Monday, January 14, 2008

New Apple Quicktime Problem – UPDATE

On Thursday an advisory was released to several security research mailing lists describing an unpatched flaw in Quicktime, along with a simple Proof-of-Concept (PoC). Over the weekend, that simple PoC morphed into a much more robust attack tool. The current PoC, which is really a weaponized attack tool in sheep's clothing, will cause memory corruption on both Vista and OSX 10.5.

Quicktime has had a rough time recently, with a number of flaws putting both Windows and OSX users at risk. You can't fault them for having flaws in their software; everybody does. The problem I have with Apple is that these attacks would not be exploitable if they took advantage of the advanced security features in Vista. This exploit requires an attacker to know a static offset in the process address space that they can use to their advantage. Opting into ASLR on Vista would mitigate this risk and keep millions of Windows users safe. In the update for the last problem, ASLR was still not enabled, and as I have previously shown, enabling it is nothing more than flipping a bit in the image header and running a QA cycle.

Due to Apple's lack of adoption of these features or of a secure development cycle, I have recommended to our customers that all Apple software be removed from Windows machines. That is Quicktime, iTunes, and Safari.

[Screenshot: what the exploit looks like running with default options.]

[Screenshot: the OSX 10.5 crash.]

[Screenshot: the WinDbg output on Vista.]
