
Unpatched QuickTime Vulnerability Exploited

MacRumors

macrumors bot
Original poster
Apr 12, 2001
50,521
11,906

A recent vulnerability in Apple's QuickTime software is reportedly being successfully exploited on the internet, according to security research vendor Symantec.

The vulnerability affects recent versions of QuickTime, including 7.2 and 7.3, and remains unpatched by Apple. The vulnerability lies in improper handling of RTSP headers, which can lead to a buffer overflow where an attacker can execute their own code. Symantec rates the vulnerability as "High" criticality.

Now, Symantec reports (via Macworld) that the vulnerability is being exploited in the wild. Both known exploits involve redirection from the intended web page to a server that uses the vulnerability to load code onto the victim's machine.

Initially, the attacks appear to be loading Windows executables; however, Symantec warns that the vulnerability affects both Windows and Mac operating systems.

Symantec suggests the following for mitigating risk until a patch is released:

To protect systems from attack, Symantec recommended blocking access to affected sites. “Filter outgoing access to 85.255.117.212, 85.255.117.213, 216.255.183.59, 69.50.190.135, 58.65.238.116, and 208.113.154.34. Additionally 2005-search.com, 1800-search.com, search-biz.org, and ourvoyeur.net should be filtered,” it said, adding IT managers can also block outgoing TCP access to port 554.

Symantec also suggests that as a last step, users and IT managers consider uninstalling QuickTime until a patch is released.

Article Link
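An added example, not code from the article or from Apple's QuickTime source, showing the bug class the article describes: a hand-rolled RTSP response-header parser that copies a header value into a fixed-size field without checking its length, beside a bounded version that rejects over-long values. Which header QuickTime mishandles and what sits after the buffer in memory are assumptions here (the article says only that RTSP headers are handled improperly); the two sample responses are constructed, and the padded record with a canary after the field exists only so the overflow can be observed without crashing the program.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CT_MAX 32               /* assumed fixed-size field for the Content-Type value */
#define CANARY_INIT 0xDEADBEEFu

/* Parsed-header record. The canary and padding after content_type exist only so the
 * unbounded copy below can be observed safely; in a real client the bytes after the
 * field would be other locals or the saved return address, which is what makes the
 * overflow exploitable. */
struct rtsp_hdr {
    char     content_type[CT_MAX];
    uint32_t canary;
    char     padding[256];
};

/* Locate "Name: value" at the start of a line; return the value and its length
 * (up to CR/LF or end of string), or NULL if the header is absent. */
static const char *find_header(const char *resp, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *p = resp;
    while ((p = strstr(p, name)) != NULL) {
        if ((p == resp || p[-1] == '\n') && p[nlen] == ':') {
            const char *v = p + nlen + 1;
            while (*v == ' ' || *v == '\t') v++;
            const char *e = v;
            while (*e && *e != '\r' && *e != '\n') e++;
            *len = (size_t)(e - v);
            return v;
        }
        p += nlen;
    }
    return NULL;
}

/* Vulnerable: copies the whole value into the fixed field with no length check. */
int parse_content_type_unbounded(const char *resp, struct rtsp_hdr *h)
{
    size_t len;
    const char *v = find_header(resp, "Content-Type", &len);
    if (v == NULL) return -1;
    char *dst = h->content_type;
    for (size_t i = 0; i < len; i++)    /* i is never compared against CT_MAX */
        dst[i] = v[i];
    dst[len] = '\0';
    return 0;
}

/* Hardened: refuse values that do not fit, then copy with an explicit bound. */
int parse_content_type_bounded(const char *resp, struct rtsp_hdr *h)
{
    size_t len;
    const char *v = find_header(resp, "Content-Type", &len);
    if (v == NULL) return -1;
    if (len >= CT_MAX) return -2;       /* over-long header: reject rather than truncate */
    memcpy(h->content_type, v, len);
    h->content_type[len] = '\0';
    return 0;
}

/* Constructed sample responses (not captured from any real server). */
static const char benign_resp[] =
    "RTSP/1.0 200 OK\r\nCSeq: 2\r\nContent-Type: application/sdp\r\nContent-Length: 0\r\n\r\n";

/* Same shape, but with a 200-byte Content-Type value; still fits inside the padded record. */
static const char *hostile_resp(void)
{
    static char buf[320];
    char value[201];
    memset(value, 'A', 200);
    value[200] = '\0';
    snprintf(buf, sizeof buf,
             "RTSP/1.0 200 OK\r\nCSeq: 2\r\nContent-Type: %s\r\nContent-Length: 0\r\n\r\n", value);
    return buf;
}

static void fresh(struct rtsp_hdr *h) { memset(h, 0, sizeof *h); h->canary = CANARY_INIT; }

/* 1 if both parsers extract "application/sdp" from the benign response and leave the canary alone. */
int demo_benign_parses(void)
{
    struct rtsp_hdr a, b;
    fresh(&a); fresh(&b);
    return parse_content_type_unbounded(benign_resp, &a) == 0
        && parse_content_type_bounded(benign_resp, &b) == 0
        && strcmp(a.content_type, "application/sdp") == 0
        && strcmp(b.content_type, "application/sdp") == 0
        && a.canary == CANARY_INIT && b.canary == CANARY_INIT;
}

/* 1 if the unbounded parser overwrites the canary (the overflow happened; it now reads 0x41414141). */
int demo_unbounded_overflows(void)
{
    struct rtsp_hdr h;
    fresh(&h);
    parse_content_type_unbounded(hostile_resp(), &h);
    return h.canary != CANARY_INIT;
}

/* 1 if the bounded parser rejects the same input and leaves the canary intact. */
int demo_bounded_rejects(void)
{
    struct rtsp_hdr h;
    fresh(&h);
    return parse_content_type_bounded(hostile_resp(), &h) == -2 && h.canary == CANARY_INIT;
}
```

Any C99 compiler builds this. On the hostile response the unbounded parser leaves the canary reading 0x41414141, the same kind of attacker-controlled bytes that, in the real target, land on a saved return address; the bounded parser returns -2 and leaves the record untouched. The fix rejects the value rather than silently truncating it, because a truncated value can still change what later code does with the header.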
 

eme jota ce

macrumors regular
Jul 26, 2005
193
0
Chicago
yikes!

This is the type of security vulnerability that I find most threatening b/c there's no "Are you sure you want to open this App." final warning.

Anyone know if the executable code needs to load into an Admin user's account or any old account?
 

Pressure

macrumors 601
May 30, 2006
4,192
419
Denmark
Symantec also suggests that as a last step, users and IT managers consider uninstalling QuickTime until a patch is released.

Pardon my language but this is hysterical and outrageously funny!

I can't wait to see the next Windows exploit in action and this:

Symantec also suggests that as a last step, users and IT managers consider uninstalling Windows until a patch is released.
 

Brian Green

macrumors newbie
Mar 26, 2003
2
0
Seattle, WA
Isn't Leopard's library memory randomization supposed to make buffer overflow attacks like this impossible?


I was just thinking the same thing. Leopard was supposed to have killed the buffer overflow possibility. Hopefully someone with knowledge about this Leopard feature will be able to shed some light on this for us.

My gut feeling says this is BS.
 

eastcoastsurfer

macrumors 6502a
Feb 15, 2007
600
27
I was just thinking the same thing. Leopard was supposed to have killed the buffer overflow possibility. Hopefully someone with knowledge about this Leopard feature will be able to shed some light on this for us.

My gut feeling says this is BS.

Nothing in security is foolproof. A friend of mine was at a security conference a few weeks ago and people were giving presentations and demonstrating ways around address randomization.
 

Data

macrumors 6502
Dec 20, 2006
389
11
Well, I don't know how bad it actually is, but I sure hope Apple addresses this problem ASAP.
 

840quadra

Moderator
Staff member
Feb 1, 2005
8,204
3,493
Twin Cities Minnesota
Ah yes.

Symantec is now working its way into the pocketbooks of Macintosh users. I will just use VLC and disable QuickTime for the time being, though I don't go to sites or download videos from untrusted sources anyway.

As always, your best defense against these things is some good old common sense!
 

sososowhat

macrumors 6502
Feb 20, 2003
285
39
Palo Alto, CA
I know nothing about whether buffer overflow is impossible in Leopard, but if that's not the case would this be the very first time a real, exploited vulnerability has been in the wild for OS X?
 

Small White Car

macrumors G4
Aug 29, 2006
10,925
1,235
Washington DC
I believe it also said that:

So is it true that if it did load a Mac OS "executable" it would run without Admin permission?

No. This is still mostly a Windows problem.

Mac users should, of course, continue to be careful. Also, it's still very bad news for Apple...putting out insecure Windows software sure doesn't make them look good. Why should potential switchers think Macs are safer if the Apple software on their current PC isn't safe?
 

notjustjay

macrumors 603
Sep 19, 2003
6,054
162
Canada, eh?
I was gonna say, even though it is a vulnerability in Apple software, it is at least only targeting (so far) Windows binaries.

At least, knowing Apple, they will hopefully have a patch released quite quickly.
 

nbs2

macrumors 68030
Mar 31, 2004
2,719
491
A geographical oddity
Pardon my language but this is hysterical and outrageously funny!

I can't wait to see the next Windows exploit in action and this:

Symantec also suggests that as a last step, users and IT managers consider uninstalling Windows until a patch is released.

Why is it so funny? I don't think there are many businesses that need QT available on user machines for work to get done. If the exploit spreads or adapts, the current solutions may become ineffective. I would think that, if viable and as serious as SYMN makes it sound (of course, when you wait 10 days to give notice you have to wonder how serious it can be), it would be very responsible for most IT managers to lock down something as minor as QT until this can get sorted out.

I know nothing about whether buffer overflow is impossible in Leopard, but if that's not the case would this be the very first time a real, exploited vulnerability has been in the wild for OS X?

I can't remember if that old Leopard pics deal was an exploit - it's so far removed from my memory, that it's just a haze. But I wouldn't call this an OS X exploit yet. From what it sounds like, the situation could feed the "marketshare" defense, with OS X being overlooked for some reason (marketshare still too low?), as only Windows is actually being affected.
 

vassillios

macrumors 6502
Feb 1, 2005
340
0
Virginia
I was gonna say, even though it is a vulnerability in Apple software, it is at least only targeting (so far) Windows binaries.

At least, knowing Apple, they will hopefully have a patch released quite quickly.

did you miss this:

"however Symantec warns that the vulnerability affects both Windows and Mac operating systems."
 

Small White Car

macrumors G4
Aug 29, 2006
10,925
1,235
Washington DC
did you miss this:

"however Symantec warns that the vulnerability affects both Windows and Mac operating systems."

He didn't miss it. The point is that the Windows hole is being used to put Windows programs onto people's machines.

The Mac hole is being used for...well, nothing yet.

Once that changes, it's Mac problem. Until it does, it's not. (Of course, the flaw in and of itself is a problem...I've said that already. The point is that Windows users have an ACTUAL problem where Mac users have a potential problem. They're both bad, but one is worse than the other.)
 

brentg33

macrumors 6502a
Mar 5, 2007
553
0
Hey,
I was just reading on this site about the security hole in QuickTime. I was wondering what exactly to look for to know whether or not you have been infected, now that the story indicates it's "in the wild". Would something like ClamXav be able to pick this up, and if so, what files would you need to scan?

thanks, (sorry to all for being so nervous)
brent
 

Small White Car

macrumors G4
Aug 29, 2006
10,925
1,235
Washington DC
Hey,
I was just reading on this site about the security hole in QuickTime. I was wondering what exactly to look for to know whether or not you have been infected, now that the story indicates it's "in the wild". Would something like ClamXav be able to pick this up, and if so, what files would you need to scan?

thanks, (sorry to all for being so nervous)
brent

I don't know about scanning for past infections, but the safest thing to do right now is just not use Quicktime until Apple puts out an update for it.

That's not advice everyone can follow, I know, but if you can do it, go for it.
 

Snowy_River

macrumors 68030
Jul 17, 2002
2,519
0
Corvallis, OR
ZDNet reported on this. According to their report, the actual exploit that exists in the wild is rated as "Very Low Risk". So, it seems that this is nothing to get overly hyped about.

The one thing that I do see this as is a wake up call to Apple. This vulnerability has been present through several updates to QT. Maybe now we'll see a patch for it? One can only hope...
 

notjustjay

macrumors 603
Sep 19, 2003
6,054
162
Canada, eh?
He didn't miss it. The point is that the Windows hole is being used to put Windows programs onto people's machines.

The Mac hole is being used for...well, nothing yet.

Thank you, yes, that's what I meant. I think we're still taking advantage of the relatively low mind- and market-share... given an equal opportunity to target an exploit, people still go for the Windows one because of the higher potential for damage/publicity. It's almost like the malware writers don't want to hurt us :)

I've seen this a lot... there's always a new Windows vulnerability that is exposed and made public because the latest virus exploited it and thousands of people or companies are damaged. It's all over the news, people get paranoid, damage control happens.

While the Apple vulnerabilities tend to be discovered, illustrated with a single proof-of-concept, Apple engineers go "oopsies!" and fix it, and that's that, life goes on. Nobody gets hurt.

This may change, but so far the outlook is pretty good.
 

nagromme

macrumors G5
May 2, 2002
12,546
1,196
Hypothetically, if at some point this exploit affects Macs in addition to Windows, would Leopard's new firewall settings have a role in blocking it?
 

IJ Reilly

macrumors P6
Jul 16, 2002
17,889
1,478
Palookaville
A technical question: Symantec recommends blocking access to a number of IP addresses and domains. Assuming someone wanted to do this on their Mac or network, how would it be accomplished?
 

inkswamp

macrumors 68030
Jan 26, 2003
2,762
846
Isn't Leopard's library memory randomization supposed to make buffer overflow attacks like this impossible?

Difficult but not impossible. I'm no expert on the topic of memory randomization, but the way I understand it, then yes, it makes this kind of vulnerability very difficult to exploit.

For those of you who don't understand it, think of it this way. Imagine the memory of your computer like a map of your hometown. Some vandal wants to change some of the street names to mess with your map. In order for him to do that, he needs to know the exact longitude and latitude of those streets. It's easy for him because he can buy a map of your hometown and get that same information. What Leopard does is chops that map up into little squares and randomly arranges your map, but is also smart enough to know how to continue reading it like normal. Nobody is able to buy a map arranged exactly like that so nobody can get the exact information they need to vandalize your map. It doesn't mean they can't. They just can't quite zero in on exact targets anymore.

That's not a perfect analogy, but you get the idea.
 