Old Apple QuickTime code puts IE users in harm's way

Exploit bypasses Windows' DEP, ASLR defenses, can be used in drive-by attacks

Apple's failure to clean up old code in QuickTime leaves people running Internet Explorer (IE) vulnerable to drive-by attacks, a Spanish security researcher said today.

Ruben Santamarta, a researcher at Madrid-based Wintercore who revealed a bug in IE8 last month, today outlined the QuickTime plug-in vulnerability.

Hackers only need to dupe users into visiting a malicious site hosting exploit code, said Santamarta, who added that his attack code works when someone browses with IE on a machine running Windows XP, Vista or Windows 7 that has QuickTime 7.x or the older QuickTime 6.x installed.

Santamarta's exploit works because Apple didn't tidy up QuickTime's code after developers dropped the "_Marshaled_pUnk" function.

"Although this functionality was removed in newer versions, the parameter is still present," Santamarta wrote in his advisory. "Why? I guess someone forgot to clean up the code."

His attack code also bypasses a pair of important security measures Microsoft has added to Windows: DEP (data execution prevention) and ASLR (address space layout randomization).

DEP and ASLR sidestepping isn't new: In late March, Dutch researcher Peter Vreugdenhil exploited a vulnerability in IE8 running on Windows 7 with attack code that evaded DEP and ASLR to win $10,000 at the fourth-annual Pwn2Own contest. And last month, Santamarta said that the IE8 bug he published could also be used to bypass the technologies.

"This issue can be used in a drive-by attack, as QuickTime is widely deployed, and for some reason people still [use] IE," said HD Moore, chief security officer at Rapid7 and the creator of the Metasploit penetration testing framework, in an e-mail. "Unlike other browser -based exploits, Windows 7 with ASLR/DEP will not make an appreciable difference due to the presence of an unprotected DLL within QuickTime itself."

In his advisory, Santamarta said he had sent details of his exploit to Metasploit. Moore confirmed that Metasploit developers are working on a module for the hacking toolkit, and are shooting for a Tuesday release of a reliable exploit.

Like Santamarta, Moore believes that the bug was an oversight, not an intentional back door left by an Apple programmer.

Attacks that leverage Santamarta's bug will probably pop up soon, Moore added.

"This exploit will likely make it into the wild; the complete exploit details were provided as part of the initial blog post and with the QuickTime install base being what it is, there is incentive to include this vulnerability into the various [exploit] kits," Moore said.

Until Apple issues a patch, users can stymie attacks by uninstalling or disabling the QuickTime plug-in. Symantec recommended that users set the killbit for the QuickTime ActiveX control or rename the plug-in.

Instructions for setting an ActiveX control's killbit can be found on Microsoft's support site .

Apple last patched QuickTime for Windows on Aug. 11 when it shipped version 7.6.7 to fix a different bug in the program's error logging.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com .

Read more about security in Computerworld's Security Topic Center.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags AppleMicrosoftsecurityWindowssoftwareMalware and Vulnerabilitiesoperating systems

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?