Matasano Chargen - Latest Comments in BREAKING: MacBook Vuln In Quicktime, Affects Win32 Apple Code

Re: BREAKING: MacBook Vuln In Quicktime, Affects Win32 Apple Code

Richard — Sun, 29 Apr 2007 23:15:41 -0000

I,m a home PC user and use WIndows 98 SE on an
AMD 1800 XP (like a Pent 4) and have QuickTime 6.4

The Apple site said I can't upgrade/Patch unless
I have an NT type O/S.

What are my options, Please?

Regards, Richard dickie@pobox.com

ps how to disable Java, if that's what I must do or
uninstal QuickTime? What about those 3rd party programs with Codecs packages that esentially compete with QT & Real player?? rrrr

Re: BREAKING: MacBook Vuln In Quicktime, Affects Win32 Apple Code

Anomalyous — Fri, 27 Apr 2007 12:28:20 -0000

- Disabling Java stops the vulnerability.

Uninstalling Quicktime seems to stop the vulnerability as well. ;)

Re: BREAKING: MacBook Vuln In Quicktime, Affects Win32 Apple Code

J.M. — Thu, 26 Apr 2007 17:47:59 -0000

If only people read this at face value.

If this was a Java vulnerability, then it would be a Java bug, not a Quicktime bug. This would put Linux, *BSD, etc. at risk as well. But this is not just a drive-by download via Java (haven't heard of any drive-by downloading via Java, except if malware is already installed), it's Quicktime's handling of it.

Just for future reference people, if "Java" is said, then take it as Java, not "Javascript," they are two totally different things.

Re: BREAKING: MacBook Vuln In Quicktime, Affects Win32 Apple Code

JohnGruberIsARobot — Thu, 26 Apr 2007 02:13:48 -0000

Thomas:
Oh ye of infinite patience.

Re: BREAKING: MacBook Vuln In Quicktime, Affects Win32 Apple Code

David Schor — Wed, 25 Apr 2007 19:57:54 -0000

PowerBook user here still waiting to hear if this is an intel-only issue. It seems to me the Apple PowerPC based machines have significant security advantages over both MacIntels and Windows machines, for obvious reasons.

PPC forever (or at least until the warranty runs out).

Re: BREAKING: MacBook Vuln In Quicktime, Affects Win32 Apple Code

Thomas Ptacek — Wed, 25 Apr 2007 14:51:50 -0000

Billy, what's weird is that you clearly have no information about what the details of the exploit are, but you're speaking with some authority about what those details are. You've made your point; if you have another point to make, go ahead. I'm going to delete any comments that suggest "facts" about the vulnerability that I know to be false.

Re: BREAKING: MacBook Vuln In Quicktime, Affects Win32 Apple Code

Billy — Wed, 25 Apr 2007 14:46:19 -0000

Thomas: It is not Weird that I think Java is at fault, I know that Java is a tool that allow control over alot of things both on the Macintosh and on the Windows Computers as well. Maybe there might be a hole in Quicktime that Java the Transport used. Also to answer your quote to Tom: “admin” users are root-equivalent. Only a real Administrator like me and others Know not to set users to have ADMIN privileges. I still would like to be show. Talk is nothing but talk until it can be proven. We hear about exploits all of the time, most of us would like to see the proof. Most users like myself are security aware of problems and I myself would like to see the proof. At least I don't have users called test of admin or even root on my computers. You can hack at those accounts all day and never get in.

Re: BREAKING: MacBook Vuln In Quicktime, Affects Win32 Apple Code

Dave — Wed, 25 Apr 2007 14:36:16 -0000

Has this been reported directly to Apple? If so, please provide a reference.

If this hasn't been reported to Apple, this notice is dubious at best. To release a notice about a vulnerability and not report it to the accountable parties is irresponsible rumor-mongering. I would hope this isn't the kind of thing matasano is participating in.

Re: BREAKING: MacBook Vuln In Quicktime, Affects Win32 Apple Code

Thomas Ptacek — Wed, 25 Apr 2007 12:23:25 -0000

Billy: it's weird that you think that just because you want it to be a Java issue it will be a Java issue. The wishfulness of much of the Mac pundit community is pretty fascinating. It's not a Java issue; it's a vulnerability in Apple's QuickTime code. Java is just the vector that exposes it.

Tom: on the overwhelming majority of deployed Macs, breaking Safari puts you one move away from checkmate --- "admin" users are root-equivalent.

But who cares? Read this:

http://www.matasano.com/log...

Especially the comments.

Worrying about "root" on a single-user machine is like worrying about a bank robber stealing the doors and the chairs.

Re: BREAKING: MacBook Vuln In Quicktime, Affects Win32 Apple Code

Tom Matheson — Wed, 25 Apr 2007 10:50:10 -0000

But still no access to root, correct?

Re: BREAKING: MacBook Vuln In Quicktime, Affects Win32 Apple Code

Billy — Wed, 25 Apr 2007 10:36:10 -0000

I think that is is only a JAVA Issue not a Apple Issue.

Re: BREAKING: MacBook Vuln In Quicktime, Affects Win32 Apple Code

Billy — Wed, 25 Apr 2007 10:33:29 -0000

I really do not belive this at all. I have had Macintosh Computers running on the internet serving Websites / Mail / and FTP and they have been running for over two years now and a ton of people Hacking at it and still no one has ever got into them. Wish people like this show us step by step instead of telling that is has happen. Prove it people.

Re: BREAKING: MacBook Vuln In Quicktime, Affects Win32 Apple Code

Thomas Ptacek — Tue, 24 Apr 2007 23:38:03 -0000

Mike, you could do that. Nobody else does it. More importantly, as funny as it is to point out how bad this vulnerability is, and how ironic it is, it doesn't really put anyone at risk (until Rosyna from Unsanity reverses it entirely from the trickle of information 3Com is letting out).

So I recommend doing, uh, nothing.

Re: BREAKING: MacBook Vuln In Quicktime, Affects Win32 Apple Code

Mike Davis — Tue, 24 Apr 2007 22:24:07 -0000

It is my understanding that this exploit only gains the privilage level of the user running the browser (not full root access, otherwise the other prize would have been claimed as well). If this is the case, then it should be possible to create a "sandbox" account on the Mac where only the Safari Application can be run, and only the "sandbox" user's directory can be written to. This should be able to restrict the damage that this potential exploit can do to this specific account. This might be an acceptable work around (when combined with fast user switching) for those that need java for the sites they are using. Ideas?

Re: BREAKING: MacBook Vuln In Quicktime, Affects Win32 Apple Code

John Herron — Tue, 24 Apr 2007 18:54:22 -0000

1) I think some people are confused by the suggestion to use NoScript to mitigate this risk. The Quicktime vulnerability involves 'Java' (passed to it by the browser). NoScript can be set to stop JavaScript, Java, and browser plugins on a (allow/deny) site by site basis. The new version also has some protection for XSS. If you use Firefox it is a must have layer of protection.

2) Still waiting for information as to whether this vuln takes advantage of a poorly thought out built-in Quicktime function or executes after a buffer overflow. This information greatly affects how this affects Windows. This info is probably still embargoed.

Re: BREAKING: MacBook Vuln In Quicktime, Affects Win32 Apple Code

Thomas Ptacek — Tue, 24 Apr 2007 14:41:48 -0000

Yes. Yes.

Re: BREAKING: MacBook Vuln In Quicktime, Affects Win32 Apple Code

unclemac — Tue, 24 Apr 2007 14:38:57 -0000

Is this threat viable for all level of users? If a machine is being run from a managed (non-admin) account can the code still be executed and access gained?

Thanks for the info!

Re: BREAKING: MacBook Vuln In Quicktime, Affects Win32 Apple Code

Thomas Ptacek — Tue, 24 Apr 2007 11:51:31 -0000

It involves Java, not Javascript.

Re: BREAKING: MacBook Vuln In Quicktime, Affects Win32 Apple Code

unclesmrgol — Tue, 24 Apr 2007 11:24:58 -0000

Is it Java, or Javascript?

Re: BREAKING: MacBook Vuln In Quicktime, Affects Win32 Apple Code

Giorgio Maone — Tue, 24 Apr 2007 08:27:43 -0000

Either if it is JS, Java, QuickTime or any other plugin, just another job for NoScript :)

http://noscript.net

Re: BREAKING: MacBook Vuln In Quicktime, Affects Win32 Apple Code

John Herron — Mon, 23 Apr 2007 22:54:34 -0000

Wow, effectively its cross-platform. If the bug exploits a built-in OS interface feature then the current attack may work as-is against a Windows based computer. But I assume that if its causing a buffer overflow condition that right now its probably DoSing Windows. In which case this may or may not lead to a Windows exploit.

Nice discovery, will certainly keep Apple awake for a few nights.

Re: BREAKING: MacBook Vuln In Quicktime, Affects Win32 Apple Code

tom ferris — Mon, 23 Apr 2007 20:23:53 -0000

nice.. ;)

Re: BREAKING: MacBook Vuln In Quicktime, Affects Win32 Apple Code

Thomas Ptacek — Mon, 23 Apr 2007 20:20:47 -0000

3Com clears the information piecemeal.

Re: BREAKING: MacBook Vuln In Quicktime, Affects Win32 Apple Code

Ryan Russell — Mon, 23 Apr 2007 20:17:20 -0000

So, if you guys are presumably not supposed to be leaking this information you've sold to 3com, what are the sources?

Re: BREAKING: MacBook Vuln In Quicktime, Affects Win32 Apple Code

Drew Thaler — Mon, 23 Apr 2007 20:04:13 -0000

Based on the statements so far it sounds like the vuln uses QT4J to call into the platform's native QT APIs, where it triggers a bug of some sort. (Bad data, buffer overflow, etc.) That would mean QT4J is just the vector, and doing its job by passing the call through -- it's necessary to trigger the bug, but not at fault.

That would explain why disabling Java will block the vuln, and also why it should readily affect other OSes.