NIST IT Security: Printer Friendly

LAN_PRINT_135: Possible Cross-Platform 0Day in Apple's Quicktime Music Player
(LAN_PRINT_86 Vulnerabilities)
LAN_PRINT_94 NIST.org
Wednesday 25 April 2007 - 16:11:18

Apple's Quicktime music player in combination with Safari has been identified as the attack vector that won last week's $10,000 prize at the CanSecWest security conference in Vancouver. But it turns out that the vulnerability not only extends to other OSX browsers but also possibly to Windows and PPC Macs as well. Updated: Possible Exploit Released. Fix released on May 1st. See below.

The Quicktime bug seems to be passed to it by a Java capable web browser using the Quicktime for Java interface (QT4J). Any web browser that supports Java will become a vulnerability vector if Quicktime is installed. If Java support is disabled in the browser it can no longer be used for an attack.

Currently Safari and Firefox are confirmed vectors on the MacIntel OSX platform. Currently it is known that Windows Quicktime is vulnerable as well. What is not known is to what degree. If the attack is a buffer overflow an actual "exploiting the box" type attack may be OS specific. In other words Quicktime under Windows may simply crash or hang the computer if the same exploit code is used. Converting a buffer overflow in to a full fledged exploit takes time and is not always possible. But they did it on the OSX platform so it is entirely possible that someone can do it on the Windows platform as well. However, if the exploit simply takes advantage of a function built-in to Quicktime than the current exploit may work on both platforms.

Details are still emerging and part of the contest rules gives 3COM (parent company of TippingPoint's Zero Day Initiative) control over what information is released. This will limit malicious use of the bug until someone else figures it out, or until the information leaks out. Either way there is probably a little time available to allow TippingPoint to update their firewall product and Apple to fix the problem.

The exploit requires that the user visit a malicious web page, either by chance or by clicking on a malicious link.

Mitigation:

Turn off Java support in your browser
Uninstall Quicktime
If you use Firefox use the NoScript plugin to disallow Java on a site by site basis. There is some confusion on how to turn "Java" in the NoScript plugin. This screen shot should help. Please keep in mind that Java and JavaScript are not the same thing. This problem involves "Java". If you use Firefox you can download the latest version of NoScript at NoScript.net
Apple Released a Fix to this on May 1st, QuickTime version 7.1.6

Discovery credit goes to Dino Di Zovie. "Think of it as a problem that can be triggered only if Java is enabled." said Thomas Ptacek on the group's Matasano blog.

More information as it becomes available.

UPDATES:

4/25 PM: Matasano Security's Thomas Ptacek is quoting "multiple credible sources" that the entire contest took place over an unsecure wireless network. Why is that important? Because in a room full of hackers some of them were surely sniffing (monitoring) the whole thing. There are unconfirmed reports that someone in that room has recreated the exploit and is releasing it in to the wild. The contest organizers are disputing this saying that the wireless access point was only used to route traffic out to the internet and that the Macbooks involved were on a wired connection. But that doesn't mean that an exploit wasn't reverse engineered by other means. So if you haven't taken measures to protect your computers yet now is the time.
4/25 PM: Secunia has released Secunia Advisory #SA25011 rated as "Highly Critical". The advisory states that the vulnerability affects Apple Quicktime versions 3.x through 7.x

{BLOGME}
{GOOGLESBOX=web firewall}

LAN_PRINT_303NIST IT Security
( http://www.nist.org/comment.php?comment.news.226 )