
SANS ISC: Apple QuickTime potential vulnerability/backdoor - SANS Internet Storm Center


Apple QuickTime potential vulnerability/backdoor

A vulnerability/backdoor in Apple QuickTime has been announced, and we are keeping an eye on it.

Adrien de Beaupré Inc.

Adrien de Beaupre

353 Posts
ISC Handler
Aug 30th 2010
Could this be mitigated with SlayOCX? If so, what is the CLSID?

6 Posts
Aug. 31, 2010 - "... Users may wish to disable the QuickTime plugin until a patch is available; this can be achieved by setting the killbit for the affected control (02BF25D5-8C17-4B23-BC80-D3488ABDDC6B) -or- renaming the plugin (QTPlugin.OCX)..."

30 August 2010 - "... exploit... works only against those who have Microsoft's Windows Live Messenger installed..."

160 Posts
From the above-mentioned Register article:

"While the exploit posted by Santamarta works only against those who have Microsoft's Windows Live Messenger installed, the researcher told The Reg that components that ship by default with QuickTime can be used to pull off the same ROP sleight of hand. Files called QuickTimeAuthoring.qtx and QuickTime.qts are two possibilities."

"Indeed, programmers with the open-source Metasploit project used by penetration testers and other hackers are in the process of building an attack module that does just that."

The exploit posted by Santamarta uses Windows Live Messenger because its DLLs don't use ASLR and DEP so the exploit has an easier time. But the underlying vulnerability and the approach used by Santamarta can take advantage of any DLL that doesn't use ASLR and DEP, and there are a lot of them on the typical system.
QuickTime 7.6.8 released - September 15, 2010

160 Posts
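The comment above turns on whether a module opted into ASLR and DEP, which a PE records in the optional header's DllCharacteristics field (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE and IMAGE_DLLCHARACTERISTICS_NX_COMPAT). The following is an added example, not code from the thread or from Apple, that reads those two bits so a defender can audit which DLLs on a system lack them; the sample PE headers are constructed inline and are not loadable images.

```python
import struct

# DllCharacteristics bits from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image can be relocated (ASLR opt-in)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is DEP-compatible (NX opt-in)


def dll_characteristics(pe: bytes) -> int:
    """Return the DllCharacteristics field of a PE image given as raw bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # Signature (4) + IMAGE_FILE_HEADER (20) precede the optional header; within the
    # optional header DllCharacteristics sits at offset 70 for both PE32 and PE32+.
    optional_header = e_lfanew + 4 + 20
    return struct.unpack_from("<H", pe, optional_header + 70)[0]


def mitigations(pe: bytes) -> dict:
    """Report whether the image opted into ASLR and DEP."""
    dc = dll_characteristics(pe)
    return {
        "aslr": bool(dc & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dc & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def audit_file(path: str) -> dict:
    """Convenience wrapper for a real DLL or EXE on disk."""
    with open(path, "rb") as f:
        return mitigations(f.read())


def build_sample_pe(dc: int) -> bytes:
    """Constructed sample: a minimal DOS stub, PE signature, file header and PE32
    optional header (no sections, no data directories) carrying the given flags."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: NT headers follow the DOS header
    nt = bytearray(4 + 20 + 96)                       # signature + file header + PE32 optional header
    nt[:4] = b"PE\0\0"
    struct.pack_into("<H", nt, 4 + 20, 0x10B)         # Magic: PE32
    struct.pack_into("<H", nt, 4 + 20 + 70, dc)       # DllCharacteristics
    return bytes(dos + nt)


if __name__ == "__main__":
    for name, flags in (("legacy_module", 0), ("hardened_module", 0x0140)):
        print(name, mitigations(build_sample_pe(flags)))
```

Run `audit_file()` over the DLLs a plugin host actually loads to list the modules an attacker could reuse for a ROP chain the way the comment describes; any result with `aslr` or `dep` false is a candidate to update or remove.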
