Tuesday, April 08, 2008

Update on Apple and QuickTime

I just read at the Infosec Blog that a new version of QuickTime has been released that contains fixes that should make QuickTime harder to exploit on Vista. I say should because, although it is a good start, Apple did not completely close the loop. The reason ASLR is important to thwarting hackers is that the memory space of an application is randomized, or as the King would say, they are all shook up. Since most buffer overflow exploits rely on knowing where a piece of code or data is in memory, the randomization can turn a remotely exploitable bug into nothing more than a Denial-of-Service. Although targeted attacks against individuals may still be possible, widespread QuickTime exploits will be much harder to write.

Not to signal doom and gloom, but there is a problem or two. The main problem with implementing ASLR is that it really is an all-or-nothing venture: if even one shared library is loaded at a fixed, non-randomized address, you open yourself to compromise. Below are screenshots of the new QuickTime from a filesystem and a process point of view using LookingGlass. Although most of the files are now marked as ASLR enabled, there are still a few binaries that are not, and those could still provide an attacker a static location to utilize.

Don't let these few oversights distract you from the huge stride forward Apple is making in keeping Vista users safer. It is good to see Apple embracing these security enhancements, and I encourage other vendors, like Adobe, to follow their lead. I also hope that Apple extends these improvements to the other products it offers to Windows users.

QuickTime file system scan with LookingGlass.
QuickTime process scan with LookingGlass.
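As an added illustration of the all-or-nothing point above (this is example code written for this post, not LookingGlass and not the author's own tool), the script below reads PE headers the way a file-system scanner would and reports which binaries under a directory lack the DYNAMIC_BASE (ASLR) and NX_COMPAT (DEP) bits in DllCharacteristics, the opt-in flags Vista honours. The 0x0040 and 0x0100 values are the ones defined in the PE/COFF specification; make_test_image builds a constructed, non-loadable header purely so the parser can be checked offline.

```python
import os
import struct

# IMAGE_DLLCHARACTERISTICS bits from the PE/COFF spec (optional header field).
DYNAMIC_BASE = 0x0040  # image may be rebased at load time: the ASLR opt-in
NX_COMPAT = 0x0100     # image declares DEP/NX compatibility

def pe_dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics field of a PE image; ValueError if not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24  # optional header follows the 4-byte sig + 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ layouts.
    return struct.unpack_from("<H", data, opt + 70)[0]

def aslr_status(data: bytes) -> dict:
    flags = pe_dll_characteristics(data)
    return {"aslr": bool(flags & DYNAMIC_BASE), "dep": bool(flags & NX_COMPAT)}

def scan_directory(root: str) -> list:
    """(path, aslr, dep) for every PE file under root; non-PE files are skipped."""
    results = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    st = aslr_status(f.read(4096))  # headers live in the first page
            except (OSError, ValueError, struct.error):
                continue
            results.append((path, st["aslr"], st["dep"]))
    return results

def make_test_image(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE headers (not a loadable binary) for exercising the parser."""
    img = bytearray(0x80)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)  # e_lfanew -> PE signature at 0x80
    img += b"PE\0\0" + bytes(20)
    opt = bytearray(240 if pe32plus else 224)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(img + opt)
```

Point scan_directory at the QuickTime install directory and any row whose aslr value is False is a binary that still loads at a predictable address. A 32-bit Vista machine will also leave such images unrandomized even when every other module in the process opted in.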


cryptognome said...

Hey, the only contact info on your home page is for sales, so I thought I'd post here. I've ported ferret to OS X if you guys want to add it to the distribution. Only changes were to pcaplive.c, main.cpp (to fix a warning) and a new Makefile of course. Write back if you're interested, and thanks for making the source available!

David Maynor said...

Sure, email me at dave@erratasec.com and we will merge the changes into the next release!