
Unpatched QuickTime Vulnerability Exploited




MacRumors
Dec 4, 2007, 08:31 AM

A recent vulnerability in Apple's QuickTime software is reportedly being successfully exploited on the internet, according to security research vendor Symantec.

The vulnerability (http://www.symantec.com/business/security_response/vulnerability.jsp?bid=26560) affects recent versions of QuickTime, including 7.2 and 7.3, and remains unpatched by Apple. The vulnerability lies in improper handling of RTSP headers, which can lead to a buffer overflow through which an attacker can execute their own code. Symantec rates the vulnerability as "High" criticality.

Now, Symantec reports (via Macworld (http://www.macworld.com/news/2007/12/03/quicktimeflaw/index.php)) that the vulnerability is being exploited in the wild. Both known exploits involve redirection from the intended web page to a server that uses the vulnerability to load code onto the victim's machine.

Initially, the attacks appear to be loading Windows executables; however, Symantec warns that the vulnerability affects both Windows and Mac operating systems.

Symantec suggests the following for mitigating risk until a patch is released:

To protect systems from attack, Symantec recommended blocking access to affected sites. “Filter outgoing access to 85.255.117.212, 85.255.117.213, 216.255.183.59, 69.50.190.135, 58.65.238.116, and 208.113.154.34. Additionally 2005-search.com, 1800-search.com, search-biz.org, and ourvoyeur.net should be filtered,” it said, adding IT managers can also block outgoing TCP access to port 554.

Symantec also suggests that as a last step, users and IT managers consider uninstalling QuickTime until a patch is released.

Article Link (http://www.macrumors.com/2007/12/04/unpatched-quicktime-vulnerability-exploited/)



eme jota ce
Dec 4, 2007, 08:40 AM
yikes!

This is the type of security vulnerability that I find most threatening b/c there's no "Are you sure you want to open this App." final warning.

Anyone know if the executable code needs to load into an Admin user's account or any old account?

Pressure
Dec 4, 2007, 08:47 AM
Symantec also suggests that as a last step, users and IT managers consider uninstalling QuickTime until a patch is released.


Pardon my language but this is hysterical and outrageously funny!

I can't wait to see the next Windows exploit in action and this:

Symantec also suggests that as a last step, users and IT managers consider uninstalling Windows until a patch is released.

Fotek2001
Dec 4, 2007, 09:00 AM
Isn't Leopard's library memory randomization supposed to make buffer overflow attacks like this impossible?

Brian Green
Dec 4, 2007, 09:05 AM
Isn't Leopard's library memory randomization supposed to make buffer overflow attacks like this impossible?


I was just thinking the same thing. Leopard was supposed to have killed the buffer overflow possibility. Hopefully someone with knowledge about this Leopard feature will be able to shed some light on this for us.

My gut feeling says this is BS.

eastcoastsurfer
Dec 4, 2007, 09:11 AM
I was just thinking the same thing. Leopard was supposed to have killed the buffer overflow possibility. Hopefully someone with knowledge about this Leopard feature will be able to shed some light on this for us.

My gut feeling says this is BS.

Nothing in security is foolproof. A friend of mine was at a security conference a few weeks ago and people were giving presentations and demonstrating ways around address randomization.

morespce54
Dec 4, 2007, 09:20 AM
...Symantec also suggests that as a last step, users and IT managers consider uninstalling QuickTime until a patch is released.

sure... and how are we supposed to do that? :eek::rolleyes:

Data
Dec 4, 2007, 09:20 AM
Well, I don't know how bad it actually is, but I sure hope Apple addresses this problem ASAP.

840quadra
Dec 4, 2007, 09:23 AM
Ah yes.

Symantec is now working its way into the pocketbooks of Macintosh users. I will just use VLC and disable QuickTime for the time being, though I don't go to sites or download videos from untrusted sources anyway.

As always, your best defense against these things is some good old common sense!

sososowhat
Dec 4, 2007, 09:24 AM
I know nothing about whether buffer overflow is impossible in Leopard, but if that's not the case would this be the very first time a real, exploited vulnerability has been in the wild for OS X?

ChoMomma
Dec 4, 2007, 09:25 AM
I believe it also said that:


Initially, the attacks appear to be loading Windows executables, however Symantec warns that the vulnerability affects both Windows and Mac operating systems.


So is it true that if it did load a Mac OS "executable" it would run without Admin permission?

Small White Car
Dec 4, 2007, 09:28 AM
I believe it also said that:

So is it true that if it did load a Mac OS "executable" it would run without Admin permission?

No. This is still mostly a Windows problem.

Mac users should, of course, continue to be careful. Also, it's still very bad news for Apple...putting out insecure Windows software sure doesn't make them look good. Why should potential switchers think Macs are safer if the Apple software on their current PC isn't safe?

notjustjay
Dec 4, 2007, 09:34 AM
I was gonna say, even though it is a vulnerability in Apple software, it is at least only targeting (so far) Windows binaries.

At least, knowing Apple, they will hopefully have a patch released quite quickly.

nbs2
Dec 4, 2007, 09:38 AM
Pardon my language but this is hysterical and outrageously funny!

I can't wait to see the next Windows exploit in action and this:

Symantec also suggests that as a last step, users and IT managers consider uninstalling Windows until a patch is released.

Why is it so funny? I don't think there are many businesses that need QT available on user machines for work to get done. If the exploit spreads or adapts, the current solutions may become ineffective. I would think that, if viable and as serious as SYMN makes it sound (of course, when you wait 10 days to make notice you have to wonder how serious it can be), it would be very responsible for most IT managers to lock down something as minor as QT until this can get sorted out.

I know nothing about whether buffer overflow is impossible in Leopard, but if that's not the case would this be the very first time a real, exploited vulnerability has been in the wild for OS X?

I can't remember if that old Leopard pics deal was an exploit - it's so far removed from my memory, that it's just a haze. But I wouldn't call this an OS X exploit yet. From what it sounds like, the situation could feed the "marketshare" defense, with OS X being overlooked for some reason (marketshare still too low?), as only Windows is actually being affected.

vassillios
Dec 4, 2007, 09:39 AM
I was gonna say, even though it is a vulnerability in Apple software, it is at least only targeting (so far) Windows binaries.

At least, knowing Apple, they will hopefully have a patch released quite quickly.

did you miss this:

"however Symantec warns that the vulnerability affects both Windows and Mac operating systems."

Small White Car
Dec 4, 2007, 09:42 AM
did you miss this:

"however Symantec warns that the vulnerability affects both Windows and Mac operating systems."

He didn't miss it. The point is that the Windows hole is being used to put Windows programs onto people's machines.

The Mac hole is being used for...well, nothing yet.

Once that changes, it's Mac problem. Until it does, it's not. (Of course, the flaw in and of itself is a problem...I've said that already. The point is that Windows users have an ACTUAL problem where Mac users have a potential problem. They're both bad, but one is worse than the other.)

brentg33
Dec 4, 2007, 09:45 AM
Hey,
I was just reading on this site about the security hole in QuickTime. I was wondering what exactly to look for to know whether or not you have been infected, now that the story indicates it's "in the wild". Would something like ClamXav be able to pick this up, and if so, what files would you need to scan?

thanks, (sorry to all for being so nervous)
brent

Small White Car
Dec 4, 2007, 09:52 AM
Hey,
I was just reading on this site about the security hole in QuickTime. I was wondering what exactly to look for to know whether or not you have been infected, now that the story indicates it's "in the wild". Would something like ClamXav be able to pick this up, and if so, what files would you need to scan?

thanks, (sorry to all for being so nervous)
brent

I don't know about scanning for past infections, but the safest thing to do right now is just not use Quicktime until Apple puts out an update for it.

That's not advice everyone can follow, I know, but if you can do it, go for it.

John A
Dec 4, 2007, 10:04 AM
Looks like there is no exploit in the wild for the Mac side yet, but that's just a matter of time at this point. CERT has a page with lots of info about this as well.

More info here: http://macsecure.com/2007/12/04/quicktime-vulnerability-rtsp-headers/

shawnce
Dec 4, 2007, 10:20 AM
Looks like there is no exploit in the wild for the Mac side yet, but that's just a matter of time at this point. CERT has a page with lots of info about this as well.

More info here: http://macsecure.com/2007/12/04/quicktime-vulnerability-rtsp-headers/

Humm, a newbie posting a link to a site about an exploit that can take place if a site is malicious. ;)

Think I will pass for the moment.

Snowy_River
Dec 4, 2007, 10:58 AM
ZDNet reported on this. According to their report, the actual exploit that exists in the wild is rated as "Very Low Risk". So, it seems that this is nothing to get overly hyped about.

The one thing that I do see this as is a wake up call to Apple. This vulnerability has been present through several updates to QT. Maybe now we'll see a patch for it? One can only hope...

notjustjay
Dec 4, 2007, 11:03 AM
He didn't miss it. The point is that the Windows hole is being used to put Windows programs onto people's machines.

The Mac hole is being used for...well, nothing yet.

Thank you, yes, that's what I meant. I think we're still taking advantage of the relatively low mind- and market-share... given an equal opportunity to target an exploit, people still go for the Windows one because of the higher potential for damage/publicity. It's almost like the malware writers don't want to hurt us :)

I've seen this a lot... there's always a new Windows vulnerability that is exposed and made public because the latest virus exploited it and thousands of people or companies are damaged. It's all over the news, people get paranoid, damage control happens.

While the Apple vulnerabilities tend to be discovered, illustrated with a single proof-of-concept, Apple engineers go "oopsies!" and fix it, and that's that, life goes on. Nobody gets hurt.

This may change, but so far the outlook is pretty good.

nagromme
Dec 4, 2007, 11:08 AM
Hypothetically, if at some point this exploit affects Macs in addition to Windows, would Leopard's new firewall settings have a role in blocking it?

IJ Reilly
Dec 4, 2007, 11:19 AM
A technical question: Symantec recommends blocking access to a number of IP addresses and domains. Assuming someone wanted to do this on their Mac or network, how would it be accomplished?

inkswamp
Dec 4, 2007, 11:20 AM
Isn't Leopard's library memory randomization supposed to make buffer overflow attacks like this impossible?

Difficult but not impossible. I'm no expert on the topic of memory randomization, but the way I understand it, then yes, it makes this kind of vulnerability very difficult to exploit.

For those of you who don't understand it, think of it this way. Imagine the memory of your computer like a map of your hometown. Some vandal wants to change some of the street names to mess with your map. In order for him to do that, he needs to know the exact longitude and latitude of those streets. It's easy for him because he can buy a map of your hometown and get that same information. What Leopard does is chops that map up into little squares and randomly arranges your map, but is also smart enough to know how to continue reading it like normal. Nobody is able to buy a map arranged exactly like that so nobody can get the exact information they need to vandalize your map. It doesn't mean they can't. They just can't quite zero in on exact targets anymore.

That's not a perfect analogy, but you get the idea.

HyperZboy
Dec 4, 2007, 11:43 AM
Apple should fix this, but for Mac users, as usual there is no need to panic.

Since this is .EXE files, there is once again NOTHING out in the wild and there is no virus currently affecting Macs.

Sure, the exploit is there, but we've been through these virus software seller proof of concept things for Macs for years now and almost nothing has ever seen the light of day. And it probably won't ever here either.

Now back to the normal Mac FUD from Symantec...


[False panic attack over]
[Sleeping happily once again] :D

nacengineer
Dec 4, 2007, 11:52 AM
To block that port on your firewall? I mean I doubt the average user even uses RTSP!?

twoodcc
Dec 4, 2007, 12:20 PM
This does sound kinda bad. I'm sure Apple is working on it though.

jettredmont
Dec 4, 2007, 12:41 PM
Pardon my language but this is hysterical and outrageously funny!

I can't wait to see the next Windows exploit in action and this:

Symantec also suggests that as a last step, users and IT managers consider uninstalling Windows until a patch is released.

Well, I'm assuming that Symantec's advice is primarily aimed at Windows customers, who form their largest and most loyal user base. For Windows users, Quicktime is just another way of watching video, which is decidedly non-work-related for most Windows IT shops (I mean, if it was work-related, they'd be running Macs anyway, right?)

For us Mac users, we can take temporary solace in the fact that the exploits all target Windows (so far), and take measures to cripple, rather than remove, QuickTime (i.e., shut off the port using our built-in firewall). Also, the memory remapping schemes of both Vista and Leopard make this vector of attack less likely to work on those operating systems, so if you're on the bleeding edge of the OS wars, bully for you.

jettredmont
Dec 4, 2007, 12:46 PM
Humm a newbie posting a link to a site about a exploit that can take place if a site is malicious. ;)

Think I will pass for the moment.

The non-blog-spamming link is:

http://www.kb.cert.org/vuls/id/659761

That's "cert.org" ... which I believe is quite trustable :)

FX120
Dec 4, 2007, 01:28 PM
Good thing I've refused to install Quicktime on any of my Windows machines.

Analog Kid
Dec 4, 2007, 01:38 PM
So is it true that if it did load a Mac OS "executable" it would run without Admin permission?
I believe Safari runs with the permissions of the user who launched it, and therefore the embedded QuickTime would also run with those permissions. If you're an admin, any code that jumped the buffer would be admin.

Makes me wonder if it would actually make more sense if Safari ran under its own user... Similarly, does anyone know how the "sandboxing" is supposed to work in Leopard?
A technical question: Symantec recommends blocking access to a number of IP addresses and domains. Assuming someone wanted to do this on their Mac or network, how would it be accomplished?
Little Snitch is one way: it blocks outgoing connections, while the firewall blocks incoming. I just added the addresses to my filter list (not that it's those addresses I need to worry about, but it's a start). I've also told it to request permission before allowing QuickTime to connect to port 554.

Analog Kid
Dec 4, 2007, 02:13 PM
Apple should fix this, but for Mac users, as usual there is no need to panic.

Now back to the normal Mac FUD from Symantec...

[False panic attack over]
[Sleeping happily once again] :D
Panic? No... But we should be aware of it and protect against it. Complacency is just as bad as panic, and anyone being complacent potentially hurts all of us.
To block that port on your firewall? I mean I doubt the average user even uses RTSP!?
Real Time Streaming Protocol. This is the streaming video protocol.

Anyone know if it's possible for a site to set up so QT starts streaming without someone hitting "play"?

notjustjay
Dec 4, 2007, 02:32 PM
For those of you who don't understand it, think of it this way.

I would use food as an example. Think of a plate as a "buffer" on which you place food which you are going to eat. If you have a 12" wide plate, then you can safely put down a foot long sub. If you try to put a 16" sub down, it's going to hang over the edge. If someone else's plate is right beside yours (it's a crowded table), then some of your food is going to overflow onto their plate.

Most waiters are smart and will double-check the plate size is big enough for the food they're about to put down, but the occasional one forgets. If a hacker wishes to poison someone at the table, he only needs to arrange to sit beside them, and order a specially-prepared piece of poisoned food that intentionally overhangs onto the victim's plate.

Memory randomization is akin to randomly changing the seating order at the table. It's harder to poison your victim if you don't know exactly where he's going to sit.

Dang, now I'm hungry.

Crager724
Dec 4, 2007, 03:45 PM
I'm wondering, I noticed 3 new .exe files on my desktop today and just drug them into the trash. Do I need to do anything more?

Templex
Dec 4, 2007, 04:27 PM
Wow, this seems like the first somewhat serious exploit.
If, on the Mac side, you still need some sort of user confirmation, then it's not that bad.

cohibadad
Dec 4, 2007, 04:57 PM
I don't know about scanning for past infections, but the safest thing to do right now is just not use Quicktime until Apple puts out an update for it.

That's not advice everyone can follow, I know, but if you can do it, go for it.

I think I'll live on the edge and keep using Quicktime. I'm just that crazy.

123
Dec 4, 2007, 05:20 PM
A technical question: Symantec recommends blocking access to a number of IP addresses and domains. Assuming someone wanted to do this on their Mac or network, how would it be accomplished?


To protect systems from attack, Symantec recommended blocking access to affected sites. “Filter outgoing access to 85.255.117.212, 85.255.117.213, 216.255.183.59, 69.50.190.135, 58.65.238.116, and 208.113.154.34.

sudo ipfw add 100 deny ip from any to 85.255.117.212,85.255.117.213,216.255.183.59,69.50.190.135,58.65.238.116,208.113.154.34

(undo command: sudo ipfw delete 100)
(to see what rules are active: sudo ipfw list <= do this before adding a rule to prevent something else being overwritten)
(learn more: man ipfw)


Additionally 2005-search.com, 1800-search.com, search-biz.org, and ourvoyeur.net should be filtered,” it said,

Currently, these domains resolve to the IPs blocked above. If you think that they will point to different IPs in the future, add the following lines to /etc/hosts
>>
127.0.0.1 2005-search.com
127.0.0.1 1800-search.com
127.0.0.1 search-biz.org
127.0.0.1 ourvoyeur.net
>>
to redirect all requests to the local host.


adding IT managers can also block outgoing TCP access to port 554.

sudo ipfw add 101 deny tcp from any to any 554 out

(disables TCP RTSP)
(undo command: sudo ipfw delete 101)

dariusperkins
Dec 4, 2007, 07:06 PM
I would use food as an example. Think of a plate as a "buffer" on which you place food which you are going to eat. If you have a 12" wide plate, then you can safely put down a foot long sub. If you try to put a 16" sub down, it's going to hang over the edge. If someone else's plate is right beside yours (it's a crowded table), then some of your food is going to overflow onto their plate.

Most waiters are smart and will double-check the plate size is big enough for the food they're about to put down, but the occasional one forgets. If a hacker wishes to poison someone at the table, he only needs to arrange to sit beside them, and order a specially-prepared piece of poisoned food that intentionally overhangs onto the victim's plate.

Memory randomization is akin to randomly changing the seating order at the table. It's harder to poison your victim if you don't know exactly where he's going to sit.

Dang, now I'm hungry.

best restaurant analogy ever man.

nagromme
Dec 4, 2007, 08:04 PM
Talk more about the sub sandwiches--I like that :) Maybe french fries too? Maybe the french fries can be security researchers or something? And can we have pie?

Wow, this seems like the first somewhat serious exploit.

There have been exploits on QT for Windows before, I'm pretty sure. And there have been security FLAWS (non-exploited, later patched) under OS X many times. All software has bugs.

At the moment, this is not the first Mac exploit because it's a Windows-only exploit. But we should be aware that until a patch arrives, something similar might be doable in OS X.

MagnusVonMagnum
Dec 4, 2007, 09:29 PM
I'm amazed how so many people just dismiss it as a big deal kind of thing. My reaction is that this hole has been known for some time now and given it's just a header issue, the real question is why didn't Apple patch Quicktime immediately instead of sitting on their butts and waiting for someone to exploit a known security hole? It would take them, what, all of 10 minutes to patch Quicktime and avoid the bad publicity that comes along with such things? Thumbs down to Apple on dropping the ball on this one.

joelovesapple
Dec 5, 2007, 10:08 AM
I tend not to use QT as a rule, only with iTunes, as iTunes relies on it to function. However, recently I created a separate Admin account and a managed guest account and also a user account for me, to run as a Standard User. This means that a password is required whenever I have to install something, right, so am I to worry if such a thing did occur?

My Mac is also stealthed (running Leopard) Firewalled, behind a NAT router which is firewalled and stealthed so I'm keeping my fingers crossed. Also I like to make sure I have the most secure browser settings available...

Someone convince me please?:apple:

Heb1228
Dec 5, 2007, 11:16 AM
My mother-in-law called me yesterday telling me that 'Firefox had taken over her computer and caused it to go to some strange website.' I'm wondering if this could be related somehow. I tried taking a look at her iMac using iChat's screen sharing but couldn't get very far... it's cloudy and she uses satellite internet. I just noticed she had version 2.0.6 of Firefox and not 2.0.11. But nothing else sent up any alarm bells. Strange.

John Musbach
Dec 6, 2007, 12:50 AM
A recent vulnerability in Apple's QuickTime software is reportedly being successfully exploited on the internet, according to security research vendor Symantec.

The vulnerability (http://www.symantec.com/business/security_response/vulnerability.jsp?bid=26560) affects recent versions of QuickTime, including 7.2 and 7.3, and remains unpatched by Apple. The vulnerability lies in improper handling of RTSP headers which can lead to a buffer overflow where an attacker can execute their own code. Symantec rates the vulnerability as "High" criticality.

Now, Symantec reports (via Macworld (http://www.macworld.com/news/2007/12/03/quicktimeflaw/index.php)) that the vulnerability is being exploited in the wild. Both known exploits involve redirection from the intended web page to a server that uses the vulnerability to load code onto the victim's machine.

Initially, the attacks appear to be loading Windows executables, however Symantec warns that the vulnerability affects both Windows and Mac operating systems.

Symantec suggests the following for mitigating risk until a patch is released:
Symantec also suggests that as a last step, users and IT managers consider uninstalling QuickTime until a patch is released.

Article Link (http://www.macrumors.com/2007/12/04/unpatched-quicktime-vulnerability-exploited/)

While this is a little scary, I don't believe there currently is much to worry about at this time. While hackers may indeed take advantage of this exploit, they most likely will only develop exploits that affect the Windows side of things, since Windows exploit tools are easily purchased, more people are skilled at Windows development rather than Mac development, and Windows continues to have the most market share. So... I wouldn't worry just yet; however, that doesn't mean that Apple should just do nothing. Apple definitely should still act on this and release a patch for this issue as soon as possible, if not for the Mac side of things then for the poor Windows folks who may fall victim to these exploits.

John A
Dec 6, 2007, 06:45 AM
sudo ipfw add 100 deny ip from any to 85.255.117.212,85.255.117.213,216.255.183.59,69.50.190.135,58.65.238.116,208.113.154.34

(undo command: sudo ipfw delete 100)
(to see what rules are active: sudo ipfw list <= do this before adding a rule to prevent something else being overwritten)
(learn more: man ipfw)




I went about it the same way, but I just find it easier to understand when I see it laid out this way:

01000 0 0 deny tcp from me to not me dst-port 554 out
01100 0 0 deny tcp from me to 85.255.117.212 out
01200 0 0 deny tcp from me to 85.255.117.213 out
01300 0 0 deny tcp from me to 216.255.183.59 out
01400 0 0 deny tcp from me to 69.50.190.135 out
01500 0 0 deny tcp from me to 58.65.238.116 out
01600 0 0 deny tcp from me to 208.113.154.34 out
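An added dry-run script (not posted by anyone in this thread) that ties together 123's ipfw commands and John A's one-rule-per-address layout: it picks rule numbers that are not already present in an `ipfw list` dump, so an existing rule is never shadowed, and it checks the /etc/hosts entries against Symantec's domain list so a misspelt name is caught. The `ipfw list` dump, the hosts file content and the starting rule number 20000 are constructed for illustration; the addresses, domains and port 554 are the ones quoted above.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster or from Apple.
# It only prints the ipfw commands it would run; review them, then run them with sudo.

# Constructed stand-in for the output of `sudo ipfw list` on a Mac with some rules.
SAMPLE_IPFW_LIST='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
12190 deny tcp from any to any
20000 allow tcp from me to any dst-port 80 out
65535 allow ip from any to any'

# Addresses and domains from the Symantec advisory quoted in the first post.
BLOCK_IPS="85.255.117.212 85.255.117.213 216.255.183.59 69.50.190.135 58.65.238.116 208.113.154.34"
BLOCK_DOMAINS="2005-search.com 1800-search.com search-biz.org ourvoyeur.net"

# Constructed /etc/hosts content that reproduces the typo in the thread (search-biz.org.com).
SAMPLE_HOSTS='127.0.0.1 localhost
127.0.0.1 2005-search.com
127.0.0.1 1800-search.com
127.0.0.1 search-biz.org.com
127.0.0.1 ourvoyeur.net'

# rule_in_use NUMBER LIST_OUTPUT: succeed if a rule with that number already exists.
# ipfw prints numbers zero-padded ("00100"), so compare numerically.
rule_in_use() {
    printf '%s\n' "$2" | awk -v n="$1" '$1 + 0 == n + 0 { found = 1 } END { exit !found }'
}

# first_free_rule START LIST_OUTPUT: print the first rule number >= START not in use.
first_free_rule() {
    n=$1
    while rule_in_use "$n" "$2"; do n=$((n + 1)); done
    echo "$n"
}

# gen_rules START LIST_OUTPUT: print one outgoing deny per address (John A's layout)
# plus the port 554 rule, each on its own unused rule number.
gen_rules() {
    n=$(first_free_rule "$1" "$2")
    for ip in $BLOCK_IPS; do
        echo "ipfw add $n deny tcp from me to $ip out"
        n=$(first_free_rule $((n + 1)) "$2")
    done
    echo "ipfw add $n deny tcp from me to not me dst-port 554 out"
}

# missing_hosts_entries HOSTS_TEXT: print every domain from BLOCK_DOMAINS that has no
# exact "127.0.0.1 <domain>" line, so a misspelt entry shows up as missing.
missing_hosts_entries() {
    for d in $BLOCK_DOMAINS; do
        printf '%s\n' "$1" \
            | awk -v d="$d" '$1 == "127.0.0.1" && $2 == d { found = 1 } END { exit !found }' \
            || echo "$d"
    done
}

if [ "${1:-}" = "--demo" ]; then
    gen_rules 20000 "$SAMPLE_IPFW_LIST"
    echo "hosts entries still missing: $(missing_hosts_entries "$SAMPLE_HOSTS" | tr '\n' ' ')"
fi
```

On a real machine replace SAMPLE_IPFW_LIST with `$(sudo ipfw list)` and SAMPLE_HOSTS with `$(cat /etc/hosts)`; the ipfw commands printed can then be run with sudo and later removed with `sudo ipfw delete <number>`.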

BagelTycoon
Dec 17, 2007, 02:04 PM
WTF - the upgrade kills prior versions of Paid Quicktime 7 Pro.

Why should I have to pay twice for QT Pro when the necessity of the upgrade is 1) Apple's fault; and 2) I've already paid for and been using a flawed version?

:mad: