NIST Site Search
Search NIST.GOV
Custom Search
[Official NIST.GOV TIME]
Product Research

Advertise on this site
Possible Cross-Platform 0Day in Apple's Quicktime Music Player
Apple's Quicktime music player in combination with Safari has been identified as the attack vector that won last week's $10,000 prize at the CanSecWest security conference in Vancouver. But it turns out that the vulnerability not only extends to other OSX browsers but also possibly to Windows and PPC Macs as well. Updated: Possible Exploit Released. Fix released on May 1st. See below.No Longer Supported
The Quicktime bug seems to be passed to it by a Java capable web browser using the Quicktime for Java interface (QT4J). Any web browser that supports Java will become a vulnerability vector if Quicktime is installed. If Java support is disabled in the browser it can no longer be used for an attack.

Currently Safari and Firefox are confirmed vectors on the MacIntel OSX platform. Currently it is known that Windows Quicktime is vulnerable as well. What is not known is to what degree. If the attack is a buffer overflow an actual "exploiting the box" type attack may be OS specific. In other words Quicktime under Windows may simply crash or hang the computer if the same exploit code is used. Converting a buffer overflow in to a full fledged exploit takes time and is not always possible. But they did it on the OSX platform so it is entirely possible that someone can do it on the Windows platform as well. However, if the exploit simply takes advantage of a function built-in to Quicktime than the current exploit may work on both platforms.

Details are still emerging and part of the contest rules gives 3COM (parent company of TippingPoint's Zero Day Initiative) control over what information is released. This will limit malicious use of the bug until someone else figures it out, or until the information leaks out. Either way there is probably a little time available to allow TippingPoint to update their firewall product and Apple to fix the problem.

The exploit requires that the user visit a malicious web page, either by chance or by clicking on a malicious link.

Mitigation:
  • Turn off Java support in your browser
  • Uninstall Quicktime
  • If you use Firefox use the NoScript plugin to disallow Java on a site by site basis. There is some confusion on how to turn "Java" in the NoScript plugin. This screen shot should help. Please keep in mind that Java and JavaScript are not the same thing. This problem involves "Java". If you use Firefox you can download the latest version of NoScript at NoScript.net
  • Apple Released a Fix to this on May 1st, QuickTime version 7.1.6


Discovery credit goes to Dino Di Zovie. "Think of it as a problem that can be triggered only if Java is enabled." said Thomas Ptacek on the group's Matasano blog.

More information as it becomes available.

UPDATES:
  • 4/25 PM: Matasano Security's Thomas Ptacek is quoting "multiple credible sources" that the entire contest took place over an unsecure wireless network. Why is that important? Because in a room full of hackers some of them were surely sniffing (monitoring) the whole thing. There are unconfirmed reports that someone in that room has recreated the exploit and is releasing it in to the wild. The contest organizers are disputing this saying that the wireless access point was only used to route traffic out to the internet and that the Macbooks involved were on a wired connection. But that doesn't mean that an exploit wasn't reverse engineered by other means. So if you haven't taken measures to protect your computers yet now is the time.
  • 4/25 PM: Secunia has released Secunia Advisory #SA25011 rated as "Highly Critical". The advisory states that the vulnerability affects Apple Quicktime versions 3.x through 7.x



Share or Bookmark this Article Using:
| furl | reddit | del.icio.us | magnoliacom | digg | newsvine | stumble it |



Google
WebNIST.org
NIST.govSecurityFocus.com






Posted by NIST.org on Wednesday 25 April 2007 - 16:11:18 | |printer friendly
Translate to: {GOOGLETRANS}
Google Ads




Headlines

»CVE-2014-3672 (libvirt, xen)
The qemu implementation in libvirt before 1.3.0 and Xen allows local guest OS users to cause a denia ...
»CVE-2015-7360 (fortisandbox_firmware)
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface (WebUI) in Fortinet Fo ...
»CVE-2015-8558 (qemu)
The ehci_process_itd function in hw/usb/hcd-ehci.c in QEMU allows local guest OS administrators to c ...
»CVE-2015-8853 (fedora, perl)
The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec.c in Perl before 5.24.0 allow context-dependent attackers to cause a denial of service (infinite loop) via crafted utf-8 data, as demonstrated by "a\x80."
»CVE-2016-0264 (desktop_supplementary, enterprise_linux_desktop_supplementary, enterprise_linux_hpc_node_supplementary, enterprise_linux_server_supplementary, enterprise_linux_server_supplementary_eus, enterprise_linux_workstation_supplementary, java_sdk, linux_enterprise_server, linux_enterprise_software_development_kit, manager, manager_proxy, openstack, supplementary)
Buffer overflow in the Java Virtual Machine (JVM) in IBM SDK, Java Technology Edition 6 before SR16 ...
»CVE-2016-0718 (debian_linux, expat, ubuntu_linux)
Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute ar ...
»CVE-2016-1380 (web_security_appliance)
Cisco AsyncOS 8.0 before 8.0.6-119 on Web Security Appliance (WSA) devices allows remote attackers t ...
»CVE-2016-1381 (web_security_appliance)
Memory leak in Cisco AsyncOS 8.5 through 9.0 before 9.0.1-162 on Web Security Appliance (WSA) device ...
»CVE-2016-1382 (web_security_appliance_(wsa))
Cisco AsyncOS before 8.5.3-069 and 8.6 through 8.8 on Web Security Appliance (WSA) devices mishandle ...
»CVE-2016-1383 (web_security_appliance_(wsa))
Memory leak in Cisco AsyncOS through 8.8 on Web Security Appliance (WSA) devices allows remote attac ...
»CVE-2016-1385
The XML parser in Cisco Adaptive Security Appliance (ASA) Software through 9.5.2 allows remote authe ...
»CVE-2016-1400 (telepresence_video_communication_server)
Cisco TelePresence Video Communications Server (VCS) X8.x before X8.7.2 allows remote attackers to c ...
»CVE-2016-1406 (evolved_programmable_network_manager, prime_infrastructure)
The API web interface in Cisco Prime Infrastructure before 3.1 and Cisco Evolved Programmable Networ ...
»CVE-2016-1407 (ios_xr)
Cisco IOS XR through 5.3.2 mishandles Local Packet Transport Services (LPTS) mishandles flow-base en ...
»CVE-2016-1886 (freebsd)
Integer signedness error in the genkbd_commonioctl function in sys/dev/kbd/kbd.c in FreeBSD 9.3 befo ...


Date published: 2016-05-27T04:50:00Z
Details

»Google Releases Security Update for Chrome
Original release date: May 26, 2016 Google has released Chrome version 51.0.2704.63 to addres ...
»Adobe Releases Security Update for Adobe Connect
Original release date: May 23, 2016 Adobe has released a security update to address a vulnera ...
»VMware Releases Security Updates
Original release date: May 18, 2016 VMware has released security updates to address vulnerabi ...
»Cisco Releases Security Updates
Original release date: May 18, 2016 Cisco has released security updates to address vulnerabil ...
»Symantec Releases Security Update
Original release date: May 16, 2016 Symantec has released Anti-Virus Engine 20151.1.1.4 to ad ...
»Apple Releases Multiple Security Updates
Original release date: May 16, 2016 Apple has released security updates for tvOS, iOS, watchO ...
»Adobe Releases Security Updates for Flash Player
Original release date: May 12, 2016 Adobe has released security updates to address vulnerabil ...
»Google Releases Security Update for Chrome
Original release date: May 11, 2016 Google has released Chrome version 50.0.2661.102 to addre ...
»Adobe Releases Security Updates
Original release date: May 10, 2016 | Last revised: May 11, 2016 Adobe has released security ...
»Microsoft Releases May 2016 Security Bulletin
Original release date: May 10, 2016 Microsoft has released 16 updates to address vulnerabilit ...


Date published: not known
Details

»Virus Bulletin's job site for recruiters and job seekers
Virus Bulletin has relaunched its security job vacancy service and ...
»Throwback Thursday: One_Half: The Lieutenant Commander?
In October 1994, a new multi-partite virus appeared, using some of ...
»Advertisements on Blogspot sites lead to support scam
Support scam pop-ups presented through malicious advertisements sho ...
»To make Tor work better on the web, we need to be honest about it
Many websites put barriers in front of visitors who use the Tor net ...
»Paper: How It Works: Steganography Hides Malware in Image Files
A new paper by CYREN researcher Lordian Mosuela takes a close look ...
»Paying a malware ransom is bad, but telling people to never do it is unhelpful advice
The current ransomware plague is one of the worst threats the Inter ...
»VB2015 paper: VolatilityBot: Malicious Code Extraction Made by and for Security Researchers
In his VB2015 paper, Martin Korman presented his 'VolatilyBot' tool ...
»VB2016 programme announced, registration opened
We have announced 37 papers (and four reserve papers) that will be ...
»New tool helps ransomware victims indentify the malware family
The people behind the MalwareHunterTeam have released a tool that h ...


Date published: not known
Details
Main Menu
· Home
Current Security News
 
US-CERT Current Activity

» Google Releases Security Update for Chrome
[26 May 2016 11:15am]

» Adobe Releases Security Update for Adobe Connect
[23 May 2016 01:44pm]

» VMware Releases Security Updates
[18 May 2016 03:20pm]

» Cisco Releases Security Updates
[18 May 2016 12:30pm]

» Symantec Releases Security Update
[16 May 2016 09:37pm]

» Apple Releases Multiple Security Updates
[16 May 2016 04:32pm]

» Adobe Releases Security Updates for Flash Player
[12 May 2016 11:39am]

» Google Releases Security Update for Chrome
[11 May 2016 03:59pm]

» Adobe Releases Security Updates
[10 May 2016 01:10pm]

» Microsoft Releases May 2016 Security Bulletin
[10 May 2016 01:07pm]

***
US-CERT Alerts

» TA16-144A: WPAD Name Collision Vulnerability
[23 May 2016 05:38am]

» TA16-132A: Exploitation of SAP Business Applications
[11 May 2016 05:31am]

» TA16-105A: Apple Ends Support for QuickTime for Windows; New Vulnerabilities Announced
[14 Apr 2016 01:48pm]

» TA16-091A: Ransomware and Recent Variants
[31 Mar 2016 04:00pm]

» TA15-337A: Dorkbot
[03 Dec 2015 04:40pm]

» TA15-314A: Compromised Web Servers and Web Shells - Threat Awareness and Guidance
[10 Nov 2015 06:12pm]

» TA15-286A: Dridex P2P Malware
[13 Oct 2015 05:23am]

» TA15-240A: Controlling Outbound DNS Access
[28 Aug 2015 11:31am]

» TA15-213A: Recent Email Phishing Campaigns – Mitigation and Response Recommendations
[01 Aug 2015 04:01pm]

» TA15-195A: Adobe Flash and Microsoft Windows Vulnerabilities
[14 Jul 2015 05:13pm]

***
Computerworld Security

» Malware links SWIFT breaches at banks to N. Korean hackers
[27 May 2016 11:01am]

» Senate proposal to require encryption workarounds may be dead
[27 May 2016 10:25am]

» New JavaScript spam wave distributes Locky ransomware
[27 May 2016 08:19am]

» What is MAREA? Oh, just an epic shift that changes everything [updated]
[27 May 2016 05:18am]

» Up to a dozen banks are reportedly investigating potential SWIFT breaches
[26 May 2016 02:14pm]

» Senators want warrant protections for U.S. email stored overseas
[26 May 2016 11:57am]

» Celebrity hacker Guccifer's confession gives us all a lesson in security
[26 May 2016 11:14am]

» IoT security is getting its own crash tests
[26 May 2016 05:09am]

» IDG Contributor Network: Are you buried under your security data?
[25 May 2016 01:00pm]

» Faception can allegedly tell if you're a terrorist just by analyzing your face
[25 May 2016 09:56am]

» Top-level domain expansion is a security risk for business computers
[25 May 2016 08:32am]

» Apple hires mobile encryption pioneer amid encryption debate
[25 May 2016 04:49am]

» Do we need vendor allies in the malware arms race?
[24 May 2016 12:35pm]

» State officials worry about their ability to fight cyberattacks
[24 May 2016 10:32am]

» New DMA Locker ransomware is ramping up for widespread attacks
[24 May 2016 09:22am]

***
Microsoft Security Advisories

» 2880823 - Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program - Version: 2.0
[18 May 2016 11:00am]

» 3155527 - Update to Cipher Suites for FalseStart - Version: 1.0
[10 May 2016 11:00am]

» 3152550 - Update to Improve Wireless Mouse Input Filtering - Version: 1.1
[22 Apr 2016 11:00am]

» 3137909 - Vulnerabilities in ASP.NET Templates Could Allow Tampering - Version: 1.1
[10 Feb 2016 11:00am]

» 2871997 - Update to Improve Credentials Protection and Management - Version: 5.0
[09 Feb 2016 11:00am]

» 3123479 - Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program - Version: 1.0
[12 Jan 2016 11:00am]

» 3109853 - Update to Improve TLS Session Resumption Interoperability - Version: 1.0
[12 Jan 2016 11:00am]

» 3118753 - Updates for ActiveX Kill Bits 3118753 - Version: 1.0
[12 Jan 2016 11:00am]

» 2755801 - Update for Vulnerabilities in Adobe Flash Player in Internet Explorer and Microsoft Edge - Version: 53.0
[05 Jan 2016 11:00am]

» 3123040 - Inadvertently Disclosed Digital Certificate Could Allow Spoofing - Version: 1.0
[08 Dec 2015 11:00am]

» 3057154 - Update to Harden Use of DES Encryption - Version: 1.1
[08 Dec 2015 11:00am]

» 3119884 - Inadvertently Disclosed Digital Certificates Could Allow Spoofing - Version: 1.0
[30 Nov 2015 11:00am]

» 3108638 - Update for Windows Hyper-V to Address CPU Weakness - Version: 1.0
[10 Nov 2015 11:00am]

» 3097966 - Inadvertently Disclosed Digital Certificates Could Allow Spoofing - Version: 2.0
[13 Oct 2015 11:00am]

» 2960358 - Update for Disabling RC4 in .NET TLS - Version: 2.0
[13 Oct 2015 11:00am]

***
WIRED

» This Map Tracks Where Governments Hack Activists and Reporters
[26 May 2016 05:00am]

» A Car’s Computer Can ‘Fingerprint’ You in Minutes Based on How You Drive
[25 May 2016 10:24am]

» Security News This Week: Russia’s FindFace Face-Recognition App Is a Privacy Nightmare
[21 May 2016 05:00am]

» Gay Dating Apps Promise Privacy, But Leak Your Exact Location
[20 May 2016 05:00am]

» Chelsea Manning’s Appeal Took Three Years to File. Here’s Why
[19 May 2016 05:49pm]

» New Surveillance System May Let Cops Use All of the Cameras
[19 May 2016 05:00am]

» With Allo and Duo, Google Finally Encrypts Conversations End-to-End
[18 May 2016 01:23pm]

» That Insane, $81M Bangladesh Bank Heist? Here’s What We Know
[17 May 2016 05:00am]

» Everything We Know About How the FBI Hacks People
[15 May 2016 05:00am]

» Security News This Week: It’s Tech Versus the Government, Yet Again
[14 May 2016 05:00am]

***
Network World Security

» Shared malware code links SWIFT-related breaches at banks and North Korean hackers
[27 May 2016 10:01am]

» Senate proposal to require encryption workarounds may be dead
[27 May 2016 08:37am]

» New JavaScript spam wave distributes Locky ransomware
[27 May 2016 07:46am]

» DARPA wants to find the vital limitations of machine learning
[26 May 2016 08:22pm]

» SIEM review: Splunk, ArcSight, LogRhythm and QRadar
[09 May 2016 02:00pm]

» What users love (and hate) about 4 leading firewall solutions
[25 Apr 2016 01:48pm]

» 10 no-cost home security mobile apps worth a download
[01 Apr 2016 06:39am]

» 7 VPN services for hotspot protection
[14 Mar 2016 04:00am]

» Review: Consider VPN services for hotspot protection
[14 Mar 2016 04:00am]

» Review: 5 application security testing tools compared
[01 Mar 2016 01:29pm]

» Skyport eases the pain of deploying and securing remote servers
[29 Feb 2016 04:00am]

» Review: 8 password managers for Windows, Mac OS X, iOS, and Android
[24 Feb 2016 05:58am]

» What users love (and hate) about 4 leading identity management tools
[22 Feb 2016 06:52am]

» Senate proposal to require encryption workarounds may be dead
[27 May 2016 08:37am]

» New JavaScript spam wave distributes Locky ransomware
[27 May 2016 07:46am]

***


More IT Security
News Feeds
More Sponsors

Advertise on this site
RSS Feeds
Our news can be syndicated by using these rss feeds.
rss1.0
rss2.0
rdf

NIST.org is in no way connected to the U.S. government site NIST.gov

This site is © John Herron, CISSP. All Rights Reserved.

Please visit daily to stay up to date on all your IT Security compliance issues.

http://www.nist.org -
Hosted by BlueHost. We've never had a better hosting company.
{THEMEDISCLAIMER}