New QuickTime Flaw Bypasses ASLR, DEP
Trailrunner7 writes "A Spanish security researcher has discovered a new vulnerability in Apple's QuickTime software that can be used to bypass both ASLR and DEP on current versions of Windows and give an attacker control of a remote PC. The flaw apparently results from a parameter from an older version of QuickTime that was left in the code by mistake. It was discovered by Ruben Santamarta of Wintercore, who said the vulnerability can be exploited remotely via a malicious Web site. On a machine running Internet Explorer on Windows 7, Vista or XP with QuickTime 7.x or 6.x installed, the problem can be exploited by using a heap-spraying technique. In his explanation of the details of the vulnerability and the exploit for it, Santamarta said he believes the parameter at the heart of the problem simply was not cleared out of older versions of the QuickTime code. 'The QuickTime plugin is widely installed and exploitable through IE; ASLR and DEP are not effective in this case and we will likely see this in the wild,' said HD Moore, founder of the Metasploit Project."
Closed source. .....
Apple's evil.
Wait.
Microsoft's evil.
Wait.
It's Google.
No. Apple.
No. Microsoft.
Damn you evil closed source! You have me so confused as to whom to hate.
Considering that QuickTime is a core component of iTunes, if you own an iPhone, iPod or iPad, it's fairly hard to avoid QuickTime and still get full advantage of your device.
bonzi buddy was pretty widely installed too.
Snowden and Manning are heroes.
This boils down to doing a heap spraying attack, and those are in the general class of exploits that ASLR (and to a lesser extent, DEP) are designed to prevent. However, it's fairly well-known at this point that ASLR can be defeated (sometimes) by well-crafted heap-spraying attacks. (Likewise, DEP can be defeated by stack-smashing using return-oriented programming.)
Or free software when you've already paid.
http://michaelsmith.id.au
More to the point, this attack uses ROP (which, as you say, defeats DEP) but it does it using bits of code, called "gadgets", that are part of a library which is loaded without ASLR. Even though the browser itself is using ASLR, some of its libraries will be loaded at known locations, which is what makes this attack work. That's not exactly defeating ASLR so much as it is taking advantage of the fact that it isn't universally used yet, kind of like the way some legacy programs aren't DEP-compatible.
For the time being, ASLR is only opt-in; if a library doesn't mark itself as ASLR-compatible, the loader will put it at its preferred base address. Or at least, it will try to. The fact is that dynamically linked libraries can never guarantee that their preferred address range is available, and therefore should never assume that they are at a given location in memory. In fact, most of them don't... but they still don't have the opt-in flag, either because they're old or because the developer didn't set it. I wonder how hard it would be to simply *force* ASLR by telling each library, as it loads, that its preferred address is simply unavailable and it's going to be stuck someplace else...
There's no place I could be, since I've found Serenity...
Another outstanding reason to avoid shiny geegaws from an evil company.
To be fair, the flaw is almost a first for QuickTime, an ancient product line predating iProducts, back when "multimedia" came in big letters on all home computers and all videos on the web were MPEG or MOV downloads. What is so bad is how we sleep on our laurels and wake up to find that we falsely associated safety with it because QT ran on a little targeted OS before it was ported to Windows...
IIRC, Apple isn't the number one seller of smartphones nor MP3 players, or distributor of Windows Multimedia readers. Yet it's generating enough attention to get exploited. Even if you and I don't own recent apple products, we have been falling in a parallel situation and taking it for granted again: all those free Google clients downloaded over the years have become a juicy target. All we need is someone to find a weak spot.
Scratch that! All we need is an unlikely "someone" among that small group who will PUBLISH the weak spot of that juicy target. All the others just exploit it for months without us being the wiser.
The problem is nobody uses Quicktime for actually playing media files (BTW on Windows I'd prefer Kantaris as it has the VLC core but a MUCH nicer UI IMHO) anymore but like Safari Windows users get stuck with it if they want to use their iStuff.
That is why I've told customers unless they want a really shitty experience if they want to play with iStuff they better be ready to shell out for a Mac. The Windows version has always been completely shitty, the red headed stepchild of Apple. Sure it'll work, but it is buggier, slower, and generally more crappy in every way than the native Mac version. Personally I'll stick with my Sandisk and if I wanted all the bling bling I'd get a Cowon and since funnily enough I prefer my phone to just make phone calls and actually like typing on a keyboard I don't think I'm in any danger of getting an iPhone or iPad (damn that is the WORST name, I still can't believe Steve came up with that.)
ACs don't waste your time replying, your posts are never seen by me.
IMO QuickTime causes Windows to slow down and also likes to install background services. The QuickTime Alternative is just far less bloated and seems to work just as well. Also you aren't forced to use the QuickTime player, it just behaves like any other normal video codec.
# cat
Damn, my RAM is full of cats. MEOW!!
If you've got a Mac, you almost certainly do use QuickTime. You may not use the QuickTime Player front-end, but a lot of other Mac apps use the underlying frameworks for media playback. Any time a Cocoa app goes beep, it's using the NSSound object (maybe wrapped in the NSBeep() function), and NSSound uses QuickTime for audio decoding. iTunes uses it for playing back music, Safari uses it for video and audio, iMovie uses it for playback and encoding, and so on. Unless you boot into single-user mode and then bring the machine up without launching the window server, odds are that you use QuickTime regularly.
I am TheRaven on Soylent News
You make it sound like pairing the device is hard, but it's a simple wizard that takes about 10-15 seconds to run. It then needs to run once and that's it. Any time your phone is in the same room as the phone, you can sync just by hitting the 'sync now' button. No need to find the cable or connect it.
I used to own an iPod, so I'm familiar with using iTunes for syncing. I plugged my iPod into my computer occasionally, but it was always a hassle. In contrast, the phone that I had at the time was always sync'd because I could initiate the sync while I was at my computer but my phone was still in my coat pocket hanging up.
If I take a picture with my phone, I can select it and say 'send via bluetooth' on the phone, select my computer, and it appears on my computer. Again, no need for a cable, no need for a full sync. It's as easy as sending an MMS, as long as the computer is in the same room as the phone.
Before the iPhone was launched and Apple decided to cripple every other device because the iPhone couldn't keep up, I got an on-screen notification whenever someone dialed my phone and I could send SMS and dial the phone from within Address Book. I can't do that with recent versions of OS X without a third-party app, because the iPhone can't do any of it and Apple didn't want their phone to look quite as bad as it is.
I am TheRaven on Soylent News