URGENT: Unconfirmed Reports QuickTime Exploit Capture Is Circulating

Thomas Ptacek | April 25th, 2007 | Filed Under: Apple, Uncategorized

Remember what I said about “living dangerously”? Stop living dangerously, right now. Turn Java off in your browser. Watch this space for more details.

[Update: 1:43 EST]

There are unconfirmed reports, from multiple credible sources, that the challenge MacBooks from the contest were exposed to an unprotected wireless network, and that raw packet captures of the successful exploit have been taken by parties unknown to us.

We’re looking for comments from people involved with the contest for more details about the network topology so we can confirm this.

There’s a difference between the exploit being captured and the exploit being successfully hosted by attackers in the wild. Even so, this is a particularly virulent problem. It affects every mainstream browser on every mainstream desktop platform (possibly excepting Vista). Disable Java in your browser until you’ve received a patch.

[Update: 1:30 EST]

InfoSec Sellout is blogging that they’ve reversed the vulnerability and also captured all the packets from the conference. Those claims have not been verified. InfoSec Sellout is not one of our sources. Their claims aren’t corroborated by any of the public record about the vulnerability, which, contrary to their report, doesn’t appear to involve “the way QuickTime handles Javascript”.

[Update: 2:30 EST]

Comment reprinted in its entirety, contradicting claims that the exploit could have been captured off the CanSec wireless network:

Someone may have reverse-engineered the vulnerability but they didn’t pull it off the network there. The network was very simple: a WAP that was connected to a hub and to the router to provide Internet access. The Macs sat on the hub and the only other systems on there were the ones we used to monitor the network to ensure rules were followed and then K2’s when he ran the exploit. The WAP was routing traffic from the hub to the Internet, not sending it out over the wireless network.

We were sniffing the traffic on the wireless network and would have noticed if it had been getting traffic from the wired side.

Y’all know routing & switching protocols well enough to know that traffic destined for the Internet wouldn’t end up on the pocket wireless network. The AP doesn’t have enough smarts to mess up routing that way unless someone owned it (which is admittedly possible).

The point is, no one sitting on the wireless network would have been able to sniff the traffic from the wired network to the Internet.

[Update: 2:40 EST]

This is turning into a game of telephone. We’re tracking a variety of reports both confirming and denying that information about the exploit has leaked. We have no confirmation that anybody besides 3Com and the affected vendors has details about this exploit. We think it’s important to be aware that there’s controversy about whether that’s the situation: if this exploit has leaked to the wild, it is very important that you update your browser configuration.

We’re going to ratchet down the up-to-the-minute Drudge Report updates on this aspect of the story until we can confirm more details, but we’ll update this post as soon as we have something conclusive.

[Update: 6:55 EST]

The bulk of the “it leaked!” leads in this soap opera are not panning out, fortunately for all involved. We’ll post a round-up of the stuff that did happen later on.
