
New QuickTime Flaw Bypasses ASLR, DEP

Soulskill posted about 4 years ago | from the once-more-unto-the-breach dept.

Security 162

Trailrunner7 writes "A Spanish security researcher has discovered a new vulnerability in Apple's QuickTime software that can be used to bypass both ASLR and DEP on current versions of Windows and give an attacker control of a remote PC. The flaw apparently results from a parameter from an older version of QuickTime that was left in the code by mistake. It was discovered by Ruben Santamarta of Wintercore, who said the vulnerability can be exploited remotely via a malicious Web site. On a machine running Internet Explorer on Windows 7, Vista or XP with QuickTime 7.x or 6.x installed, the problem can be exploited by using a heap-spraying technique. In his explanation of the details of the vulnerability and the exploit for it, Santamarta said he believes the parameter at the heart of the problem simply was not cleared out of older versions of the QuickTime code. 'The QuickTime plugin is widely installed and exploitable through IE; ASLR and DEP are not effective in this case and we will likely see this in the wild,' said HD Moore, founder of the Metasploit Project."



ew quicktime? (1, Insightful)

w00tsauce (1482311) | about 4 years ago | (#33423246)

People still use that garbage? That's like installing real player.

Re:ew quicktime? (4, Funny)

Anonymous Coward | about 4 years ago | (#33423270)

Closed source.
Apple's evil.
Wait.
Microsoft's evil.
Wait.
It's Google.
No. Apple.
No. Microsoft.
Damn you evil closed source! You have me so confused as to who to hate .....

Re:ew quicktime? (2, Informative)

Idiomatick (976696) | about 4 years ago | (#33423710)

MS is bad for OSS' ideals and goals most of the time.

Apple is bad for OSS' ideals and goals. Also bad for nerd ideals and goals. And bad for computers in general. Seriously, iTunes in past has acted like malware same w/ quicktime.

Google is actually good. BUT the potential for evil that they have is so incredibly huge that it would make anyone paranoid. So people keep their eyes on it.

Re:ew quicktime? (0)

Anonymous Coward | about 4 years ago | (#33424588)

Apple fanboys downvoting the truth because they can't accept it? How surprising.

Re:ew quicktime? (1)

DJRumpy (1345787) | about 4 years ago | (#33425572)

Why do you say that? The exposure is in the OS. Although the software may have exposed it, the vulnerability lies with MS to fix.

Apple fanboys downvoting the truth because they can't accept it? How surprising.

Re:ew quicktime? (1)

initdeep (1073290) | about 4 years ago | (#33425634)

are you seriously that stupid?

you think that the exploit, which is in Quicktime, is MS's fault?

so do you say the same thing about it being apple's fault when a program by adobe is used to exploit OSX in the yearly pwn2own?

newsflash.

it's an apple problem, regardless of the desires of the apple fandom.

Re:ew quicktime? (0, Troll)

node_chomsky (1830014) | about 4 years ago | (#33425136)

It's interesting that my apple (running quick time) has none of these problems. I guess it's their shitty engineering that makes my computer so stable and operational. If you think Apples are less conducive to nerdery and functionality compared to most other options, you are amazingly unobservant. If you think Microsoft has any advantage in either of those two qualities, you are stupid and gullible. If you think 90% of the world's population has any chance of successfully installing, using, and maintaining any stable distro of Linux, you should try to help my grandmother find the word count on her computer sometime; it will open your eyes to what level most of the world's people compute on.

Re:ew quicktime? (2, Insightful)

darkpixel2k (623900) | about 4 years ago | (#33425518)

I guess it's their shitty engineering that makes my computer so stable and operational.

Yeah. Yesterday, I plugged a Mac laptop into a projector. Apparently the Mac needs to reboot after detecting new hardware or something--so it immediately rebooted without prompting, notifying, or even asking me to save. Apple is so awesomely user-friendly. That must be their engineering commitment to build a stable and operational computer.
Anyways--while the mac was busy rebooting, I plugged my linux laptop in. It immediately started working.

Re:ew quicktime? (4, Informative)

jonwil (467024) | about 4 years ago | (#33423294)

Considering that QuickTime is a core component of iTunes, if you own an iPhone, iPod or iPad, it's fairly hard to avoid QuickTime and still get full advantage of your device.

Re:ew quicktime? (0, Troll)

Mr. Slippery (47854) | about 4 years ago | (#33423366)

Considering that QuickTime is a core component of iTunes, if you own an iPhone, iPod or iPad, it's fairly hard to avoid QuickTime

Another outstanding reason to avoid shiny geegaws from an evil company.

Seriously, WTF?

Re:ew quicktime? (3, Interesting)

vlueboy (1799360) | about 4 years ago | (#33423878)

Another outstanding reason to avoid shiny geegaws from an evil company.

To be fair, the flaw is almost a first for Quicktime -- an ancient product line predating iProducts, back when "multimedia" came in big letters on all home computers and all videos on the web were MPEG or MOV downloads. What is so bad is how we sleep on our laurels and wake up to find that we falsely associated safety with it because QT ran on a little targeted OS before it was ported to Windows...

IIRC, Apple isn't the number one seller of smartphones nor MP3 players, or distributor of Windows Multimedia readers. Yet it's generating enough attention to get exploited. Even if you and I don't own recent apple products, we have been falling in a parallel situation and taking it for granted again: all those free Google clients downloaded over the years have become a juicy target. All we need is someone to find a weak spot.

Scratch that! All we need is an unlikely "someone" among that small group who will PUBLISH the weak spot of that juicy target. All the others just exploit it for months without us being the wiser.

Re:ew quicktime? (1)

Gilmoure (18428) | about 4 years ago | (#33425502)

Apple kicked my dog and slept with my girl friend.

Full advantage? (1, Funny)

Anonymous Coward | about 4 years ago | (#33423522)

If you own an iPhone, iPod, or iPad, it's fairly hard to get full advantage of your money.

Re:Full advantage? (1)

sortadan (786274) | about 4 years ago | (#33424058)

If apple would stop forcing people to install their stupid software just to use a phone maybe 'pc' [youtube.com] wouldn't have such a hard time of it...

for a default itunes+quicktime install on 64bit windows open cmd.exe as admin (right click is your friend) and type this:

regsvr32 /u "C:\Program Files (x86)\QuickTime\QTPlugin.ocx"

Re:Full advantage? (2, Interesting)

TheRaven64 (641858) | about 4 years ago | (#33425082)

The thing I love about the iPhone is the lack of OS X integration. It works via iTunes, just like an iPod, meaning that you have to plug in a cable to sync. Meanwhile, almost every other phone (including my last four, two from Ericsson and two from Nokia), sync via bluetooth in iSync, so you just put them in the same room as the Mac and click on the 'sync now' button in the top-right of the menu bar. All of your calendars, contacts, and notes are sync'd. You can transfer photographs and other files by browsing the device in the Bluetooth File Transfer thing and dragging them to or from Finder windows, or you can send them via OBEX from the phone and have them appear automatically in a folder that you designate.

It's almost like the iPhone team had never actually used a Mac.

Re:Full advantage? (1, Funny)

Anonymous Coward | about 4 years ago | (#33425288)

open cmd.exe as admin (right click is your friend) and type this:

Opening command prompts and typing weird commands? Nobody's going to remember this crap. Windows has a long way to go before it's ready for the desktop!

Re:ew quicktime? (2, Interesting)

Techman83 (949264) | about 4 years ago | (#33423616)

iTunes without QuickTime Get iTune [msfn.org] Not necessarily. I don't own one, but a few of my friends have iDevices and the only way I'll support them is if they let me install itunes this way!

Re:ew quicktime? (2, Insightful)

profplump (309017) | about 4 years ago | (#33423866)

Is QuickTime really that bad? I understand the objection to "claim all file types", but that's true of all commercial A/V systems. Beyond that, is there anything in particular I should object to about QuickTime, or is it just random Apple hate?

Re:ew quicktime? (3, Informative)

Techman83 (949264) | about 4 years ago | (#33423908)

IMO quicktime causes windows to slow down and also likes to install background services. The Quicktime Alternative is just far less bloated and seems to work just as well. Also you aren't forced to use the quicktime player, it just behaves like any other normal video codec.

Re:ew quicktime? (0, Offtopic)

Techman83 (949264) | about 4 years ago | (#33423914)

Offtopic note: Answering slashdot posts whilst taking hell desk calls doesn't always work as expected ;)

Re:ew quicktime? (0)

Anonymous Coward | about 4 years ago | (#33424930)

Offtopic note: Answering slashdot posts whilst taking hell desk calls doesn't always work as expected ;)

hell desk??? are your users that bad?

Re:ew quicktime? (0)

Anonymous Coward | about 4 years ago | (#33424620)

Yes.

I used to think that it is just the windows version, but when I had the displeasure of using it on a mac it turned out to be the same obnoxious slow bloated pile of shit.

Re:ew quicktime? (2, Informative)

Stupendoussteve (891822) | about 4 years ago | (#33423896)

Good thing they're not running Windows or Internet Explorer.

Victim prerequisites:

* Internet Explorer.
* XP,Vista,W7.
* Apple Quicktime 7.x, 6.x ( 2004 versions are also vulnerable, older versions not checked )

Re:ew quicktime? (1)

Stupendoussteve (891822) | about 4 years ago | (#33423920)

Misread parent, although not using IE is still pretty standard, no?

Re:ew quicktime? (0)

Anonymous Coward | about 4 years ago | (#33423956)

iTunes is garbage. Use a real media organiser/player.

Itunes requires quicktime (2, Informative)

rsborg (111459) | about 4 years ago | (#33423296)

I'd say it's almost as widely installed as Adobe Reader. Here's a guesstimate answer as to how many copies there are [google.com] (numbers are old)

Re:Itunes requires quicktime (4, Insightful)

Lehk228 (705449) | about 4 years ago | (#33423304)

bonzi buddy was pretty widely installed too.

not the plugin (1)

YesIAmAScript (886271) | about 4 years ago | (#33423424)

You can turn off the browser plugin.

Re:ew quicktime? (1, Funny)

Anonymous Coward | about 4 years ago | (#33423470)

People still use that garbage? That's like installing real player.

It's quite green to use garbage. And yes I'm a real player, and you can install me for a small fee.

Re:ew quicktime? (-1, Offtopic)

Anonymous Coward | about 4 years ago | (#33423528)

Lately my penis has been getting hard. What does that mean?

Re:ew quicktime? (0)

Anonymous Coward | about 4 years ago | (#33423554)

For Slashdot a troll?

Most likely keloid scarring.

Re:ew quicktime? (1)

pspahn (1175617) | about 4 years ago | (#33424522)

Well someone has figured out the purpose of a double rainbow.

This is why people love Apple! (1, Funny)

Anonymous Coward | about 4 years ago | (#33423740)

People love Apple for this stuff, though.

No more screwing around bypassing ASLR or DEP, even the exploit code Just Works.

Re:ew quicktime? (1)

Vectormatic (1759674) | about 4 years ago | (#33424934)

try updating itunes without getting all sorts of apple crapware on your system...

My GF updated itunes a while back on my laptop to sync her iphone, and suddenly i had safari installed...

and yes, i know my own flaws here:
1) let my GF on my laptop
2) own an ipod, thus needing itunes
3) running windows on my laptop

at the very least 2 will be corrected pretty soon (same for her iphone, she wants android now..)

Quick! (0, Offtopic)

schmidt349 (690948) | about 4 years ago | (#33423262)

Can someone please print out and mail this article to Alanis Morissette so she knows what irony is?

Re:Quick! (1)

Concerned Onlooker (473481) | about 4 years ago | (#33423370)

It's like 10,000 PCs when all you need is a Mac.

Re:Quick! (3, Funny)

MichaelSmith (789609) | about 4 years ago | (#33423448)

Or free software when you've already paid.

Re:Quick! (1)

Vectormatic (1759674) | about 4 years ago | (#33424946)

it is a critical vulnerability fix, two minutes too late

joder (-1, Offtopic)

Anonymous Coward | about 4 years ago | (#33423274)

jolines!

PS (1)

schmidt349 (690948) | about 4 years ago | (#33423278)

From the article: "The result of the problem is the creation of what amounts to a backdoor in the QuickTime code, Santamarta said. 'WATCH OUT! Do not hype this issue beyond it deserves...'"

Looks like we already missed the boat on that one.

Quicktime Uninstalled (1)

dustinsherrill (1287554) | about 4 years ago | (#33423298)

I have now uninstalled the Quicktime player. Would Quicktime Alternative be any safer? Seems Apple has had a rash of security issues lately.

Re:Quicktime Uninstalled (1)

bakamorgan (1854434) | about 4 years ago | (#33423340)

There was a news article a ways back that stated that apple had more security holes than M$. Guess no one got the hint.

Re:Quicktime Uninstalled (1, Informative)

Anonymous Coward | about 4 years ago | (#33423342)

Would Quicktime Alternative be any safer?

"QuickTime Alternative consists of codec libraries extracted from the official distribution, including the official QuickTime plugin required for playing QuickTime files (.MOV and others)"

Re:Quicktime Uninstalled (0)

Anonymous Coward | about 4 years ago | (#33424376)

Would Quicktime Alternative be any safer?

"QuickTime Alternative consists of codec libraries extracted from the official distribution, including the official QuickTime plugin required for playing QuickTime files (.MOV and others)"

Without the IE plugin, this bug is far harder to exploit. IIRC, QT Alt doesn't install this by default.
It also doesn't make your system crawl by installing lots of services.

Re:Quicktime Uninstalled (0)

Anonymous Coward | about 4 years ago | (#33423360)

QT Alternative & Lite seem to be dead and outdated now. I installed Alternative once in 2007 and IIRC it allowed you to choose the plugins to install (IE, Mozilla, WMP). Anyway, I imagine you can just manually delete the browser plugins for QT if you desired to keep it.

Re:Quicktime Uninstalled (1)

SheeEttin (899897) | about 4 years ago | (#33423560)

I'm gonna plug VLC [videolan.org] here.
Free, open-source, plays just about everything. Files, streams, discs, you name it. Also does conversion (apparently, never really tried it), streaming (VLC as the stream server, that is), and minor video editing (hue, brightness, rotation, filters, etc.; but I don't know if this is just for viewing or what). Also subtitles.

Re:Quicktime Uninstalled (3, Informative)

hairyfeet (841228) | about 4 years ago | (#33423884)

The problem is nobody uses Quicktime for actually playing media files (BTW on Windows I'd prefer Kantaris [kantaris.org] as it has the VLC core but a MUCH nicer UI IMHO) anymore but like Safari Windows users get stuck with it if they want to use their iStuff.

That is why I've told customers unless they want a really shitty experience if they want to play with iStuff they better be ready to shell out for a Mac. The Windows version has always been completely shitty, the red headed stepchild of Apple. Sure it'll work, but it is buggier, slower, and generally more crappy in every way than the native Mac version. Personally I'll stick with my Sandisk and if I wanted all the bling bling I'd get a Cowon and since funnily enough I prefer my phone to just make phone calls and actually like typing on a keyboard I don't think I'm in any danger of getting an iPhone or iPad (damn that is the WORST name, I still can't believe Steve came up with that.)

Re:Quicktime Uninstalled (1)

LordLucless (582312) | about 4 years ago | (#33424694)

It's probably Apple getting it's own back after dealing with IE and MS Office for Mac.

Re:Quicktime Uninstalled (1)

clone53421 (1310749) | about 4 years ago | (#33425462)

I used to use VLC exclusively, but now I really only use it for media files that SMPlayer doesn’t like.

I initially made the switch after somebody said that SMPlayer could be configured to require very little resources – it was about the only way I could get videos to play halfway decently on a particular computer that I was stuck using for a while. VLC wouldn’t play anything without it skipping badly on that computer even after I tried to configure it to be as minimalistic as possible.

Main reasons for using SMPlayer now: Interface looks better; default pixel-smoothing video filter looks better; subtitles look better. Of course it has most of the same selling features as VLC... free, plays just about anything, doesn’t invade my PC with crap I don’t want, hotkeys (though different from VLC’s), lots of options. It also has a portable version.

Come to think of it, about the only feature I’d really point out that VLC has and SMPlayer lacks is the ability to transcode media. SMPlayer does have a nice feature which dumps every frame to an image while playing (shift-D starts/stops it), which is handy for making animated gifs.

Re:Quicktime Uninstalled (1, Interesting)

Anonymous Coward | about 4 years ago | (#33423846)

I have now uninstalled the Quicktime player. Would Quicktime Alternative be any safer? Seems Apple has had a rash of security issues lately.

Depends on what you want it for, but VLC is always a good alternative.

Windows 7 has basic support for playing mov files, without having to install Quicktime (and yay! for that). If you think upgrading to Win7 just for that is a bit overkill (it is of course :), your concern was security and Windows 7 is significantly better than XP overall in that regard.

Re:Quicktime Uninstalled (1)

tokul (682258) | about 4 years ago | (#33424198)

Would Quicktime Alternative be any safer?

Quicktime alternative does not install alternative. IMHO it installs original Apple codecs and plugin without player/editor nagware. Probably some versions behind official Apple QT. It might have more bugs than Apple QT.

Re:Quicktime Uninstalled (1)

arth1 (260657) | about 4 years ago | (#33425158)

The issues with QuickTime is why I banned iTunes several years ago, and have no intentions of reverting the ban until Apple releases an iTunes that doesn't sneak-install apps that work on a system level and are accessible even when iTunes isn't running.

Just because Microsoft is evil doesn't make Apple good. Far from it -- they're quite often one of the most rotten fruits in the barrel. Quicktime isn't just proprietary, but unsafe by design, and comes with a preferences interface that is designed to trick the user into inadvertently both "updating" and installing other software, and with planned obsolescence preventing newer version QT codecs from working with old apps (so you have to upgrade the other apps too, or replace them with alternatives from e.g. Apple).

Well duh. (1)

Securityemo (1407943) | about 4 years ago | (#33423306)

This attack doesn't belong to the class of "smashing" attacks ASLR and DEP is designed to prevent. It's like expecting salted passwords to help you defend against misconfigured NFS shares.

Re:Well duh. (4, Interesting)

blueg3 (192743) | about 4 years ago | (#33423352)

This boils down to doing a heap spraying attack, and those are in the general class of exploits that ASLR (and to a lesser extent, DEP) are designed to prevent. However, it's fairly well-known at this point that ASLR can be defeated (sometimes) by well-crafted heap-spraying attacks. (Likewise, DEP can be defeated by stack-smashing using return-oriented programming.)

Re:Well duh. (1)

shutdown -p now (807394) | about 4 years ago | (#33423444)

those are in the general class of exploits that ASLR (and to a lesser extent, DEP) are designed to prevent

To be pedantic, neither of those is designed to "prevent" so much so as to minimize the likelihood of successful attack. It's not like, say PHP magic quotes, rather just something to make life significantly harder for exploit writers.

Re:Well duh. (1)

M. D. Kristopeit (1890086) | about 4 years ago | (#33423570)

To be pedantic, neither of those is designed to "prevent" [...] It's just something to make life significantly harder for exploit writers.

to be pedantic, life will only be significantly harder for a single exploit writer for a fixed amount of time... then the world will have access to a functioning exploit and anyone can copy it at their whim, and life is back to being significantly harder only for the architects of ASLR and DEP, who now have to explain why the preventative measures they were paid to create no longer prevent anything.

Re:Well duh. (1)

shutdown -p now (807394) | about 4 years ago | (#33423602)

Exploits get patched eventually. If this increases the time it takes between a patch and a new exploit, wouldn't you say it is still worth it?

Re:Well duh. (1)

M. D. Kristopeit (1890086) | about 4 years ago | (#33423750)

and now you're left with a product full of useless code whose only purpose was to delay something that has already happened... but at the same time, there are still users of the software that rely upon that code to work, so removing it is also not an option.... and what happens when software is forced to continue including deprecated procedural code that does nothing except not break the system as long as it isn't removed? the user experience suffers.

<schwartzenegger>it's a tumor.//

Re:Well duh. (1)

KiloByte (825081) | about 4 years ago | (#33424150)

In fact, neither ASLR nor DEP can ever prevent an attack. They can at most minimize the damage, turning running arbitrary code into a mere DoS.

With or without ASLR or DEP, you still need to fix the underlying security hole.

Re:Well duh. (1, Interesting)

Anonymous Coward | about 4 years ago | (#33423590)

Indeed, ROP is fun and the easiest technique to exploit classical buffer overflow bugs right now, but this is only because the compiler is too lax at implementing canaries and ASLR is crap.

ASLR when performed right is unbeatable in the same way as 256-bit key encryption is, and I think the final nail on the code execution coffin will be full ASLR rather than DEP and Stack protection. The problem is that ASLR as shipped right now in most systems is far too weak and in some places it doesn't exist at all, giving the attacker a known environment. In certain circumstances, data corruption is as good as data execution - if it can be done in a predictable way, the game is over.

Full heap randomization and good canary protection should be priorities for the OSes which aren't doing it right now. Linux, for all its security aura is particularly shameful. Apparently keeping your data from organized crime isn't worth a 10% speed-down in Phoronix.

Re:Well duh. (1)

fast turtle (1118037) | about 4 years ago | (#33425720)

From what I recently read in regards to DEP/ASLR testing, the Apple Devs are simply being effen lazy or stupid as quicktime doesn't even use ASLR according to the graphic on this page http://taosecurity.blogspot.com/2010/07/secunia-survey-of-dep-and-aslr.html [blogspot.com]

Note that I'd seen this graphic last week (don't recall if Eweek or other). I hate to say it but it's really bad when Adobe is actually responding to the issue by fixing their software unlike Apple. My understanding is that following an ASLR design standard does not prevent software from using known address spaces. All it does is ensure that the software does not break when thrown into a mandatory ASLR environment.

Re:Well duh. (5, Informative)

cbhacking (979169) | about 4 years ago | (#33423600)

More to the point, this attack uses ROP (which, as you say, defeats DEP) but it does it using bits of code, called "gadgets", that are part of a library which is loaded without ASLR. Even though the browser itself is using ASLR, some of its libraries will be loaded at known locations, which is what makes this attack work. That's not exactly defeating ASLR so much as it is taking advantage of the fact that it isn't universally used yet, kind of like the way some legacy programs aren't DEP-compatible.

For the time being, ASLR is only opt-in; if a library doesn't mark itself as ASLR-compatible, the loader will put it at its preferred base address. Or at least, it will try to. The fact is that dynamically linked libraries can never guarantee that their preferred address range is available, and therefore should never assume that they are at a given location in memory. In fact, most of them don't... but they still don't have the opt-in flag, either because they're old or because the developer didn't set it. I wonder how hard it would be to simply *force* ASLR by telling each library, as it loads, that its preferred address is simply unavailable and it's going to be stuck someplace else...
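A defender's check for the opt-in cbhacking describes, added here as an example that is not from the thread: this standard-library Python parser reads a PE file's DllCharacteristics field and reports whether the DYNAMICBASE (ASLR) and NX_COMPAT (DEP) flags are set, so a module loaded at its preferred base can be spotted before an attacker does. The minimal header builder is a constructed test input, not a real module.

```python
"""Report whether a PE image opts in to ASLR (DYNAMICBASE) and DEP (NX_COMPAT).
Added example; standard library only. Offsets follow the PE/COFF specification."""
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be relocated (ASLR opt-in)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is DEP-compatible


def pe_dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics field of the PE image in `data`.

    Raises ValueError when the buffer is not a PE image. Works for both
    PE32 (0x10B) and PE32+ (0x20B): the field sits at offset 70 of the
    optional header in both layouts.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # 20-byte COFF file header
    (size_opt,) = struct.unpack_from("<H", data, coff + 16)  # SizeOfOptionalHeader
    opt = coff + 20                           # optional header start
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if size_opt < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short")
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return dll_chars


def mitigation_status(data: bytes) -> dict:
    """Map the flags to the two mitigations the thread is discussing."""
    chars = pe_dll_characteristics(data)
    return {
        "aslr": bool(chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def scan_file(path: str) -> dict:
    """Convenience wrapper for a real DLL/OCX/EXE on disk."""
    with open(path, "rb") as fh:
        return mitigation_status(fh.read())


def build_minimal_pe(dll_characteristics: int) -> bytes:
    """Constructed test input: a bare PE32 header (not loadable) carrying the
    given DllCharacteristics value."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224                            # standard PE32 optional header size
    # Machine=i386, 0 sections, timestamp, symtab ptr, nsyms, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)     # PE32 magic
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, scan_file(p))
```

Run it against the plugin and its dependencies (for example the QTPlugin.ocx path quoted earlier in this thread); any module reporting `aslr: False` is one the loader will place at its preferred base.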

Re:Well duh. (1)

drinkypoo (153816) | about 4 years ago | (#33424674)

wonder how hard it would be to simply *force* ASLR by telling each library, as it loads, that its preferred address is simply unavailable and it's going to be stuck someplace else...

it would be real easy and this is probably precisely how it's done, at least, only libraries which are relocated at all get ASLR. It's not done universally because some [improperly written] libraries crap themselves when you do this.

Re:Well duh. (0, Offtopic)

Lorens (597774) | about 4 years ago | (#33423562)

So why aren't people more interested in OS like KeyKOS/Eros/Coyotos/CapROS [wikipedia.org] that are designed to prevent all and any attacks while simplifying programming and maintaining or even increasing usability?

Re:Well duh. (0)

Anonymous Coward | about 4 years ago | (#33423586)

I'm trying to follow along here, help me out.

1. Attack doesn't belong into the "smashing" class that ASLR and DEP help prevent.
2. ??????????????
3. Why aren't people interested in this <magic bullet>?

Re:Well duh. (0)

Anonymous Coward | about 4 years ago | (#33423716)

Because next to no one writes software for said platforms? It's a natural monopoly.

Steve Jobs says (0)

Anonymous Coward | about 4 years ago | (#33423420)

Just get a Mac. No big deal.

Re:Steve Jobs says (1, Funny)

iPhr0stByt3 (1278060) | about 4 years ago | (#33423544)

Just Get a Mac. And if you don't we'll keep "accidentally" leaving backdoors in our software for windows.

Re:Steve Jobs says (1)

vistapwns (1103935) | about 4 years ago | (#33424208)

Yea it's ironic how Apple talks so much about Windows malware, I wonder how much of it got in through Apple software that is poorly coded and/or doesn't opt-in to Windows security technologies.

Re:Steve Jobs says (0)

Anonymous Coward | about 4 years ago | (#33425038)

Of the two commercial PC OSes, Mac OS X is the one clearly ages behind in security technology.
All the technologies you hear about in this article? Apple started implementing half-cooked versions of them in Snow Leopard.
It isn't all that surprising of a company that shipped a cooperative-multitasking system until 2001 and is now selling a single-task OS.
One day, they'll reintroduce the Apple II with polished titanium casing and say it's technologically superior to IBM Quantum Computers, and the funny thing is it will outsell the latter.

Re:Steve Jobs says (1)

Rockoon (1252108) | about 4 years ago | (#33424370)

I dont understand why that is modified troll.

Apple bills itself as the quality option, so how can it be accidental that the Windows versions of each of their software products be so horrible on so many metrics?

The only question is, does the shitty shitness of their shit reflect intentional malice, or intentional apathy?

it'll probably be a while till this one's fixed... (0)

Anonymous Coward | about 4 years ago | (#33423460)

apple don't have too much interest in supporting their legacy stuff in windows.

hell, i ran a PC based grading system that quicktime update broke on several occasions. i've had to roll back quicktime installs more than a few times.

but if they do consider fixing this, while they've got everything open, they can look at the colour inaccuracies and implementing a ProRes encoder in windows.

i think this exploit will stay around indefinitely. there's not a mac fanboy in the world who wouldn't say this is actually a windows problem, not an apple one.

Re:it'll probably be a while till this one's fixed (1)

bell.colin (1720616) | about 4 years ago | (#33423708)

I don't like Apple products that much (especially QuickTime and the Shiny iWhatever products) but I fail to see why a grading system would need a Video/Audio decoder.

Re:it'll probably be a while till this one's fixed (1)

initdeep (1073290) | about 4 years ago | (#33425748)

you fail to see how a color grading system would need an a/v decoder?

ru kidding? (1)

4d3fect (1023141) | about 4 years ago | (#33423464)

Quicktime? Windows?

Kinda disappointed (1)

OneoFamillion (968420) | about 4 years ago | (#33423530)

At first I thought "Ruben Santamarta of Wintercore" was his name. I also considered this awesome.

Re:Kinda disappointed (0)

Anonymous Coward | about 4 years ago | (#33424094)

You're a moron, how could someone be named the same as a company?

Just get a PC. (-1, Offtopic)

Anonymous Coward | about 4 years ago | (#33423582)

I got a firewall.
I got an anti-virus program.
I got a anti-spyware program.
I got Firefox.

What do Macs have?

Steve Jobs to complain to, but it'll fall on deaf ears as it takes them months to patch anything.

Re:Just get a PC. (-1, Troll)

SuperKendall (25149) | about 4 years ago | (#33423624)

What do Macs have?

A complete lack of trojans and spyware and viruses that make all of the things you list pretty much needless (well except for Firefox)?

Or how about coming with a real firewall built in but not needing it because it also doesn't come with open ports.

Enjoy your zombie breeding ground! I'll be busy working.

Steve Jobs to complain to, but it'll fall on deaf ears as it takes them months to patch anything.

They might hurry more if there were any malware to prevent the spread of. They certainly issue security fixes faster on the iPhone.

Re:Just get a PC. (0)

Anonymous Coward | about 4 years ago | (#33424060)

May want to type in the words mac and trojan in a search engine. If you are living under the delusion they don't exist you are the perfect target :-) I guess regardless of platforms there will always be the computer illiterates like yourself that actually believe the drivel spouted by vendors.

Re:Just get a PC. (0)

Anonymous Coward | about 4 years ago | (#33424078)

AppleScript-THT
DNSChanger
Trojan.iServices.A

3 I can think of without searching. Ignorance is bliss I guess. I imagine a lot of infected windows users also spout off about how they never get infected so they don't need anti virus.

Re:Just get a PC. (0, Flamebait)

daveime (1253762) | about 4 years ago | (#33424106)

Why in God's name would you need any ports other than 80 open?

The only thing you people connect to is *apple.com for your daily dose of Jobsology.

Yuo fa1l it (-1, Offtopic)

Anonymous Coward | about 4 years ago | (#33423648)

the problems FreeBSD is already gawker AT most Smith only serve

Penny Auction (http://pennyauctioninfo.com) (-1, Offtopic)

Anonymous Coward | about 4 years ago | (#33423652)

It's definitely perfect post!
Thanks a ton,
Penny Auction!

what the hell is quicktime! (0)

Anonymous Coward | about 4 years ago | (#33423702)

I've got a mac and I still don't use quicktime. VLC anyone?

Re:what the hell is quicktime! (3, Informative)

TheRaven64 (641858) | about 4 years ago | (#33425162)

If you've got a Mac, you almost certainly do use QuickTime. You may not use the QuickTime Player front-end, but a lot of other Mac apps use the underlying frameworks for media playback. Any time a Cocoa app goes beep, it's using the NSSound object (maybe wrapped in the NSBeep() function), and NSSound uses QuickTime for audio decoding. iTunes uses it for playing back music, Safari uses it for video and audio, iMovie uses it for playback and encoding, and so on. Unless you boot into single-user mode and then bring the machine up without launching the window server, odds are that you use QuickTime regularly.

inFormatived shitshit (-1, Offtopic)

Anonymous Coward | about 4 years ago | (#33423732)

correct netwoRk United States.

Working..somewhat (1)

Airborne-ng (1391105) | about 4 years ago | (#33423766)

Successfully created meterpreter session with XP test box but not against 7 box despite what TFA says. Anyone experiencing similar results?

late story (-1, Offtopic)

Anonymous Coward | about 4 years ago | (#33423808)

jduck committed this shit and posted it on twitter almost 12 hours ago.

Every time Steve Jobs says something about Flash (-1, Troll)

Alistair Hutton (889794) | about 4 years ago | (#33424144)

I just think about Quicktime on Windows and laugh.

Re:Every time Steve Jobs says something about Flas (0)

Anonymous Coward | about 4 years ago | (#33424744)

Used to be that Quicktime on Windows + MIDI on a web page = quickest way to hang your web browser process. I've no idea if this is still the case because there's no way I'd ever install Quicktime on Windows ever again, not even to see if it still sucks so bad.

Re:Every time Steve Jobs says something about Flas (1)

NJRoadfan (1254248) | about 4 years ago | (#33425274)

I hate that stupid plug-in, and if it didn't lock up, it made most MIDI files sound like crap. I have a real MIDI synth to play back those files, but Quicktime thinks it isn't good enough.

ebay ticket selling (-1, Troll)

lucypinder (1890534) | about 4 years ago | (#33424194)

This is exactly what I was looking for. Thanks for sharing this great article! That is very interesting Smile I love reading and I am always searching for informative information like this! You are bookmarked! Thanks. http://www.listeasy.net/ [listeasy.net]

Re:ebay ticket selling (1)

euyis (1521257) | about 4 years ago | (#33424248)

For some reason I think I would mod you funny if I had points.

MS should be more like Apple (1)

Monoman (8745) | about 4 years ago | (#33424426)

This might have been avoided if MS had something like the App Store for Windows. They could have taken their time before allowing this to be released .... just to be really, really sure something like this wouldn't happen.

I keeed, I keeed .... sorta. :-)

Misread Title (0)

Anonymous Coward | about 4 years ago | (#33424486)

ASL, DERP

*sigh*

queue another itunes update (0)

Anonymous Coward | about 4 years ago | (#33424490)

Great, another 100 MB update for a one-line bug coming soon.

Hold on (2, Interesting)

ledow (319597) | about 4 years ago | (#33424554)

If a badly-written program can circumvent ASLR and DEP for itself, then aren't DEP and ASLR a bit useless? The point of them is to prevent data execution, and to randomise the address space. How does a badly-written, ancient program "bypass" such measures? I can understand such measures not being applied (e.g. because ASLR or DEP on really-old code would break it because it was written with certain assumptions) but what that then assumes is that some administrator or Microsoft programmer has chosen at some point to disable DEP and ASLR for those old programs (if they have DEP and ASLR enabled at all). And if the code wasn't compiled without some DEP/ASLR magic enabled, then is this really surprising? What's to stop any other program similarly avoiding DEP/ASLR, or anyone exploiting such programs?

How is this a "Quicktime problem" when the code being attacked is years old, and yet the OS still lets it break basic security? Surely the problem is not the program, but the things that let it execute. Hell, I have used old Windows programs that refuse to work with DEP enabled because they make certain assumptions, and I realised that because the DEP handler would prevent them working in XP; they were NOT compiled at a time when any knowledge of DEP or ASLR on Windows was around. That's the whole point of DEP, isn't it? To stop programs executing code they shouldn't? I had to force an override for them network-wide, but that was my choice, and no, I did not specifically enable DEP myself; the Windows XP install decided to do that for me.

Is this version of QuickTime whitelisted? Are DEP and ASLR really that worthless that "old programs" compiled before they came along are allowed to do anything? Isn't this the fault of an administrator running an outdated program rather than anything to do with DEP, ASLR, Quicktime or anything else? What's Quicktime doing differently to every other old, insecure program out there that makes it more of a risk?

Seems like a complete red herring to me. Don't run old software. Don't run insecure software. Don't run programs that you haven't authorised yourself. And, apparently, don't rely on DEP or ASLR to actually DO anything.

Re:Hold on (2, Insightful)

99BottlesOfBeerInMyF (813746) | about 4 years ago | (#33425146)

If a badly-written program can circumvent ASLR and DEP for itself, then aren't DEP and ASLR a bit useless?

In terms of preventing malware from running, no, they're an extra roadblock, but they are certainly not the hardest to overcome.

How does a badly-written, ancient program "bypass" such measures?

By linking the exploit to MS-provided software included with Windows that does not use ASLR. From the article: "The gadgets come from Windows Live messenger dlls that are loaded by default on IE and have no ASLR flag."

The Quicktime problem is that someone can get arbitrary code to try to execute on your box in the first place. That only happens because of the Quicktime flaw.

Are DEP and ASLR really that worthless that "old programs" compiled before they came along are allowed to do anything?

This isn't about old programs. This is the current version of Quicktime. This is about old code in the current version, code that should never have shipped in the first place. But, until DEP and ASLR are applied to everything that is on a huge number of boxes and/or application-level sandboxing or access control becomes robust, DEP and ASLR are not very effective.

What's Quicktime doing differently to every other old, insecure program out there that makes it more of a risk?

The Quicktime part of this exploit isn't all that unusual. It's just run of the mill except for being the result of programmers' backdoor shortcut code that should never have gone out in the production release. The bypassing of ASLR in this case was more interesting to me.
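
The point made in the comment above (the memory-corruption bug is QuickTime's, but the ASLR bypass works because other modules in IE's address space were built without the ASLR flag) is something a defender can verify directly from the PE header: the optional header's DllCharacteristics field carries IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR opt-in) and IMAGE_DLLCHARACTERISTICS_NX_COMPAT (DEP opt-in). The following Python script is an added example written for this discussion, not code from the thread, the article or any party it names; it parses that field and lists modules that would load at a fixed base. The sample images are constructed header-only byte strings labelled as such, not real DLLs, and the Windows Live Messenger DLLs the comment mentions are not reproduced here.

```python
import struct
from typing import Dict, Iterable, List, Tuple

# Bits of IMAGE_OPTIONAL_HEADER.DllCharacteristics (values from the PE/COFF spec).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be rebased: ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is DEP (NX) compatible


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics word of a PE32 or PE32+ image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ/PE executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER is 20 bytes and follows the 4-byte signature.
    optional = e_lfanew + 4 + 20
    (magic,) = struct.unpack_from("<H", image, optional)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 in both formats: the 8-byte ImageBase
    # of PE32+ takes the room of PE32's separate BaseOfData and 4-byte ImageBase.
    (chars,) = struct.unpack_from("<H", image, optional + 70)
    return chars


def audit_image(name: str, image: bytes) -> Dict[str, object]:
    """Report whether one module opted in to ASLR and DEP."""
    chars = dll_characteristics(image)
    return {
        "name": name,
        "aslr": bool(chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def modules_without_aslr(images: Iterable[Tuple[str, bytes]]) -> List[str]:
    """Names of modules that load at a fixed base. One such module in a browser
    process gives an exploit predictable addresses no matter how the rest of
    the process was built, so a hardening review should flag each of them."""
    return [r["name"] for r in (audit_image(n, d) for n, d in images) if not r["aslr"]]


def audit_files(paths: Iterable[str]) -> List[Dict[str, object]]:
    """Audit real DLL/EXE files on disk (e.g. the plugins loaded by a browser)."""
    results = []
    for path in paths:
        with open(path, "rb") as fh:
            results.append(audit_image(path, fh.read()))
    return results


def make_test_image(chars: int, pe32plus: bool = False) -> bytes:
    """Constructed header-only PE image for testing: no sections, no code,
    not loadable. Only the fields the audit reads are filled in."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    file_header = struct.pack(
        "<HHIIIHH",
        0x8664 if pe32plus else 0x14C,  # Machine: AMD64 / I386
        0,          # NumberOfSections
        0, 0, 0,    # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols
        opt_size,   # SizeOfOptionalHeader
        0x2002,     # Characteristics: DLL | EXECUTABLE_IMAGE
    )
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", optional, 70, chars)
    return bytes(dos) + b"PE\0\0" + file_header + bytes(optional)


if __name__ == "__main__":
    # Constructed samples: names and flag combinations are made up for the demo.
    samples = [
        ("hardened.dll", make_test_image(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                                         | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)),
        ("dep_only.dll", make_test_image(IMAGE_DLLCHARACTERISTICS_NX_COMPAT)),
        ("legacy64.dll", make_test_image(0, pe32plus=True)),
    ]
    for name, data in samples:
        print(audit_image(name, data))
    print("fixed-base modules:", modules_without_aslr(samples))
```

On Vista and 7 the DYNAMIC_BASE bit is a per-image opt-in: a module without it is mapped at its preferred base regardless of how the host executable was linked, which is why a single non-ASLR DLL in the browser process undoes the randomisation of everything else. Running audit_files over the modules a browser loads (plugins included) is the quickest way to find them.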

a vulnerability in QuickTime software ? (0)

Anonymous Coward | about 4 years ago | (#33425590)

Shouldn't that be a flaw in the Memory Management Unit of the underlying operating system? And never mind badly-written software, what's to stop anyone from deliberately programming in such flaws in order to bypass security?
