BREAKING: MacBook Vuln In Quicktime, Affects Win32 Apple Code
New details are emerging about Dino’s MacBook finding (don’t you just love vulnerability markets?)
Dino’s finding targets Java handling in QuickTime.
Any Java-enabled browser is a viable attack vector, if QuickTime is installed.
Apple’s vulnerable code ships by default on Mac OS X (obviously) and is extremely popular on Windows, where this code introduces a third-party vulnerability. (Irony!)
Firefox and Safari are confirmed vectors on MacIntel. Users of both browsers are placed at risk by this vulnerability in Apple’s code.
Firefox is a presumed vector on Win32, if Apple’s QuickTime code is installed. Users of Firefox on Windows are presumed to be at risk because of this vulnerability in Apple’s code.
Disabling Java in the browser blocks the attack vector.
Are PPC Macs vulnerable as well, or just MacIntels?
PPC hasn’t been confirmed vulnerable yet. You are dependent on the 3Com Zero Day Initiative to “clear” details like that for distribution, and I don’t like it any more than you do.
[…] More details emerging —- vulnerability in QuickTime, may place Windows users at risk. […]
So the bug is in QuickTime for Java? or is it in Java itself?
QuickTime. Think of it as a problem that can be triggered only if Java is enabled.
[…] Via | Matasano. […]
[…] News is coming out about the bug which allowed someone to exploit a MacBook with all the current (as of 2007-04-23) security updates. […]
Based on the statements so far it sounds like the vuln uses QT4J to call into the platform’s native QT APIs, where it triggers a bug of some sort. (Bad data, buffer overflow, etc.) That would mean QT4J is just the vector, and doing its job by passing the call through — it’s necessary to trigger the bug, but not at fault.
That would explain why disabling Java will block the vuln, and also why it should readily affect other OSes.
So, if you guys are presumably not supposed to be leaking this information you’ve sold to 3com, what are the sources?
3Com clears the information piecemeal.
nice..
[…] Update: Thomas Ptacek of Matasano Chargen sheds a few more details of the vulnerability. The culprit is QuickTime, and a Java-enabled browser is a viable attack vector, if QuickTime is installed. This means Windows users are vulnerable too. […]
Wow, effectively it’s cross-platform. If the bug exploits a built-in OS interface feature then the current attack may work as-is against a Windows based computer. But I assume that if it’s causing a buffer overflow condition that right now it’s probably DoSing Windows. In which case this may or may not lead to a Windows exploit.
Nice discovery, will certainly keep Apple awake for a few nights.
[…] I thought this was interesting, so I’ll share this with you guys. The security exploit on Safari can affect Windows machines using Firefox with QuickTime installed. Interesting. Another QuickTime hole that needs patching. Source. […]
[…] According to the Matasano blog, the security hole is said to lie in QuickTime’s handling of Java. Thus both Firefox and Safari on Mac OS X, as well as Firefox in combination with QuickTime on Windows, are affected. From the Matasano blog: • Dino’s finding targets Java handling in QuickTime. […]
[…] Matasano Chargen: BREAKING: MacBook Vuln In Quicktime, Affects Win32 Apple Code […]
[…] What started off as a hack of a MacBook Pro at a security conferences has now been revealed to be a hack exploiting a vulnerability in the way Quicktime talks to Java. What does this mean? It means that this is not just an issue for Mac users, Windows users are vulnerable too! Thankfully the solution is simple, turn off Java (not JavaScript) in your web browser. […]
Either if it is JS, Java, QuickTime or any other plugin, just another job for NoScript
http://noscript.net
[…] New York consultancy Matasano Security LLC. said in its Matasano Chargen blog that the QuickTime flaw is also a threat to those who use Safari, Firefox and Windows. […]
Is it Java, or Javascript?
[…] This is still in the early phases of discussion, but it seems Apple QuickTime has a vulnerability that may be remotely exploited to take complete control of an affected system. The flaw is related to Java processing and is exploitable by attackers to execute arbitrary commands on a vulnerable Apple OS X or Microsoft Windows system. Safari and Firefox have been confirmed on MacIntel. The attack vector simply requires a user to visit a malicious HTML page via a web-browser. […]
It involves Java, not Javascript.
Is this threat viable for all levels of users? If a machine is being run from a managed (non-admin) account can the code still be executed and access gained?
Thanks for the info!
Yes. Yes.
1) I think some people are confused by the suggestion to use NoScript to mitigate this risk. The Quicktime vulnerability involves ‘Java’ (passed to it by the browser). NoScript can be set to stop JavaScript, Java, and browser plugins on a (allow/deny) site by site basis. The new version also has some protection for XSS. If you use Firefox it is a must have layer of protection.
2) Still waiting for information as to whether this vuln takes advantage of a poorly thought out built-in Quicktime function or executes after a buffer overflow. This information greatly affects how this affects Windows. This info is probably still embargoed.
It is my understanding that this exploit only gains the privilege level of the user running the browser (not full root access, otherwise the other prize would have been claimed as well). If this is the case, then it should be possible to create a “sandbox” account on the Mac where only the Safari application can be run, and only the “sandbox” user’s directory can be written to. This should be able to restrict the damage that this potential exploit can do to this specific account. This might be an acceptable workaround (when combined with fast user switching) for those that need Java for the sites they are using. Ideas?
Mike, you could do that. Nobody else does it. More importantly, as funny as it is to point out how bad this vulnerability is, and how ironic it is, it doesn’t really put anyone at risk (until Rosyna from Unsanity reverses it entirely from the trickle of information 3Com is letting out).
So I recommend doing, uh, nothing.
I really do not believe this at all. I have had Macintosh computers running on the internet serving websites / mail / and FTP and they have been running for over two years now with a ton of people hacking at them, and still no one has ever got into them. Wish people like this would show us step by step instead of telling us that it has happened. Prove it, people.
I think that it is only a Java issue, not an Apple issue.
But still no access to root, correct?
Billy: it’s weird that you think that just because you want it to be a Java issue it will be a Java issue. The wishfulness of much of the Mac pundit community is pretty fascinating. It’s not a Java issue; it’s a vulnerability in Apple’s QuickTime code. Java is just the vector that exposes it.
Tom: on the overwhelming majority of deployed Macs, breaking Safari puts you one move away from checkmate — “admin” users are root-equivalent.
But who cares? Read this:
http://www.matasano.com/log/809/a-little-challenge-to-our-mac-advocate-friends/
Especially the comments.
Worrying about “root” on a single-user machine is like worrying about a bank robber stealing the doors and the chairs.
[…] Straight out of CanSecWest we now have a advisory posted for Quicktime. This covers the hack that allowed Dino Dai Zovi to pwn a MacBook in a hacking contest at CanSecWest. This was previously erroneously attributed to a Safari hack. […]
Has this been reported directly to Apple? If so, please provide a reference.
If this hasn’t been reported to Apple, this notice is dubious at best. To release a notice about a vulnerability and not report it to the accountable parties is irresponsible rumor-mongering. I would hope this isn’t the kind of thing matasano is participating in.
Thomas: It is not weird that I think Java is at fault. I know that Java is a tool that allows control over a lot of things, both on Macintosh and on Windows computers as well. Maybe there might be a hole in QuickTime that Java, the transport, used. Also, to answer your quote to Tom: “admin” users are root-equivalent. Only a real administrator like me and others know not to set users to have admin privileges. I still would like to be shown. Talk is nothing but talk until it can be proven. We hear about exploits all of the time; most of us would like to see the proof. Most users like myself are security aware of problems and I myself would like to see the proof. At least I don’t have users called test or admin or even root on my computers. You can hack at those accounts all day and never get in.
Billy, what’s weird is that you clearly have no information about what the details of the exploit are, but you’re speaking with some authority about what those details are. You’ve made your point; if you have another point to make, go ahead. I’m going to delete any comments that suggest “facts” about the vulnerability that I know to be false.
PowerBook user here still waiting to hear if this is an intel-only issue. It seems to me the Apple PowerPC based machines have significant security advantages over both MacIntels and Windows machines, for obvious reasons.
PPC forever (or at least until the warranty runs out).
Thomas:
Oh ye of infinite patience.
If only people read this at face value.
If this was a Java vulnerability, then it would be a Java bug, not a Quicktime bug. This would put Linux, *BSD, etc. at risk as well. But this is not just a drive-by download via Java (haven’t heard of any drive-by downloading via Java, except if malware is already installed), it’s Quicktime’s handling of it.
Just for future reference people, if “Java” is said, then take it as Java, not “Javascript,” they are two totally different things.
- Disabling Java stops the vulnerability.
Uninstalling Quicktime seems to stop the vulnerability as well.
I’m a home PC user and use Windows 98 SE on an AMD 1800 XP (like a Pentium 4) and have QuickTime 6.4. The Apple site said I can’t upgrade/patch unless I have an NT type OS. What are my options, please?
Regards, Richard dickie@pobox.com
PS: how do I disable Java, if that’s what I must do, or uninstall QuickTime? What about those third-party programs with codec packages that essentially compete with QT & Real Player?? rrrr
[…] revelation that the security flaw exploited to win a hacking competition last week was related to Java applets that used QuickTime is […]