Slashdot Mirror


New QuickTime Flaw Bypasses ASLR, DEP

Trailrunner7 writes "A Spanish security researcher has discovered a new vulnerability in Apple's QuickTime software that can be used to bypass both ASLR and DEP on current versions of Windows and give an attacker control of a remote PC. The flaw apparently results from a parameter from an older version of QuickTime that was left in the code by mistake. It was discovered by Ruben Santamarta of Wintercore, who said the vulnerability can be exploited remotely via a malicious Web site. On a machine running Internet Explorer on Windows 7, Vista or XP with QuickTime 7.x or 6.x installed, the problem can be exploited by using a heap-spraying technique. In his explanation of the details of the vulnerability and the exploit for it, Santamarta said he believes the parameter at the heart of the problem simply was not cleared out of older versions of the QuickTime code. 'The QuickTime plugin is widely installed and exploitable through IE; ASLR and DEP are not effective in this case and we will likely see this in the wild,' said HD Moore, founder of the Metasploit Project."

29 of 162 comments

  1. Re:ew quicktime? by Anonymous Coward · · Score: 4, Funny

    Closed source.
    Apple's evil.
    Wait.
    Microsoft's evil.
    Wait.
    It's Google.
    No. Apple.
    No. Microsoft.
    Damn you evil closed source! You have me so confused as to who to hate .....

  2. Re:ew quicktime? by jonwil · · Score: 4, Informative

    Considering that QuickTime is a core component of iTunes, if you own an iPhone, iPod or iPad, it's fairly hard to avoid QuickTime and still get full advantage of your device.

  3. Itunes requires quicktime by rsborg · · Score: 2, Informative

    I'd say it's almost as widely installed as Adobe Reader. Here's a guesstimate answer as to how many copies there are (numbers are old)

    --
    Make sure everyone's vote counts: Verified Voting
    1. Re:Itunes requires quicktime by Lehk228 · · Score: 4, Insightful

      bonzi buddy was pretty widely installed too.

      --
      Snowden and Manning are heroes.
  4. Re:Well duh. by blueg3 · · Score: 4, Interesting

    This boils down to doing a heap spraying attack, and those are in the general class of exploits that ASLR (and to a lesser extent, DEP) are designed to prevent. However, it's fairly well-known at this point that ASLR can be defeated (sometimes) by well-crafted heap-spraying attacks. (Likewise, DEP can be defeated by stack-smashing using return-oriented programming.)

  5. Re:Quick! by MichaelSmith · · Score: 3, Funny

    Or free software when you've already paid.

  6. Re:Well duh. by cbhacking · · Score: 5, Informative

    More to the point, this attack uses ROP (which, as you say, defeats DEP) but it does it using bits of code, called "gadgets", that are part of a library which is loaded without ASLR. Even though the browser itself is using ASLR, some of its libraries will be loaded at known locations, which is what makes this attack work. That's not exactly defeating ASLR so much as it is taking advantage of the fact that it isn't universally used yet, kind of like the way some legacy programs aren't DEP-compatible.

    For the time being, ASLR is only opt-in; if a library doesn't mark itself as ASLR-compatible, the loader will put it at its preferred base address. Or at least, it will try to. The fact is that dynamically linked libraries can never guarantee that their preferred address range is available, and therefore should never assume that they are at a given location in memory. In fact, most of them don't... but they still don't have the opt-in flag, either because they're old or because the developer didn't set it. I wonder how hard it would be to simply *force* ASLR by telling each library, as it loads, that its preferred address is simply unavailable and it's going to be stuck someplace else...

    --
    There's no place I could be, since I've found Serenity...
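A defender's check for the situation cbhacking describes above (and that 99BottlesOfBeerInMyF quotes from the article further down: gadgets taken from DLLs loaded in IE that "have no ASLR flag"): a library without the opt-in bit in its PE header is loaded at its preferred base. This is an added example, not code from the thread or the article; it parses the optional header's DllCharacteristics field and reports whether the DYNAMIC_BASE (ASLR) and NX_COMPAT (DEP) bits are set. The sample header bytes are constructed inline, and the function names are my own.

```python
import struct
import sys

# Bits in the PE optional header's DllCharacteristics field (PE/COFF spec).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be rebased: ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is DEP/NX compatible


def dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics value from a PE32 or PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                      # skip signature + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):              # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ layouts.
    return struct.unpack_from("<H", data, opt + 70)[0]


def mitigation_report(data: bytes) -> dict:
    """Report whether the image opts in to ASLR and DEP."""
    flags = dll_characteristics(data)
    return {
        "aslr": bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def build_minimal_pe(dll_chars: int) -> bytes:
    """Constructed sample: a bare PE32 header carrying only the flags under test."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 64)        # e_lfanew: PE header starts at 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, 0x2102)
    opt = bytearray(96)                          # PE32 optional header, no data dirs
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + coff + bytes(opt)


def audit_files(paths):
    """Yield (path, report) for real modules; aslr=False means a fixed load base."""
    for path in paths:
        with open(path, "rb") as fh:
            yield path, mitigation_report(fh.read())


if __name__ == "__main__":
    samples = {"hardened.dll": 0x0140, "legacy.dll": 0x0000}   # constructed inputs
    for name, chars in samples.items():
        print(name, mitigation_report(build_minimal_pe(chars)))
    for path, rep in audit_files(sys.argv[1:]):                 # optional: real DLLs
        print(path, rep)
```

Run it with the DLLs loaded into a browser process as arguments to list which ones still sit at a fixed base.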
  7. Re:ew quicktime? by Techman83 · · Score: 2, Interesting

    iTunes without QuickTime Get iTune Not necessarily. I don't own one, but a few of my friends have iDevices and the only way I'll support them is if they let me install itunes this way!

    --
    # cat /dev/mem | strings | grep -i cat
    Damn, my RAM is full of cats. MEOW!!
  8. Re:ew quicktime? by Idiomatick · · Score: 2, Informative

    MS is bad for OSS' ideals and goals most of the time.

    Apple is bad for OSS' ideals and goals. Also bad for nerd ideals and goals. And bad for computers in general. Seriously, iTunes in the past has acted like malware, same w/ quicktime.

    Google is actually good. BUT the potential for evil that they have is so incredibly huge that it would make anyone paranoid. So people keep their eyes on it.

  9. Re:ew quicktime? by profplump · · Score: 2, Insightful

    Is QuickTime really that bad? I understand the objection to "claim all file types", but that's true of all commercial A/V systems. Beyond that, is there anything in particular I should object to about QuickTime, or is it just random Apple hate?

  10. Re:ew quicktime? by vlueboy · · Score: 3, Interesting

    Another outstanding reason to avoid shiny geegaws from an evil company.

    To be fair, the flaw is almost a first for Quicktime -- an ancient product line predating iProducts, back when "multimedia" came in big letters on all home computers and all videos on the web were MPEG or MOV downloads. What is so bad is how we sleep in our laurels and wake up to find that we falsely associated safety with it because QT ran on a little targeted OS before it was ported to Windows...

    IIRC, Apple isn't the number one seller of smartphones nor MP3 players, or distributor of Windows Multimedia readers. Yet it's generating enough attention to get exploited. Even if you and I don't own recent apple products, we have been falling in a parallel situation and taking it for granted again: all those free Google clients downloaded over the years have become a juicy target. All we need is someone to find a weak spot.

    Scratch that! All we need is an unlikely "someone" among that small group who will PUBLISH the weak spot of that juicy target. All the others just exploit it for months without us being the wiser.

  11. Re:Quicktime Uninstalled by hairyfeet · · Score: 3, Informative

    The problem is nobody uses Quicktime for actually playing media files (BTW on Windows I'd prefer Kantaris as it has the VLC core but a MUCH nicer UI IMHO) anymore but like Safari Windows users get stuck with it if they want to use their iStuff.

    That is why I've told customers unless they want a really shitty experience if they want to play with iStuff they better be ready to shell out for a Mac. The Windows version has always been completely shitty, the red headed stepchild of Apple. Sure it'll work, but it is buggier, slower, and generally more crappy in every way than the native Mac version. Personally I'll stick with my Sandisk and if I wanted all the bling bling I'd get a Cowon and since funnily enough I prefer my phone to just make phone calls and actually like typing on a keyboard I don't think I'm in any danger of getting an iPhone or iPad (damn that is the WORST name, I still can't believe Steve came up with that.)

    --
    ACs don't waste your time replying, your posts are never seen by me.
  12. Re:ew quicktime? by Stupendoussteve · · Score: 2, Informative

    Good thing they're not running Windows or Internet Explorer.

    Victim prerequisites:

    * Internet Explorer.
    * XP,Vista,W7.
    * Apple Quicktime 7.x, 6.x ( 2004 versions are also vulnerable, older versions not checked )

  13. Re:ew quicktime? by Techman83 · · Score: 3, Informative

    IMO quicktime causes windows to slow down and also likes to install background services. The Quicktime Alternative is just far less bloated and seems to work just as well. Also you aren't forced to use the quicktime player, it just behaves like any other normal video codec.

    --
    # cat /dev/mem | strings | grep -i cat
    Damn, my RAM is full of cats. MEOW!!
  14. Hold on by ledow · · Score: 2, Interesting

    If a badly-written program can circumvent ASLR and DEP for itself, then aren't DEP and ASLR a bit useless? The point of them is to prevent data execution, and to randomise the address space. How does a badly-written, ancient program "bypass" such measures? I can understand such measures not being applied (e.g. because ASLR or DEP on really-old code would break it because it was written with certain assumptions) but what that then assumes is that some administrator or Microsoft programmer has chosen at some point to disable DEP and ASLR for those old programs (if they have DEP and ASLR enabled at all). And if the code wasn't compiled without some DEP/ASLR magic enabled, then is this really surprising? What's to stop any other program similarly avoiding DEP/ASLR, or anyone exploiting such programs?

    How is this a "Quicktime problem" when the code being attacked is years old, and yet the OS still lets it break basic security? Surely the problem is not the program, but the things that let it execute. Hell, I have used old Windows programs that refuse to work with DEP enabled because they make certain assumptions and I realised that because the DEP handler would prevent them working in XP - they were NOT compiled at a time when any knowledge of DEP or ASLR on Windows was around. That's the whole point of DEP, isn't it? To stop programs executing code they shouldn't? I had to force an override for them network-wide but that was my choice, and no I did not specifically enable DEP myself, the Windows XP install decided to do that for me.

    Is this version of QuickTime whitelisted? Are DEP and ASLR really that worthless that "old programs" compiled before they came along are allowed to do anything? Isn't this the fault of an administrator running an outdated program rather than anything to do with DEP, ASLR, Quicktime or anything else? What's Quicktime doing differently to every other old, insecure program out there that makes it more of a risk?

    Seems like a complete red herring to me. Don't run old software. Don't run insecure software. Don't run programs that you haven't authorised yourself. And, apparently, don't rely on DEP or ASLR to actually DO anything.

    1. Re:Hold on by 99BottlesOfBeerInMyF · · Score: 2, Insightful

      If a badly-written program can circumvent ASLR and DEP for itself, then aren't DEP and ASLR a bit useless?

      In terms of preventing malware from running, no, they're an extra roadblock, but they are certainly not the hardest to overcome.

      How does a badly-written, ancient program "bypass" such measures?

      By linking the exploit to MS provided software included with Windows that does not use ASLR. From the article, "The gadgets come from Windows Live messenger dlls that are loaded by default on IE and have no ASLR flag,"

      The Quicktime problem is that someone can get arbitrary code to try to execute on your box in the first place. That only happens because of the Quicktime flaw.

      Are DEP and ASLR really that worthless that "old programs" compiled before they came along are allowed to do anything?

      This isn't about old programs. This is the current version of Quicktime. This is about old code in the current version. Code that should never have shipped in the first place. But, until DEP and ASLR are applied to everything that is on a huge number of boxes and/or application level sandboxing or access control becomes robust DEP and ASLR are not very effective.

      What's Quicktime doing differently to every other old, insecure program out there that makes it more of a risk?

      The Quicktime part of this exploit isn't all that unusual. It's just run of the mill except for being the result of programmers' backdoor shortcut code that should never have gone out in the production release. The bypassing of ASLR in this case, was more interesting to me.

  15. Re:Full advantage? by TheRaven64 · · Score: 2, Interesting

    The thing I love about the iPhone is the lack of OS X integration. It works via iTunes, just like an iPod, meaning that you have to plug in a cable to sync. Meanwhile, almost every other phone (including my last four, two from Ericsson and two from Nokia), sync via bluetooth in iSync, so you just put them in the same room as the Mac and click on the 'sync now' button in the top-right of the menu bar. All of your calendars, contacts, and notes are sync'd. You can transfer photographs and other files by browsing the device in the Bluetooth File Transfer thing and dragging them to or from Finder windows, or you can send them via OBEX from the phone and have them appear automatically in a folder that you designate.

    It's almost like the iPhone team had never actually used a Mac.

    --
    I am TheRaven on Soylent News
  16. Re:what the hell is quicktime! by TheRaven64 · · Score: 3, Informative

    If you've got a Mac, you almost certainly do use QuickTime. You may not use the QuickTime Player front-end, but a lot of other Mac apps use the underlying frameworks for media playback. Any time a Cocoa app goes beep, it's using the NSSound object (maybe wrapped in the NSBeep() function), and NSSound uses QuickTime for audio decoding. iTunes uses it for playing back music, Safari uses it for video and audio, iMovie uses it for playback and encoding, and so on. Unless you boot into single-user mode and then bring the machine up without launching the window server, odds are that you use QuickTime regularly.

    --
    I am TheRaven on Soylent News
  17. Re:ew quicktime? by darkpixel2k · · Score: 2, Insightful

    I guess it's their shitty engineering that makes my computer so stable and operational.

    Yeah. Yesterday, I plugged a Mac laptop into a projector. Apparently the Mac needs to reboot after detecting new hardware or something--so it immediately rebooted without prompting, notifying, or even asking me to save. Apple is so awesomely user-friendly. That must be their engineering commitment to build a stable and operational computer.
    Anyways--while the mac was busy rebooting, I plugged my linux laptop in. It immediately started working.

    --
    There's no place like ::1 (I've completed my transition to IPv6)
  18. Re:ew quicktime? by DJRumpy · · Score: 2, Interesting

    Yes I do believe that the exposure in the PDF problem was Apple's fault due to a flaw in iOS. You might also recall (or maybe not given your response) that Apple closed that exposure (not Adobe).

    The owner of the exposure was clear, just as it is clear in this case. If ASLR and DEP fails to protect against such an exposure, they are flawed.

  19. Re:PS by clone53421 · · Score: 2, Informative

    Perhaps you should have quoted the next sentence:

    This time Backdoor != malicious code but a horrible trick a developer implemented during the development cycle.

    It’s still a backdoor, and it can still be maliciously exploited. It’s just that it was apparently not put there to intentionally be malicious.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  20. Re:ew quicktime? by Anonymous Coward · · Score: 2, Informative

    To be fair, the flaw is almost a first for Quicktime -- an ancient product line predating iProducts, back when "multimedia" came in big letters on all home computers and all videos on the web were MPEG or MOV downloads. What is so bad is how we sleep in our laurels and wake up to find that we falsely associated safety with it because QT ran on a little targeted OS before it was ported to Windows...

    What on earth are you talking about?

    http://secunia.com/advisories/product/5090/

  21. Re:Full advantage? by TheRaven64 · · Score: 3, Informative

    You make it sound like pairing the device is hard, but it's a simple wizard that takes about 10-15 seconds to run. It then needs to run once and that's it. Any time your phone is in the same room as the phone, you can sync just by hitting the 'sync now' button. No need to find the cable or connect it.

    I used to own an iPod, so I'm familiar with using iTunes for syncing. I plugged my iPod into my computer occasionally, but it was always a hassle. In contrast, the phone that I had at the time was always sync'd because I could initiate the sync while I was at my computer but my phone was still in my coat pocket hanging up.

    If I take a picture with my phone, I can select it and say 'send via bluetooth' on the phone, select my computer, and it appears on my computer. Again, no need for a cable, no need for a full sync. It's as easy as sending an MMS, as long as the computer is in the same room as the phone.

    Before the iPhone was launched and Apple decided to cripple every other device because the iPhone couldn't keep up, I got an on-screen notification whenever someone dialed my phone and I could send SMS and dial the phone from within Address Book. I can't do that with recent versions of OS X without a third-party app, because the iPhone can't do any of it and Apple didn't want their phone to look quite as bad as it is.

    --
    I am TheRaven on Soylent News
  22. Re:ew quicktime? by DJRumpy · · Score: 2, Informative

    So any application (including malware) that does not use ASLR or DEP gets a free pass vulnerability? You don't elect to use these things. They are a keystone of the OS Security, not some feature you 'opt into'.

  23. Re:ew quicktime? by lordDallan · · Score: 2, Interesting

    Anyone have facts to back this up? Not trying to jump down anyone's throat. Genuinely curious if this has been measured.

    Also curious if this exploit really only affects IE? If it doesn't affect FireFox doesn't that mean that IE is also part of the problem?

  24. Re:ew quicktime? by DJRumpy · · Score: 2, Insightful

    So by your reasoning, all hackers properly implement security features?

    Do you even know what ASLR and DEP are? They are not 'features' that an app uses. They are built into the OS. If the OS can be exploited to bypass these then the exposure lies in the OS.

    You seem to be missing the disconnect between what you're saying and reality. If bypassing OS security was as simple as 'not properly implementing the security features available', then hackers' jobs would be all too easy. They could simply opt out of using things like Virus Scan, Firewalls, Permissions, ASLR, or DEP.

  25. Ummm, question? by multimediavt · · Score: 2, Insightful

    FTFA:

    The gadgets come from Windows Live messenger dlls that are loaded by default on IE and have no ASLR flag.

    Wouldn't that be an IE bug at this point that QuickTime is exploiting, not so much a QuickTime bug? I'm not apologizing for Apple not cleaning up their code after they removed a feature (RTFA!), but seems like MS is just as much to blame for this one with the WindowsLive DLL being loaded by default and having no security on it.

    Just saying ... if you RTFA and don't just bash QT all day.

  26. Re:ew quicktime? by Techman83 · · Score: 2, Insightful

    My facts are my personal experiences over the years, so take that as a testimonial of some random Internet user. But for a better and more complete explanation the quicktime alternative was written for a reason and the facts stated here may go a long way to let you know why. I mean seriously, a picture viewer? Also, why on earth would I want a _Video Codec_ to install a system service for updating and another one for making quicktime load faster for that 1 time every six months I'll use it. Applications that behave in this manner are a personal pet hate of mine (I repackage applications for a living) and Apple are big culprits for doing this (they are not alone here, I'm looking at you Adobe).

    --
    # cat /dev/mem | strings | grep -i cat
    Damn, my RAM is full of cats. MEOW!!
  27. YA ALL MISSING IT!! by stilesalaska · · Score: 2, Insightful

    Am I missing something here? Apple bashing? Hm seems to the that other programs had this too. Like VLC!! They fixed their program! IT is just not Quick Time! It is so funny reading these post and boy Are there some people here that DON'T READ! JUST BASH! Old version of VLC would be able to do the same thing And Open Office!!! Just sounds like A MS problem not just a Quick Time, Vlc, Openoffice etc...