Apple QuickTime potential vulnerability/backdoor

Published: 2010-08-30
Last Updated: 2011-01-24 23:36:43 UTC
by Adrien de Beaupre (Version: 1)
4 comment(s)

A vulnerability/backdoor in Apple Quicktime has been announced, and we are keeping an eye on it.

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

4 comment(s)

Comments

Could this be mitigated with SlayOCX? If so, what is the CLSID?
- http://www.symantec.com/security_response/threatconlearn.jsp
Aug. 31, 2010 - "... Users may wish to disable the QuickTime plugin until a patch is available; this can be achieved by setting the killbit for the affected control (02BF25D5-8C17-4B23-BC80-D3488ABDDC6B) -or- renaming the plugin (QTPlugin.OCX)..."

- http://www.theregister.co.uk/2010/08/30/apple_quicktime_critical_vuln/
30 August 2010 - "... exploit... works only against those who have Microsoft's Windows Live Messenger installed..."
.
From the above-mentioned Register article:

"While the exploit posted by Santamarta works only against those who have Microsoft's Windows Live Messenger installed, the researcher told The Reg that components that ship by default with QuickTime can be used to pull off the same ROP sleight of hand. Files called QuickTimeAuthoring.qtx and QuickTime.qts are two possibilities."

"Indeed, programmers with the open-source Metasploit project used by penetration testers and other hackers are in the process of building an attack module that does just that."

The exploit posted by Santamarta uses Windows Live Messenger because its DLLs don't use ASLR and DEP so the exploit has an easier time. But the underlying vulnerability and the approach used by Santamarta can take advantage of any DLL that doesn't use ASLR and DEP, and there are a lot of them on the typical system.
>> http://support.apple.com/kb/HT4339
QuickTime 7.6.8 released - September 15, 2010
___

Diary Archives