Old Dec 4, 2007, 09:31 AM   #1
MacRumors
macrumors bot
 
Join Date: Apr 2001
Unpatched QuickTime Vulnerability Exploited



A recent vulnerability in Apple's QuickTime software is reportedly being successfully exploited on the internet, according to security research vendor Symantec.

The vulnerability affects recent versions of QuickTime, including 7.2 and 7.3, and remains unpatched by Apple. The vulnerability lies in improper handling of RTSP headers which can lead to a buffer overflow where an attacker can execute their own code. Symantec rates the vulnerability as "High" criticality.

Now, Symantec reports (via Macworld) that the vulnerability is being exploited in the wild. Both known exploits involve redirection from the intended web page to a server that uses the vulnerability to load code onto the victim's machine.

Initially, the attacks appear to be loading Windows executables; however, Symantec warns that the vulnerability affects both Windows and Mac operating systems.

Symantec suggests the following for mitigating risk until a patch is released:

Quote:
To protect systems from attack, Symantec recommended blocking access to affected sites. “Filter outgoing access to 85.255.117.212, 85.255.117.213, 216.255.183.59, 69.50.190.135, 58.65.238.116, and 208.113.154.34. Additionally 2005-search.com, 1800-search.com, search-biz.org, and ourvoyeur.net should be filtered,” it said, adding IT managers can also block outgoing TCP access to port 554.
Symantec also suggests that as a last step, users and IT managers consider uninstalling QuickTime until a patch is released.

MacRumors is offline   Reply With Quote
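
One way to check egress logs against the filter list Symantec gives above, as an added example that is not part of the original post or of Symantec's advisory. The log format (time, source IP, destination IP, destination port, host name) and the sample lines are constructed for illustration; only the listed addresses, domains and port 554 come from the post.

```python
import ipaddress

# Indicators quoted in the Symantec advice above.
BLOCKED_IPS = {ipaddress.ip_address(a) for a in (
    "85.255.117.212", "85.255.117.213", "216.255.183.59",
    "69.50.190.135", "58.65.238.116", "208.113.154.34")}
BLOCKED_DOMAINS = ("2005-search.com", "1800-search.com",
                   "search-biz.org", "ourvoyeur.net")
RTSP_PORT = 554  # outgoing TCP port the advice says can be blocked

def host_is_blocked(host):
    """True if host is a listed domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)

def classify(line):
    """Reasons a line matches; assumed format: time src dst_ip dst_port host."""
    fields = line.split()
    if len(fields) != 5:
        return ["unparseable"]
    _, _, dst_ip, dst_port, host = fields
    reasons = []
    try:
        if ipaddress.ip_address(dst_ip) in BLOCKED_IPS:
            reasons.append("listed-ip")
        if int(dst_port) == RTSP_PORT:
            reasons.append("rtsp-port")
    except ValueError:
        return ["unparseable"]
    if host_is_blocked(host):
        reasons.append("listed-domain")
    return reasons

# Constructed sample log lines (not real traffic); "-" means no host name.
SAMPLE_LOG = """\
2007-12-04T09:12:01 192.0.2.10 198.51.100.7 80 www.example.com
2007-12-04T09:12:05 192.0.2.10 85.255.117.212 80 -
2007-12-04T09:12:09 192.0.2.11 203.0.113.9 554 media.example.net
2007-12-04T09:13:40 192.0.2.12 203.0.113.20 80 WWW.Search-Biz.org.
2007-12-04T09:14:02 192.0.2.12 203.0.113.21 80 notsearch-biz.org
"""

def scan(log_text):
    """Map 1-based line number -> reasons, for matching lines only."""
    found = ((n, classify(l)) for n, l in enumerate(log_text.splitlines(), 1))
    return {n: r for n, r in found if r}

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A hit on port 554 alone only shows that RTSP traffic left the network, so it is a prompt to look at the destination rather than evidence of compromise.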
Old Dec 4, 2007, 09:40 AM   #2
eme jota ce
macrumors regular
 
Join Date: Jul 2005
Location: Chicago
yikes!

This is the type of security vulnerability that I find most threatening b/c there's no "Are you sure you want to open this App." final warning.

Anyone know if the executable code needs to load into an Admin user's account or any old account?
eme jota ce is offline   Reply With Quote
Old Dec 4, 2007, 09:47 AM   #3
Pressure
macrumors 68020
 
Join Date: May 2006
Location: Denmark
Quote:
Originally Posted by Macrumors View Post
Symantec also suggests that as a last step, users and IT managers consider uninstalling QuickTime until a patch is released.
Pardon my language but this is hysterical and outrageously funny!

I can't wait to see the next Windows exploit in action and this;

Symantec also suggests that as a last step, users and IT managers consider uninstalling Windows until a patch is released.
__________________
Never Argue With An idiot. They'll Lower You To Their Level And Then Beat You With Experience!
Pressure is offline   Reply With Quote
Old Dec 4, 2007, 10:00 AM   #4
Fotek2001
macrumors member
 
Join Date: Jun 2005
Location: London, England
Isn't Leopard's library memory randomization supposed to make buffer overflow attacks like this impossible?
Fotek2001 is offline   Reply With Quote
Old Dec 4, 2007, 10:05 AM   #5
Brian Green
macrumors newbie
 
Join Date: Mar 2003
Location: Seattle, WA
Quote:
Originally Posted by Fotek2001 View Post
Isn't Leopard's library memory randomization supposed to make buffer overflow attacks like this impossible?

I was just thinking the same thing. Leopard was supposed to have killed the buffer overflow possibility. Hopefully someone with knowledge about this Leopard feature will be able to shed some light on this for us.

My gut feeling says this is BS.
__________________
Memories come not in complete, but rather in a myriad of frames and fragments brought together in experience - BG
Brian Green is offline   Reply With Quote
Old Dec 4, 2007, 10:11 AM   #6
eastcoastsurfer
macrumors 6502
 
Join Date: Feb 2007
Quote:
Originally Posted by Brian Green View Post
I was just thinking the same thing. Leopard was supposed to have killed the buffer overflow possibility. Hopefully someone with knowledge about this Leopard feature will be able to shed some light on this for us.

My gut feeling says this is BS.
Nothing in security is foolproof. A friend of mine was at a security conference a few weeks ago and people were giving presentations and demonstrating ways around address randomization.
eastcoastsurfer is offline   Reply With Quote
Old Dec 4, 2007, 10:20 AM   #7
Data
macrumors 6502
 
Join Date: Dec 2006
Well, I don't know how bad it actually is, but I sure hope Apple addresses this problem ASAP.
Data is offline   Reply With Quote
Old Dec 4, 2007, 12:20 PM   #8
inkswamp
macrumors 65816
 
Join Date: Jan 2003
Quote:
Originally Posted by Fotek2001 View Post
Isn't Leopard's library memory randomization supposed to make buffer overflow attacks like this impossible?
Difficult but not impossible. I'm no expert on the topic of memory randomization, but the way I understand it, then yes, it makes this kind of vulnerability very difficult to exploit.

For those of you who don't understand it, think of it this way. Imagine the memory of your computer like a map of your hometown. Some vandal wants to change some of the street names to mess with your map. In order for him to do that, he needs to know the exact longitude and latitude of those streets. It's easy for him because he can buy a map of your hometown and get that same information. What Leopard does is chops that map up into little squares and randomly arranges your map, but is also smart enough to know how to continue reading it like normal. Nobody is able to buy a map arranged exactly like that so nobody can get the exact information they need to vandalize your map. It doesn't mean they can't. They just can't quite zero in on exact targets anymore.

That's not a perfect analogy, but you get the idea.
inkswamp is offline   Reply With Quote
Old Dec 4, 2007, 12:52 PM   #9
nacengineer
macrumors member
 
Join Date: Dec 2006
Location: San Francisco, CA, USA
Wouldn't the easiest thing be...

To block that port on your firewall? I mean I doubt the average user even uses RTSP!?
nacengineer is offline   Reply With Quote
Old Dec 4, 2007, 01:20 PM   #10
twoodcc
macrumors 603
 
Join Date: Feb 2005
Location: Right side of wrong
This does sound kinda bad. I'm sure Apple is working on it though.
__________________
tville pump
Smarter than the average bear
twoodcc is offline   Reply With Quote
Old Dec 4, 2007, 03:32 PM   #11
notjustjay
macrumors 68030
 
Join Date: Sep 2003
Location: Canada, eh?
Quote:
Originally Posted by inkswamp View Post
For those of you who don't understand it, think of it this way.
I would use food as an example. Think of a plate as a "buffer" on which you place food which you are going to eat. If you have a 12" wide plate, then you can safely put down a foot long sub. If you try to put a 16" sub down, it's going to hang over the edge. If someone else's plate is right beside yours (it's a crowded table), then some of your food is going to overflow onto their plate.

Most waiters are smart and will double-check the plate size is big enough for the food they're about to put down, but the occasional one forgets. If a hacker wishes to poison someone at the table, he only needs to arrange to sit beside them, and order a specially-prepared piece of poisoned food that intentionally overhangs onto the victim's plate.

Memory randomization is akin to randomly changing the seating order at the table. It's harder to poison your victim if you don't know exactly where he's going to sit.

Dang, now I'm hungry.
__________________
MRoogle
notjustjay is offline   Reply With Quote
Old Dec 4, 2007, 04:45 PM   #12
Crager724
macrumors member
 
Join Date: Aug 2005
Location: God's Country
I'm wondering, I noticed 3 new .exe files on my desktop today and just dragged them into the trash. Do I need to do anything more?
__________________
So broccoli, mother says your good me, well I'm afraid I'm not good for you.
Crager724 is offline   Reply With Quote
Old Dec 4, 2007, 08:06 PM   #13
dariusperkins
macrumors newbie
 
Join Date: Sep 2007
Quote:
Originally Posted by notjustjay View Post
I would use food as an example. Think of a plate as a "buffer" on which you place food which you are going to eat. If you have a 12" wide plate, then you can safely put down a foot long sub. If you try to put a 16" sub down, it's going to hang over the edge. If someone else's plate is right beside yours (it's a crowded table), then some of your food is going to overflow onto their plate.

Most waiters are smart and will double-check the plate size is big enough for the food they're about to put down, but the occasional one forgets. If a hacker wishes to poison someone at the table, he only needs to arrange to sit beside them, and order a specially-prepared piece of poisoned food that intentionally overhangs onto the victim's plate.

Memory randomization is akin to randomly changing the seating order at the table. It's harder to poison your victim if you don't know exactly where he's going to sit.

Dang, now I'm hungry.
best restaurant analogy ever man.
dariusperkins is offline   Reply With Quote
Old Dec 4, 2007, 05:27 PM   #14
Templex
macrumors regular
 
Join Date: Jul 2007
Location: Los Angeles, CA
Wow, this seems like the first somewhat serious exploit.
If, on the Mac side, you still need some sort of user confirmation, then it's not that bad, then.
__________________
Mid-2007 MacBook Pro
iPhone (Original)
iPhone 3GS
Templex is offline   Reply With Quote
Old Dec 4, 2007, 09:04 PM   #15
nagromme
macrumors 601
 
Join Date: May 2002
Location: Blinking blue dot
Talk more about the sub sandwiches--I like that. Maybe french fries too? Maybe the french fries can be security researchers or something? And can we have pie?

Quote:
Originally Posted by Templex View Post
Wow, this seems like the first somewhat serious exploit.
There have been exploits on QT for Windows before, I'm pretty sure. And there have been security FLAWS (non-exploited, later patched) under OS X many times. All software has bugs.

At the moment, this is not the first Mac exploit because it's a Windows-only exploit. But we should be aware that until a patch arrives, something similar might be doable in OS X.
__________________
nagromme
Would you like a treatment?
nagromme is offline   Reply With Quote
Old Dec 4, 2007, 01:41 PM   #16
jettredmont
macrumors 68000
 
Join Date: Jul 2002
Quote:
Originally Posted by Pressure View Post
Pardon my language but this is hysterical and outrageously funny!

I can't wait to see the next Windows exploit in action and this;

Symantec also suggests that as a last step, users and IT managers consider uninstalling Windows until a patch is released.
Well, I'm assuming that Symantec's advice is primarily aimed at Windows customers, who form their largest and most loyal user base. For Windows users, Quicktime is just another way of watching video, which is decidedly non-work-related for most Windows IT shops (I mean, if it was work-related, they'd be running Macs anyway, right?)

For us Mac users, we can take temporary solace in the fact that the exploits all target Windows (so far), and take measures to cripple, rather than remove, Quicktime (ie, shut off the port using our built-in firewall). Also, the memory remapping schemes of both Vista and Leopard make this vector of attack less likely to work on those operating systems, so if you're on the bleeding edge of the OS wars, bully for you.
jettredmont is offline   Reply With Quote
Old Dec 4, 2007, 10:20 AM   #17
morespce54
macrumors 6502a
 
Join Date: Apr 2004
Location: Around the World
Quote:
Originally Posted by Macrumors View Post
...Symantec also suggests that as a last step, users and IT managers consider uninstalling QuickTime until a patch is released.
Sure... and how are we supposed to do that?
__________________
..:.::.:.:.::..:.: Oh, I get it. It's very clever :.:.::.:.:.::.:..:.::..:.::.:..:.::.:.::.:.::..
DO NOT OPERATE YOUR COMPUTER UNDER THE INFLUENCE!
morespce54 is offline   Reply With Quote
Old Dec 4, 2007, 10:45 AM   #18
brentg33
macrumors 6502
 
Join Date: Mar 2007
Hey,
I was just reading on this site about the security hole in QuickTime. I was wondering what exactly to look for to know whether or not you have been infected, now that the story indicates it's "in the wild". Would something like ClamXav be able to pick this up, and if so, what files would you need to scan?

thanks, (sorry to all for being so nervous)
brent
brentg33 is offline   Reply With Quote
Old Dec 4, 2007, 10:52 AM   #19
Small White Car
macrumors 68040
 
Join Date: Aug 2006
Location: Washington DC
Quote:
Originally Posted by brentg33 View Post
Hey,
I was just reading on this site about the security hole in QuickTime. I was wondering what exactly to look for to know whether or not you have been infected, now that the story indicates it's "in the wild". Would something like ClamXav be able to pick this up, and if so, what files would you need to scan?

thanks, (sorry to all for being so nervous)
brent
I don't know about scanning for past infections, but the safest thing to do right now is just not use Quicktime until Apple puts out an update for it.

That's not advice everyone can follow, I know, but if you can do it, go for it.
Small White Car is offline   Reply With Quote
Old Dec 4, 2007, 05:57 PM   #20
cohibadad
macrumors 6502a
 
Join Date: Jul 2007
Quote:
Originally Posted by Small White Car View Post
I don't know about scanning for past infections, but the safest thing to do right now is just not use Quicktime until Apple puts out an update for it.

That's not advice everyone can follow, I know, but if you can do it, go for it.
I think I'll live on the edge and keep using Quicktime. I'm just that crazy.
cohibadad is offline   Reply With Quote
Old Dec 4, 2007, 11:04 AM   #21
John A
macrumors member
 
Join Date: Mar 2007
Looks like there is no exploit in the wild for the Mac side yet, but that's just a matter of time at this point. CERT has a page with lots of info about this as well.

More info here: http://macsecure.com/2007/12/04/quic...-rtsp-headers/
John A is offline   Reply With Quote
Old Dec 4, 2007, 11:20 AM   #22
shawnce
macrumors 65816
 
Join Date: Jun 2004
Quote:
Originally Posted by John A View Post
Looks like there is no exploit in the wild for the Mac side yet, but that's just a matter of time at this point. CERT has a page with lots of info about this as well.

More info here: http://macsecure.com/2007/12/04/quicktime-vulnerability-rtsp-headers/
Humm a newbie posting a link to a site about an exploit that can take place if a site is malicious.

Think I will pass for the moment.
__________________
Steve Balmers the CEO of Microsoft... Dance Monkey, Developers!, The remix, The ad
shawnce is offline   Reply With Quote
Old Dec 4, 2007, 11:58 AM   #23
Snowy_River
macrumors 68000
 
Join Date: Jul 2002
Location: Corvallis, OR
ZDNet reported on this. According to their report, the actual exploit that exists in the wild is rated as "Very Low Risk". So, it seems that this is nothing to get overly hyped about.

The one thing that I do see this as is a wake up call to Apple. This vulnerability has been present through several updates to QT. Maybe now we'll see a patch for it? One can only hope...
Snowy_River is offline   Reply With Quote
Old Dec 4, 2007, 12:08 PM   #24
nagromme
macrumors 601
 
Join Date: May 2002
Location: Blinking blue dot
Hypothetically, if at some point this exploit affects Macs in addition to Windows, would Leopard's new firewall settings have a role in blocking it?
__________________
nagromme
Would you like a treatment?
nagromme is offline   Reply With Quote
Old Dec 4, 2007, 01:46 PM   #25
jettredmont
macrumors 68000
 
Join Date: Jul 2002
Quote:
Originally Posted by shawnce View Post
Humm a newbie posting a link to a site about an exploit that can take place if a site is malicious.

Think I will pass for the moment.
The non-blog-spamming link is:

http://www.kb.cert.org/vuls/id/659761

That's "cert.org" ... which I believe is quite trustable
jettredmont is offline   Reply With Quote

Reply

Mac Forums > News and Article Discussion > MacRumors.com News Discussion

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT -5. The time now is 08:00 PM.

Copyright 2002-2009, MacRumors.com, LLC