Possible Cross-Platform 0Day in Apple's Quicktime Music Player
Apple's Quicktime music player, in combination with Safari, has been identified as the attack vector that won last week's $10,000 prize at the CanSecWest security conference in Vancouver. It turns out that the vulnerability not only extends to other OSX browsers but possibly to Windows and PPC Macs as well. Updated: possible exploit released. Fix released on May 1st. See below.
The Quicktime bug is reached through a Java-capable web browser using the Quicktime for Java interface (QT4J). Any web browser that supports Java becomes an attack vector if Quicktime is installed. If Java support is disabled in the browser, it can no longer be used for the attack.

Currently Safari and Firefox are confirmed vectors on the MacIntel OSX platform. It is also known that Windows Quicktime is vulnerable; what is not known is to what degree. If the attack is a buffer overflow, an actual "exploiting the box" type attack may be OS specific. In other words, Quicktime under Windows may simply crash or hang the computer if the same exploit code is used. Converting a buffer overflow into a full-fledged exploit takes time and is not always possible. But they did it on the OSX platform, so it is entirely possible that someone can do it on the Windows platform as well. However, if the exploit simply takes advantage of a function built into Quicktime, then the current exploit may work on both platforms.

Details are still emerging, and part of the contest rules give 3COM (parent company of TippingPoint's Zero Day Initiative) control over what information is released. This will limit malicious use of the bug until someone else figures it out, or until the information leaks out. Either way there is probably a little time available to allow TippingPoint to update their firewall product and Apple to fix the problem.

The exploit requires that the user visit a malicious web page, either by chance or by clicking on a malicious link.

Mitigation:
  • Turn off Java support in your browser
  • Uninstall Quicktime
  • If you use Firefox, use the NoScript plugin to disallow Java on a site-by-site basis. There is some confusion on how to turn off "Java" in the NoScript plugin. This screen shot should help. Please keep in mind that Java and JavaScript are not the same thing. This problem involves "Java". If you use Firefox you can download the latest version of NoScript at NoScript.net
  • Apple released a fix for this on May 1st, QuickTime version 7.1.6
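The mitigations above come down to two checks per machine: is the installed Quicktime older than the 7.1.6 fix (and inside the 3.x through 7.x range the Secunia advisory names), and is Java still enabled in the browser? The following is an added triage helper, not code from NIST.org, Apple or Secunia; the inventory rows it runs over are constructed sample data, and the assumed input shape is (hostname, installed Quicktime version or None, Java enabled).

```python
"""Triage helper: flag hosts whose installed QuickTime is below the 7.1.6 fix
and still within the 3.x - 7.x range named in the advisory, and say which of
the article's mitigations (patch, or disable Java) still applies.
Added example; not code from NIST.org, Apple or Secunia."""
from typing import Iterable, List, Tuple

FIXED_VERSION = (7, 1, 6)       # from the article: Apple's fix is QuickTime 7.1.6
AFFECTED_MAJORS = range(3, 8)   # from the advisory: versions 3.x through 7.x


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.1.5' or '7.1' into a comparable tuple padded to three parts.
    A trailing non-digit suffix such as '6b' is cut at the first non-digit;
    an entirely non-numeric version string is rejected."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version_text: str) -> bool:
    """True when the version is in the affected major range and below 7.1.6."""
    v = parse_version(version_text)
    return v[0] in AFFECTED_MAJORS and v[:3] < FIXED_VERSION


def triage(inventory: Iterable[Tuple[str, object, bool]]) -> List[Tuple[str, str]]:
    """Return (hostname, action) for every host that still needs attention.
    Assumed row shape: (hostname, quicktime_version or None, java_enabled)."""
    actions = []
    for host, qt_version, java_enabled in inventory:
        if qt_version is None:
            continue  # no QuickTime, so no QT4J attack surface on this host
        if not is_affected(str(qt_version)):
            continue  # already at 7.1.6 or later, or outside the affected range
        if java_enabled:
            actions.append((host, "vulnerable: patch QuickTime to 7.1.6 or disable Java"))
        else:
            actions.append((host, "exposed if Java is re-enabled: patch QuickTime to 7.1.6"))
    return actions


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("mac-01", "7.1.5", True),
    ("mac-02", "7.1.6", True),
    ("win-03", "7.1.3", False),
    ("win-04", None, True),
    ("win-05", "2.5", True),
]

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY):
        print(f"{host}: {action}")
```

Hosts without Quicktime are skipped because the QT4J path the article describes needs Quicktime present; a host with Java already disabled is still listed, since the article's workaround only holds as long as Java stays off, so the patch is still the durable fix.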


Discovery credit goes to Dino Dai Zovi. "Think of it as a problem that can be triggered only if Java is enabled," said Thomas Ptacek on Matasano's blog.

More information as it becomes available.

UPDATES:
  • 4/25 PM: Matasano Security's Thomas Ptacek is quoting "multiple credible sources" that the entire contest took place over an unsecured wireless network. Why is that important? Because in a room full of hackers some of them were surely sniffing (monitoring) the whole thing. There are unconfirmed reports that someone in that room has recreated the exploit and is releasing it into the wild. The contest organizers are disputing this, saying that the wireless access point was only used to route traffic out to the internet and that the MacBooks involved were on a wired connection. But that doesn't mean that an exploit wasn't reverse engineered by other means. So if you haven't taken measures to protect your computers yet, now is the time.
  • 4/25 PM: Secunia has released Secunia Advisory #SA25011, rated as "Highly Critical". The advisory states that the vulnerability affects Apple Quicktime versions 3.x through 7.x.



Posted by NIST.org on Wednesday 25 April 2007 - 16:11:18
NIST.org is in no way connected to the U.S. government site NIST.gov

This site is © John Herron, CISSP. All Rights Reserved.
