Matasano Chargen - Latest Comments in URGENT: Unconfirmed Reports QuickTime Exploit Capture Is Circulating

Re: URGENT: Unconfirmed Reports QuickTime Exploit Capture Is Circulating

David Schor — Tue, 01 May 2007 17:09:18 -0000

Update - QuickTime 7.1.6 has been released today, and apparently fixes the problem. Kudos to Apple.

Re: URGENT: Unconfirmed Reports QuickTime Exploit Capture Is Circulating

HAL — Fri, 27 Apr 2007 12:35:11 -0000

Cue Lalo Shiffrin soundtrack.... you may want to consider moving to a virtual env altogether, and ask yourself where your hardware came from, for starters.

Summer should be a fun time.

H

Re: URGENT: Unconfirmed Reports QuickTime Exploit Capture Is Circulating

Ryan Russell — Thu, 26 Apr 2007 00:48:45 -0000

Possibly because it's a Quicktime vuln, and not a Java vuln? If it's a shellcode-based exploit, maybe you can use Java to cross-platform shove code at it, but that doesn't necessarily mean it's going to execute.

Re: URGENT: Unconfirmed Reports QuickTime Exploit Capture Is Circulating

Hash — Wed, 25 Apr 2007 21:06:45 -0000

If it's a Java bug, I don't see why it wouldn't.
Remember, Java's selling point was write once run anywhere. ;-)

Re: URGENT: Unconfirmed Reports QuickTime Exploit Capture Is Circulating

David Schor — Wed, 25 Apr 2007 20:08:50 -0000

Any news on whether this exploit works on PPC machines?

Re: URGENT: Unconfirmed Reports QuickTime Exploit Capture Is Circulating

John Herron — Wed, 25 Apr 2007 18:38:07 -0000

The latest versions of NoScript can block Java (as well as JavaScript, Flash, other Plugins, and some XSS. You have the option to allow these for "trusted" sites. See the screen shot under mitigation that I posted: http://www.nist.org/news.php?extend.226

If the browser never processes the Java code it can't pass it on to Quicktime. You may want check the box to not allow any plugins on untrusted sites just in case.

Re: URGENT: Unconfirmed Reports QuickTime Exploit Capture Is Circulating

Thomas Ptacek — Wed, 25 Apr 2007 17:06:15 -0000

I don't like it either, but them's the breaks. Matasano isn't directly involved in this exercise; we're just reporting what we hear.

The problem is that we've confirmed that disabling Java (or QuickTime) mitigates the vulnerability, but haven't firmed deleting specific Java components will. I totally believe your solution could work, but I can't confirm it.

Re: URGENT: Unconfirmed Reports QuickTime Exploit Capture Is Circulating

Don jackson — Wed, 25 Apr 2007 15:33:56 -0000

Could you simply rename the "QTJava.zip" file and continue to use Java as you normally would? I don't like that you're advising to disable one vendor's software in order to protect against a vulnerability in another vendor's product.

Re: URGENT: Unconfirmed Reports QuickTime Exploit Capture Is Circulating

Jordan Wiens — Wed, 25 Apr 2007 15:17:26 -0000

It seems like the the advanced no plugins, no java, and no flash options in noscript would be preventative enough. Whether it's an embedded quicktime object or embedded java applet, both are blocked by a recent noscript with those options on.

Re: URGENT: Unconfirmed Reports QuickTime Exploit Capture Is Circulating

Chris Rohlf — Wed, 25 Apr 2007 15:03:16 -0000

Ok so quicktime is required, I am saved via lack of functionality and support :D thanks

Re: URGENT: Unconfirmed Reports QuickTime Exploit Capture Is Circulating

carl — Wed, 25 Apr 2007 15:00:31 -0000

Firefox is vulnerable, with or without NoScript.

Re: URGENT: Unconfirmed Reports QuickTime Exploit Capture Is Circulating

Thomas Ptacek — Wed, 25 Apr 2007 15:00:25 -0000

No confirmation of Linux. What's the disposition of QuickTime on Linux?

Again, as regards vulnerability details: it requires Java and QuickTime, and has been confirmed on FF/X, FireFox, Safari, IE6, and IE7 XP.

Re: URGENT: Unconfirmed Reports QuickTime Exploit Capture Is Circulating

Chris Rohlf — Wed, 25 Apr 2007 14:59:03 -0000

Ok too many people are saying too many things and I have been out of the loop this week, busy with other things. Firefox on Linux, vulnerable? Not vulnerable? Thanks

Re: URGENT: Unconfirmed Reports QuickTime Exploit Capture Is Circulating

Thomas Ptacek — Wed, 25 Apr 2007 14:47:40 -0000

No. Definitely stop living dangerously. I feel dumb for being cavalier about this finding.

Re: URGENT: Unconfirmed Reports QuickTime Exploit Capture Is Circulating

Rosyna — Wed, 25 Apr 2007 14:47:26 -0000

It's very, very possible that someone is "auditing" a reverse engineer of various libraries based on the crash log snippets posted earlier. While they won't help much, they may help just enough. I even thought about using them to find what's what. But then I figured it'd take too much time to reproduce the exact config in order to make it easier for me. Laziness wins again.

Also, people could just be searching the various codepoints like crazy trying to find anything that could resemble this bug.

Re: URGENT: Unconfirmed Reports QuickTime Exploit Capture Is Circulating

Rosyna — Wed, 25 Apr 2007 14:42:40 -0000

Thomas, so we can continue to live dangerously? Throw caution to the wind? Have our cake and eat it too?

Also, how about we just call it Java and ECMAScript from now on? The latter is probably more accurate as well.

Re: URGENT: Unconfirmed Reports QuickTime Exploit Capture Is Circulating

toby — Wed, 25 Apr 2007 14:29:30 -0000

Someone may have reverse-engineered the vulnerability but they didn't pull it off the network there. The network was very simple:
a WAP that was connected to a hub and to the router to provide Internet access. The Macs sat on the hub and the only other systems on there were the ones we used to monitor the network to ensure rules were followed and then K2's when he ran the exploit. The WAP was routing traffic from the hub to the Internet, not sending it out over the wireless network.
We were sniffing the traffic on the wireless network and would have noticed if it had been getting traffic from the wired side.
Y'all know routing & switching protocols well enough to know that traffic destined for the Internet wouldn't end up on the pocket wireless network. The AP doesn't have enough smarts to mess up routing that way unless someone owned it (which is admittedly possible).
The point is, no one sitting on the wireless network would have been able to sniff the traffic from the wired network to the Internet.

Re: URGENT: Unconfirmed Reports QuickTime Exploit Capture Is Circulating

Drew Thaler — Wed, 25 Apr 2007 14:04:16 -0000

JavaScript and Java have absolutely nothing in common except a poorly-chosen name. Disabling JavaScript (directly or via NoScript) has no effect on Java code.

Re: URGENT: Unconfirmed Reports QuickTime Exploit Capture Is Circulating

Jon Bowie — Wed, 25 Apr 2007 14:04:04 -0000

"The NoScript Firefox extension provides extra protection for Firefox, Flock, Seamonkey and others mozilla-based browsers: this free, open source add-on allows JavaScript and Java execution only for trusted domains."

It includes Java.

Re: URGENT: Unconfirmed Reports QuickTime Exploit Capture Is Circulating

Thomas Ptacek — Wed, 25 Apr 2007 13:58:20 -0000

You don't need to disable Javascript. Javascript and Java are unrelated.

Re: URGENT: Unconfirmed Reports QuickTime Exploit Capture Is Circulating

Jon Bowie — Wed, 25 Apr 2007 13:56:55 -0000

I've used the NoScript Firefox plugin for awhile now:

http://noscript.net/

By default it completely disables javascript, allowing for user-based manual exclusion of sites you trust.

I haven't audited it, so caveat emptor.

Re: URGENT: Unconfirmed Reports QuickTime Exploit Capture Is Circulating

Thomas Ptacek — Wed, 25 Apr 2007 13:56:54 -0000

You can remove QuickTime as well, and that will also solve the problem. It's harder to do that than to click the Java checkbox in the browser, which is why we're recommending it.

Re: URGENT: Unconfirmed Reports QuickTime Exploit Capture Is Circulating

carl — Wed, 25 Apr 2007 13:52:18 -0000

Why Should I disable Java? The flaw is in Apple QuickTime and so I disable QuickTime

Re: URGENT: Unconfirmed Reports QuickTime Exploit Capture Is Circulating

Thomas Ptacek — Wed, 25 Apr 2007 13:26:48 -0000

You don't know that, yet.

Re: URGENT: Unconfirmed Reports QuickTime Exploit Capture Is Circulating

luc — Wed, 25 Apr 2007 13:25:12 -0000

I'm using IE7 in Windows Vista and so I'm not affected