

I keeed, I keeed .... sorta. :-)

Hold on

[ledow]

If a badly-written program can circumvent ASLR and DEP for itself, then aren't DEP and ASLR a bit useless? The point of them is to prevent data execution, and to randomise the address space. How does a badly-written, ancient program "bypass" such measures? I can understand such measures not being applied (e.g. because ASLR or DEP on really-old code would break it because it was written with certain assumptions) but what that then assumes is that some administrator or Microsoft programmer has chosen at some point to disable DEP and ASLR for those old programs (if they have DEP and ASLR enabled at all). And if the code wasn't compiled without some DEP/ASLR magic enabled, then is this really surprising? What's to stop any other program similarly avoiding DEP/ASLR, or anyone exploiting such programs?

How is this a "Quicktime problem" when the code being attacked is years old, and yet the OS still lets it break basic security? Surely the problem is not the program, but the things that let it execute. Hell, I have used old Windows programs that refuse to work with DEP enabled because they make certain assumptions and I realised that because the DEP handler would prevent them working in XP - they were NOT compiled at a time when any knowledge of DEP or ASLR on Windows was around. That's the whole point of DEP, isn't it? To stop programs executing code they shouldn't? I had to force an override for them network-wide but that was my choice, and no I did not specifically enable DEP myself, the Windows XP install decided to do that for me.

Is this version of QuickTime whitelisted? Are DEP and ASLR really that worthless that "old programs" compiled before they came along are allowed to do anything? Isn't this the fault of an administrator running an outdated program rather than anything to do with DEP, ASLR, Quicktime or anything else? What's Quicktime doing differently to every other old, insecure program out there that makes it more of a risk?

Seems like a complete red herring to me. Don't run old software. Don't run insecure software. Don't run programs that you haven't authorised yourself. And, apparently, don't rely on DEP or ASLR to actually DO anything.

Re:Hold on

[99BottlesOfBeerInMyF]

If a badly-written program can circumvent ASLR and DEP for itself, then aren't DEP and ASLR a bit useless?

In terms of preventing malware from running, no, they're an extra roadblock, but they are certainly not the hardest to overcome.

How does a badly-written, ancient program "bypass" such measures?

By linking the exploit to MS provided software included with Windows that does not use ASLR. From the article, "The gadgets come from Windows Live messenger dlls that are loaded by default on IE and have no ASLR flag,"

The Quicktime problem is that someone can get arbitrary code to try to execute on your box in the first place. That only happens because of the Quicktime flaw.

Are DEP and ASLR really that worthless that "old programs" compiled before they came along are allowed to do anything?

This isn't about old programs. This is the current version of Quicktime. This is about old code in the current version. Code that should never have shipped in the first place. But, until DEP and ASLR are applied to everything that is on a huge number of boxes and/or application level sandboxing or access control becomes robust DEP and ASLR are not very effective.

What's Quicktime doing differently to every other old, insecure program out there that makes it more of a risk?

The Quicktime part of this exploit isn't all that unusual. It's just run of the mill except for being the result of programmers' backdoor shortcut code that should never have gone out in the production release. The bypassing of ASLR in this case, was more interesting to me.

Re:Quick!

[Vectormatic]

it is a critical vulnerability fix, two minutes to late

Re:what the hell is quicktime!

[TheRaven64]

If you've got a Mac, you almost certainly do use QuickTime. You may not use the QuickTime Player front-end, but a lot of other Mac apps use the underlying frameworks for media playback. Any time a Cocoa app goes beep, it's using the NSSound object (maybe wrapped in the NSBeep() function), and NSSound uses QuickTime for audio decoding. iTunes uses it for playing back music, Safari uses it for video and audio, iMovie uses it for playback and encoding, and so on. Unless you boot into single-user mode and then bring the machine up without launching the window server, odds are that you use QuickTime regularly.

Re:Every time Steve Jobs says something about Flas

[NJRoadfan]

I hate that stupid plug-in, and if it didn't lock up, it made most MIDI files sound like crap. I have a real MIDI synth to play back those files, but Quicktime thinks it isn't good enough.

Re:it'll probably be a while till this one's fixed

[initdeep]

you fail to see how a color grading system would need an a/v decoder?

iPad name

[rsborg]

iPad (damn that is the WORST name, I still can't believe Steve came up with that.>

You do realize that Steve Jobs was going to call the original iMac the MacMan? Yeah. MacMan. Business technologist extraordinare he is, but he's really not good at names.

Re:Quick!

[TangoMargarine]

it is a critical vulnerability fix, two minutes too late

Homonym irony?

Thanks, Apple.

[Ant+P.]

Thapple.

Huh?

[MadGeek007]

What I don't get is how a flaw in a 3rd party app can be used to bypass the protections at the OS level. Clearly the real problem is deeper than QuickTime.

Ummm, question?

[multimediavt]

FTFA:

The gadgets come from Windows Live messenger dlls that are loaded by default on IE and have no ASLR flag.

Wouldn't that be an IE bug at this point that QuickTime is exploiting, not so much a QuickTime bug? I'm not apologizing for Apple not cleaning up their code after they removed a feature (RTFA!), but seems like MS is just as much to blame for this one with the WindowsLive DLL being loaded by default and having no security on it.

Just saying ... if you RTFA and don't just bash QT all day.

YA ALL MISSING IT!!

[stilesalaska]

Am I missing something here? Apple bashing? Hm seems to the that other programs had this too. Like VLC!! They fixed their program! IT is just not Quick Time! It is so funny reading these post and boy Are there some people here that DON'T READ! JUST BASH! Old version of VLC would be able to do the same thing And Open Office!!! Just sounds like A MS problem not just a Quick Time, Vlc, Openoffice etc...

Re:YA ALL MISSING IT!!

[clone53421]

Hm seems to the that other programs had this too. Like VLC!!

Nice FUD... neither of TFAs mentioned VLC or VideoLan player. I checked.

So, citation needed.

Re:YA ALL MISSING IT!!

[stilesalaska]

Hm You misunderstand Me......... A surprisingly large number of popular applications — including Quicktime, Foxit Reader, Google Picasa, OpenOffice.org, RealPlayer, and VLC Player — all neglect to use one or the other, a recent review by Secunia found. I was talking About --->the exploit underscores the threat that comes from programs that fail to use the ASLR and DEP protections baked into more recent versions of Windows VLC Fixed Their program! (I CHECKED!) FUD NOT JUST pointing out The FACTS! I just need to Be clear! I was not in that post! And FUD is the last thing My post says JUST BASHING LIKE YOU DO! Hmm Go figure! !! http://www.theregister.co.uk/2010/08/30/apple_quicktime_critical_vuln/ It is foolish and wrong to assume! And explain what FUD I was slinging!? None!

Re:YA ALL MISSING IT!!

[stilesalaska]

Just for the record I do Use XP (work) SUSE LINUX (home) I will try to make my comments, more clear! I did not last time! I hate FUD I hate OS war's! Only a few post the facts. The way I see it, is it a problem for EVERYONE! Not just one OS. No no FUD! I was just not clear on my post!

Re:YA ALL MISSING IT!!

[clone53421]

A surprisingly large number of popular applications — including Quicktime, Foxit Reader, Google Picasa, OpenOffice.org, RealPlayer, and VLC Player — all neglect to use one or the other, a recent review by Secunia found.

Guess what? I don’t CARE. Bulletproof code doesn’t need DEP/ASLR, and shitty code (as we’ve seen) can manage to use DEP/ASLR and still be exploitable.

DEP is not a mandatory security feature. It is an opt-in feature to help avoid buffer underrun. As buffer underrun is always caused by badly-written code in the first place, DEP is a feature by which lousy programmers can try to protect themselves from their own lousy code.

If you want to produce a quality, stable, well-written application (such as VLC) and you opt-out of DEP for portions of it or all of it, more power to you.

If you want to produce a shitty, unstable, slow, bloated exploitable piece of crap (such as QuickTime or RealPlayer), more power to you too – but I’ll be using VLC and SMPlayer.

Re:YA ALL MISSING IT!!

[clone53421]

Just for the record, your excessive use of ALL CAPS and exclamation points!! does not benefit the argument that your posts are not FUD.

Re:what the hell is quicktime!

[cbhacking]

The unfortunate thing is that if you've got an iAnything, you probably use Quicktime too. iTunes, as you mentioned, uses Qt, but Qt also silently installs a browser plug-in (the attack vector used in the article) that takes over not just video playback but even things like image rendering.