Matasano Chargen - Latest Comments in Details on Dino’s QuickTime Advisory (With Code Snippet)

Re: Details on Dino’s QuickTime Advisory (With Code Snippet)

David Schor — Tue, 22 May 2007 18:23:50 -0000

Not to beat a dead horse.. but did this ever have the potential to be exploited on PPC platforms?

Re: Details on Dino’s QuickTime Advisory (With Code Snippet)

The original someone who works — Thu, 03 May 2007 23:10:46 -0000

Ivan,

I understand what you're saying. I reacted pretty strongly to the claim that Vista (rather than Vista users) are vulnerable. From one perspective, that's splitting hairs. From another, it's saying please be accurate.

And speaking of not being clear, I didn't actually talk to any of my co-workers about this. So the royal we was expressing my impression of my co-workers opinions in the little corner I work in.

Re: Details on Dino’s QuickTime Advisory (With Code Snippet)

Thomas Ptacek — Thu, 03 May 2007 16:27:31 -0000

Our logs strongly suggest that he is in fact the Pope.

Re: Details on Dino’s QuickTime Advisory (With Code Snippet)

ivan — Thu, 03 May 2007 15:13:09 -0000

@original someone who works at MS:
I am not "knocking" you for someone else's mistake, I am pointing our that if I run Vista (or actually any Windows OS) and iTunes/Quicktime on it I'd still be vulnerable to attack. Seems to be a plausible and important scenario to mention given that the iPod sales are at least an order of magnitude higher than Apple PC sales... I'd assume that those owning an iPod and not owning an Apple are not running iTunes/Quicktime on Linux or Solaris right?

I am not at all interested in blaming vendors or pointing fingers at their mistakes (they manage to do that to each other quite well by themselves) I am interested in helping potentially affected users understand that disregarding what OS they run (even Vista) they are _still_ vulnerable to exploitable bugs in the applications they run. Although that seemed to be a fair, common sense statement (at least to me) some of your colleagues did not like to hear it. And since you used the royal "we" in your posts I assumed that you were not posting just your _personal_ opinions. Its either that or that you are some king or The Pope :)

Re: Details on Dino’s QuickTime Advisory (With Code Snippet)

Hash — Thu, 03 May 2007 11:27:45 -0000

Interesting that Apple's advisory
http://docs.info.apple.com/article.html?artnum=...
does NOT list Vista, just Windows XP SP2 and Windows 2000 SP4. Is Quicktime "technically" not yet supported on Vista?

Even the QT download page only states 2000/XP. There is a request for feedback on the bottom of the page for QT on Vista.

Re: Details on Dino’s QuickTime Advisory (With Code Snippet)

Chris — Thu, 03 May 2007 10:09:11 -0000

You can be vulnerable to something, but not be at fault.

There is no Vista-bashing going on here. If anything, I'd say the tone is one of respect for Dino's work.

Re: Details on Dino’s QuickTime Advisory (With Code Snippet)

Thomas Ptacek — Thu, 03 May 2007 02:15:14 -0000

This is a tricky situation given the timelines, scrutiny, and speculation --- particularly regarding Vista. It's hard to deny that this is Apple's fault, not Microsoft's.

Re: Details on Dino’s QuickTime Advisory (With Code Snippet)

The original someone who works — Wed, 02 May 2007 22:32:36 -0000

PS to Ivan:

No, I'm not Stepto. And I'll decline to answer further questions like that.

We're quite aware that other people write code on Vista. We even encourage it. I am objecting to ZDI's claim that the Windows OS is vulnerable based on a component that we didn't write, and don't ship.

Feel free to knock us for mistakes we actually make.

Re: Details on Dino’s QuickTime Advisory (With Code Snippet)

The original someone who works — Wed, 02 May 2007 22:29:45 -0000

So, what the ZDI advisory says is "This vulnerability affects the latest versions of both the MacOS and Windows operating systems, including MacOS 10.4.9 and Windows Vista."

(Emphasis added.)

So, ZDI, unlike Thomas, is saying that Vista, not 'quicktime on VIsta' is vulnerable. That is not accurate. "Vista in many installed configurations" might or might not be.

Sure, it would be great if Microsoft could invent things that would prevent all vulns. Save us and everyone else gobs of money. But defenses in depth are there for when the vuln gets missed. We don't find things, leave them in, and hope.

Re: Details on Dino’s QuickTime Advisory (With Code Snippet)

ivan — Wed, 02 May 2007 21:36:55 -0000

@thomas: exactly, sorry for the sarcasm. I'm just trying to point out what I've said earlier this year and that for which I've been 'ridiculed' by *some* folks at MSFT: All those expensive new security mechanisms in Vista are useless if third party applications do not "cooperate" and MSFT can't possibly expect users to just run MSFT code, thus there will be vulnerable (and exploitable) third party applications running on Vista for one or more years to come.

I suppose that GS, SEH and ALSR and a few more things (NX?!) could help if they imposed some severe constrains on the valid values of "addr". Hmm btw, does the Java VM run within a process with hardware NX on?

Re: Details on Dino’s QuickTime Advisory (With Code Snippet)

Thomas Ptacek — Wed, 02 May 2007 20:13:38 -0000

How would any of GS, SEH, or ASLR have helped in this case? The vulnerability gives you a Java method "write32(addr, word)".

Re: Details on Dino’s QuickTime Advisory (With Code Snippet)

ivan — Wed, 02 May 2007 19:36:05 -0000

someone who still works at MS:
Are you sure you're not Stephen Tooulouse? Or is it just part of your employeer's brainw^H^H^H^H^H^H indoctrination program to make you assume that the only software that anyone could possibly run on Vista must be developed and shipped by Microsoft. A toootally unrelated question: current versions of iTunes and Quicktime for Windows are compiled with VS 2005 SP1 using /GS, SafeSEH and /dynamicbase, yes? yeah right...I thought so.

Re: Details on Dino’s QuickTime Advisory (With Code Snippet)

Rosyna — Wed, 02 May 2007 18:02:12 -0000

Someone who still works at MS:

Out of which box? The box that contained their new PC? After all, that's how the majority of people acquire Windows, with a new PC (according to Microsoft's own press releases).

And the point is, Vista's fancy new whatsits and whoseits didn't prevent it. That's all that's being said. Don't look for FUD where none exists.

Re: Details on Dino’s QuickTime Advisory (With Code Snippet)

Thomas Ptacek — Wed, 02 May 2007 16:16:30 -0000

We report, you decide. I'm just parroting the advisory. =)

Re: Details on Dino’s QuickTime Advisory (With Code Snippet)

Someone who still works at MS — Wed, 02 May 2007 16:13:59 -0000

Vista doesn't ship with QuickTime nor does it ship with Java. Therefore, out of the box, this is another example of Microsoft being bashed for something that it shouldn't. Out of the box - Apple has this vuln and Vista doesn't. Point the finger in the right direction.

Re: Details on Dino’s QuickTime Advisory (With Code Snippet)

Someone who used to work at MS — Wed, 02 May 2007 15:18:29 -0000

To Someone who works at MS:
No, it means that if you install QuickTime on your Vista... like, oh say... to use itunes.. then you've got the goods, and you can get owned.

Sometimes no matter how hard MS tries to remove naughty things that they didn't "make themselves"... users download other software that Microsoft didn't ship on the box and therefor subject themselves to additonal vulnerabilities such as this one.

Re: Details on Dino’s QuickTime Advisory (With Code Snippet)

Matt — Wed, 02 May 2007 02:33:17 -0000

Oh good, I was hoping one of you would hook us up with a little more technical detail than the ZDI advisory had.

Re: Details on Dino’s QuickTime Advisory (With Code Snippet)

Someone who works at MS — Wed, 02 May 2007 02:01:44 -0000

That's Odd. I thought Vista didn't include Java. Do they mean it affects Vista if you happen to install Apple and Sun code on it? An odd definition of "affects Vista."

Re: Details on Dino’s QuickTime Advisory (With Code Snippet)

Thomas Ptacek — Tue, 01 May 2007 23:11:27 -0000

Note also how little this vulnerability has to do with "how QuickTime handles Javascript":

http://infosecsellout.blogspot.com/2007/04/vuln...

Not that I'm not conceding that his post was effective.