Unpatched QuickTime Vulnerability Exploited

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Dec 4, 2007.

  1. HyperZboy macrumors 65816

    Joined:
    Feb 7, 2007
    #26
    Apple should fix this, but for Mac users, as usual there is no need to panic.

    Since these are .EXE files, there is once again NOTHING out in the wild and there is no virus currently affecting Macs.

    Sure, the exploit is there, but we've been through these virus software seller proof of concept things for Macs for years now and almost nothing has ever seen the light of day. And it probably won't ever here either.

    Now back to the normal Mac FUD from Symantec...


    [False panic attack over]
    [Sleeping happily once again] :D
     
  2. nacengineer macrumors member

    Joined:
    Dec 26, 2006
    Location:
    San Francisco, CA, USA
    #27
    Wouldn't the easiest thing be...

    To block that port on your firewall? I mean I doubt the average user even uses RTSP!?
     
  3. twoodcc macrumors P6

    twoodcc

    Joined:
    Feb 3, 2005
    Location:
    Right side of wrong
    #28
    This does sound kinda bad. I'm sure Apple is working on it though.
     
  4. jettredmont macrumors 68030

    Joined:
    Jul 25, 2002
    #29
    Well, I'm assuming that Symantec's advice is primarily aimed at Windows customers, who form their largest and most loyal user base. For Windows users, Quicktime is just another way of watching video, which is decidedly non-work-related for most Windows IT shops (I mean, if it was work-related, they'd be running Macs anyway, right?)

    For us Mac users, we can take temporary solace in the fact that the exploits all target Windows (so far), and take measures to cripple, rather than remove, Quicktime (i.e., shut off the port using our built-in firewall). Also, the memory remapping schemes of both Vista and Leopard make this vector of attack less likely to work on those operating systems, so if you're on the bleeding edge of the OS wars, bully for you.
     
  5. jettredmont macrumors 68030

    Joined:
    Jul 25, 2002
    #30
    The non-blog-spamming link is:

    http://www.kb.cert.org/vuls/id/659761

    That's "cert.org" ... which I believe is quite trustable :)
     
  6. FX120 macrumors 65816

    FX120

    Joined:
    May 18, 2007
    #31
    Good thing I've refused to install Quicktime on any of my Windows machines.
     
  7. Analog Kid macrumors 601

    Analog Kid

    Joined:
    Mar 4, 2003
    #32
    I believe Safari runs with the permissions of the user who launched it, and therefore the embedded Quicktime would also run with those permissions. If you're an admin, any code that jumped the buffer would be admin.

    Makes me wonder if it would actually make more sense if Safari ran under its own user... Similarly, does anyone know how the "sandboxing" is supposed to work in Leopard?
    Little Snitch is one way-- it blocks outgoing connections, while the firewall blocks incoming. I just added the addresses to my filter list (not that it's those addresses I need to worry about, but it's a start). I've also told it to request permission before allowing Quicktime to connect to port 554.
     
  8. Analog Kid macrumors 601

    Analog Kid

    Joined:
    Mar 4, 2003
    #33
    Panic? No... But we should be aware of it and protect against it. Complacency is just as bad as panic, and anyone being complacent potentially hurts all of us.
    Real Time Streaming Protocol. This is the streaming video protocol.

    Anyone know if it's possible for a site to set up so QT starts streaming without someone hitting "play"?
     
  9. notjustjay macrumors 603

    notjustjay

    Joined:
    Sep 19, 2003
    Location:
    Canada, eh?
    #34
    I would use food as an example. Think of a plate as a "buffer" on which you place food which you are going to eat. If you have a 12" wide plate, then you can safely put down a foot long sub. If you try to put a 16" sub down, it's going to hang over the edge. If someone else's plate is right beside yours (it's a crowded table), then some of your food is going to overflow onto their plate.

    Most waiters are smart and will double-check the plate size is big enough for the food they're about to put down, but the occasional one forgets. If a hacker wishes to poison someone at the table, he only needs to arrange to sit beside them, and order a specially-prepared piece of poisoned food that intentionally overhangs onto the victim's plate.

    Memory randomization is akin to randomly changing the seating order at the table. It's harder to poison your victim if you don't know exactly where he's going to sit.

    Dang, now I'm hungry.
     
  10. Crager724 macrumors member

    Joined:
    Aug 9, 2005
    Location:
    God's Country
    #35
    I'm wondering, I noticed 3 new .exe files on my desktop today and just dragged them into the trash. Do I need to do anything more?
     
  11. Templex macrumors regular

    Joined:
    Jul 12, 2007
    Location:
    Los Angeles, CA
    #36
    Wow, this seems like the first somewhat serious exploit.
    If, on the Mac side, you still need some sort of user confirmation, then it's not that bad.
     
  12. cohibadad macrumors 6502a

    cohibadad

    Joined:
    Jul 21, 2007
    #37
    I think I'll live on the edge and keep using Quicktime. I'm just that crazy.
     
  13. 123 macrumors 6502

    Joined:
    Mar 3, 2002
    #38
    sudo ipfw add 100 deny ip from any to 85.255.117.212,85.255.117.213,216.255.183.59,69.50.190.135,58.65.238.116,208.113.154.34

    (undo command: sudo ipfw delete 100)
    (to see what rules are active: sudo ipfw list <= do this before adding a rule to prevent something else being overwritten)
    (learn more: man ipfw)

    Currently, these domains resolve to the IPs blocked above. If you think that they will point to different IPs in the future, add the following lines to /etc/hosts
    >>
    127.0.0.1 2005-search.com
    127.0.0.1 1800-search.com
    127.0.0.1 search-biz.org.com
    127.0.0.1 ourvoyeur.net
    >>
    to redirect all requests to the local host.

    sudo ipfw add 101 deny tcp from any to any 554 out

    (disables TCP RTSP)
    (undo command: sudo ipfw delete 101)
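    A dry-run helper for the rules in this post, added here as an example and not taken from the thread: it reads an `ipfw list` listing, skips rule numbers that are already in use (the check the post asks for), and prints the add commands for review instead of running them. It assumes the listing format seen in this thread (rule number in the first field of each line) and uses a constructed sample listing.

```sh
#!/bin/sh
# Added example (not from the thread). Builds the "deny" rules from post #13
# as a dry run: it reads an `ipfw list` (or `ipfw show`) listing, picks rule
# numbers that are not already in use, and prints the commands for review
# instead of running them.

# Outbound RTSP port and the addresses quoted in the thread.
RTSP_PORT=554
BLOCK_IPS="85.255.117.212 85.255.117.213 216.255.183.59 69.50.190.135 58.65.238.116 208.113.154.34"

# rule_in_use LISTING NUMBER -> exit 0 if a rule with that number is listed.
# Assumes the first field of each line is the rule number ("00100 ..."); the
# numeric compare handles the leading zeros and both list/show formats.
rule_in_use() {
    printf '%s\n' "$1" |
        awk -v n="$2" 'BEGIN { f = 1 } $1 + 0 == n { f = 0 } END { exit f }'
}

# next_free_rule LISTING START -> prints the first unused number >= START.
next_free_rule() {
    n=$2
    while rule_in_use "$1" "$n"; do
        n=$((n + 1))
    done
    printf '%s\n' "$n"
}

# build_block_rules LISTING START -> one `ipfw add` command per block, each on
# its own number so any one of them can later be removed with `ipfw delete N`.
build_block_rules() {
    listing=$1
    n=$(next_free_rule "$listing" "$2")
    printf 'sudo ipfw add %s deny tcp from any to any %s out\n' "$n" "$RTSP_PORT"
    for ip in $BLOCK_IPS; do
        n=$(next_free_rule "$listing" $((n + 1)))
        printf 'sudo ipfw add %s deny ip from any to %s\n' "$n" "$ip"
    done
}

# Constructed sample listing standing in for `sudo ipfw list` on a machine
# that already uses rules 100 and 101. For real use:
#   build_block_rules "$(sudo ipfw list)" 100
SAMPLE_LISTING='00100 allow ip from any to any via lo0
00101 deny ip from any to 127.0.0.0/8
65535 allow ip from any to any'

build_block_rules "$SAMPLE_LISTING" 100
```

    On the sample listing the first two numbers are taken, so the RTSP rule lands on 102 and the six address rules on 103 to 108; paste the printed lines only after reading them against `sudo ipfw list`.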
     
  14. dariusperkins macrumors newbie

    Joined:
    Sep 17, 2007
    #39
    best restaurant analogy ever man.
     
  15. nagromme macrumors G5

    nagromme

    Joined:
    May 2, 2002
    #40
    Talk more about the sub sandwiches--I like that :) Maybe french fries too? Maybe the french fries can be security researchers or something? And can we have pie?

    There have been exploits on QT for Windows before, I'm pretty sure. And there have been security FLAWS (non-exploited, later patched) under OS X many times. All software has bugs.

    At the moment, this is not the first Mac exploit because it's a Windows-only exploit. But we should be aware that until a patch arrives, something similar might be doable in OS X.
     
  16. MagnusVonMagnum macrumors 601

    MagnusVonMagnum

    Joined:
    Jun 18, 2007
    #41
    I'm amazed how so many people just dismiss it as a big deal kind of thing. My reaction is that this hole has been known for some time now and given it's just a header issue, the real question is why didn't Apple patch Quicktime immediately instead of sitting on their butts and waiting for someone to exploit a known security hole? It would take them, what, all of 10 minutes to patch Quicktime and avoid the bad publicity that comes along with such things? Thumbs down to Apple on dropping the ball on this one.
     
  17. joelovesapple macrumors 6502a

    joelovesapple

    Joined:
    Sep 25, 2006
    Location:
    UK
    #42
    I tend not to use QT as a rule, only with iTunes as iTunes relies on it to function. However recently I created a separate Admin account and a managed guest account and also a user account for me, to run as a Standard User. This means that a password is required whenever I have to install something, right, so am I to worry if such a thing did occur?

    My Mac is also stealthed (running Leopard) Firewalled, behind a NAT router which is firewalled and stealthed so I'm keeping my fingers crossed. Also I like to make sure I have the most secure browser settings available...

    Someone convince me please?:apple:
     
  18. Heb1228 macrumors 68020

    Heb1228

    Joined:
    Feb 3, 2004
    Location:
    Virginia Beach, VA
    #43
    My mother-in-law called me yesterday telling me that 'Firefox had taken over her computer and caused it to go to some strange website.' I'm wondering if this could be related somehow. I tried taking a look at her iMac using iChat's screen sharing but couldn't get very far... it's cloudy and she uses satellite internet. I just noticed she had version 2.0.6 of Firefox and not 2.0.11. But nothing else sent up any alarm bells. Strange.
     
  19. John Musbach macrumors regular

    Joined:
    Nov 8, 2007
    #44
    While this is a little scary I don't believe there currently is much to worry about at this time as while hackers may indeed take advantage of this exploit they most likely will only develop exploits that affect the Windows side of things since Windows exploit tools are easily purchased, more people are skilled at Windows development rather than Mac development and Windows continues to have the most market share. So... I wouldn't worry just yet, however that doesn't mean that Apple should just do nothing. Apple definitely should still act on this and release a patch for this issue as soon as possible, if not for the Mac side of things then for the poor Windows folks who may fall victim to these exploits.
     
  20. John A macrumors member

    Joined:
    Mar 30, 2007
    #45
    I went about it the same way, but I just find it easier to understand when I see it laid out this way:

    01000 0 0 deny tcp from me to not me dst-port 554 out
    01100 0 0 deny tcp from me to 85.255.117.212 out
    01200 0 0 deny tcp from me to 85.255.117.213 out
    01300 0 0 deny tcp from me to 216.255.183.59 out
    01400 0 0 deny tcp from me to 69.50.190.135 out
    01500 0 0 deny tcp from me to 58.65.238.116 out
    01600 0 0 deny tcp from me to 208.113.154.34 out
     
  21. BagelTycoon macrumors member

    Joined:
    Apr 21, 2003
    Location:
    NY - Land of the free, home of the bagel
    #46
    Kills QuickTime Pro

    WTF - the upgrade kills prior versions of Paid Quicktime 7 Pro.

    Why should I have to pay twice for QT Pro when the necessity of the upgrade is 1) Apple's fault; and 2) I've already paid for and been using a flawed version?

    :mad:
     