Old Apple QuickTime code puts IE users in harm's way
Exploit bypasses Windows' DEP, ASLR defenses, can be used in drive-by attacks
Computerworld - Apple's failure to clean up old code in QuickTime leaves people running Internet Explorer vulnerable to drive-by attacks, a Spanish security researcher said today.
Ruben Santamarta, a researcher at Madrid-based Wintercore who revealed a bug in IE8 last month, today outlined the QuickTime plug-in vulnerability.
Hackers only need to dupe users into visiting a malicious site hosting exploit code, said Santamarta, who added that his attack code works when someone browses with IE on a machine running Windows XP, Vista or Windows 7 that has QuickTime 7.x or the older QuickTime 6.x installed.
Santamarta's exploit works because Apple didn't tidy up QuickTime's code after developers dropped the "_Marshaled_pUnk" function.
"Although this functionality was removed in newer versions, the parameter is still present," Santamarta wrote in his advisory. "Why? I guess someone forgot to clean up the code."
His attack code also bypasses a pair of important security measures Microsoft has added to Windows: DEP (data execution prevention) and ASLR (address space layout randomization).
DEP and ASLR sidestepping isn't new: In late March, Dutch researcher Peter Vreugdenhil exploited a vulnerability in IE8 running on Windows 7 with attack code that evaded DEP and ASLR to win $10,000 at the fourth-annual Pwn2Own contest. And last month, Santamarta said that the IE8 bug he publicized could also be used to bypass the technologies.
"This issue can be used in a drive-by attack, as QuickTime is widely deployed, and for some reason people still [use] IE," said HD Moore, chief security officer at Rapid7 and the creator of the Metasploit penetration testing framework, in an e-mail. "Unlike other browser-based exploits, Windows 7 with ASLR/DEP will not make an appreciable difference due to the presence of an unprotected DLL within QuickTime itself."
In his advisory, Santamarta said he had sent details of his exploit to Metasploit. Moore confirmed that Metasploit developers are working on a module for the hacking tool kit and are shooting for a Tuesday release of a reliable exploit.
Like Santamarta, Moore believes that the bug was an oversight, not an intentional back door left by an Apple programmer.
Attacks that leverage Santamarta's bug will probably pop up soon, Moore added.
"This exploit will likely make it into the wild; the complete exploit details were provided as part of the initial blog post and with the QuickTime install base being what it is, there is incentive to include this vulnerability into the various [exploit] kits," Moore said.
Until Apple issues a patch, users can stymie attacks by uninstalling or disabling the QuickTime plug-in. Symantec recommended that users set the killbit for the QuickTime ActiveX control or rename the plug-in.
Instructions for setting an ActiveX control's killbit can be found on Microsoft's support site.
Apple last patched QuickTime for Windows on Aug. 11 when it shipped Version 7.6.7 to fix a different bug in the program's error logging.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
- Hands on: Apple's Mac Pro is the fastest Mac ever
- Apple CFO to retire in September after he cashes in $53M stock award
- Apple's CarPlay to spark mobile apps war in your car
- Apple retires Snow Leopard from support, leaves 1 in 5 Macs vulnerable to attacks
- Apple patches critical 'gotofail' bug with Mavericks update
- Why Apple needs a $700 MacBook Air
- Apple takes top spot in brand value computation
- Apple gets a patent for health-monitoring ear buds
- Apple shifts to hardware-first TV strategy with revamped set-top box
- iTunes is almost as big a biz as OEM Windows
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts