QuickTime Bug Affects All Java-Enabled Browsers
The QuickTime bug revealed at CanSecWest last week turns out to affect everything that's Java-enabled and that has QuickTime installed, including IE 6 and IE 7 on Vista, browsers that were originally thought to be safe due to sandboxing techniques. Researchers are urging all users of QuickTime--and that means you, if you have iTunes installed--to turn off Java.

That Apple's Safari browser is an attack vector for the flaw was known on Friday, when Matasano Security principal Dino Dai Zovi used it to earn a $10,000 cash prize in the Pwn-2-Own contest at CanSecWest. Soon after, TippingPoint added Mozilla's Firefox to the list of attack vectors, and on Tuesday night discovered that IE is also an attack vector.

Terri Forslof, manager of security response at TippingPoint, said this QuickTime flaw is comparable to Microsoft's ANI vulnerability in terms of severity, and Secunia has rated it highly critical--its second most serious rating (the highest being "extremely critical").

"This is probably one of the biggest vulnerabilities we've seen," Forslof told me today. "It affects every platform, every browser. It's widespread, and nobody's immune to this thing."

As of now, there is no exploit code out in the wild, although one blogger calling him or herself "Infosecsellout" is making claims that he or she has "the advantage of a full packet capture of the entire contest" and has confirmed the vulnerability with "good 'ol fashioned vulnerability research." These claims are being dismissed by CanSecWest organizers, who stand behind the security of the network on which the Pwn-2-Own contest was held. Forslof dismissed the blogger as an irresponsible exploiter dealing in nothing but FUD. The supposed exploit nabber's claims are also undermined by the fact that he or she didn't get the flaw's technical details right, calling it a JavaScript-enabled flaw as opposed to what it is: a Java-enabled flaw.

(Disclaimer: The blogger might have gotten that fallacy from me--I believe this might be the case, given that he or she referred to press reports comparing the severity of the QuickTime bug to that of the ANI vulnerability. In my feeble defense, I only said JavaScript once, and it was a typo. Plus, I'm not making foolish FUD claims and getting people at Mozilla and Microsoft all cooked up over the thought that the exploit's in the wild. Shame, Sellout, shame.)


Comments (12)
"nobody's immune to this thing" but depending on your OS, this can cause greater or lesser harm.
The bug allows the pirate to get current user privileges.
On Unix/Lunix OSes (like MacOS), this means reduced access rights.
On Windows, even Vista, by default, this means root access.
Posted by AWx | April 26, 2007 8:38 AM
AWx you WRONG!!!!
On Windows Vista this means reduced access rights by default
Posted by carl | April 26, 2007 10:43 AM
AWx, I believe the 'linux' you mention is immune due to a lack of quicktime.
Posted by Daryl | April 26, 2007 2:40 PM
Daryl is correct. Apple's Quicktime is not available for Linux and other *nix variants, though WINE might be able to run it, or some other program like it, or an emulator.
Carl: Yes, if UAC is enabled, this means that the shell would only give normal user-level access, but plenty of Windows Vista users have disabled it and are running with administrator privileges.
Posted by J. M. | April 26, 2007 7:36 PM
daryl,
the post by AWx clearly said 'On Unix/Lunix OSes (like MacOS)'.
why did you simply zero in on the one word that makes microsoft disciples get into a frenzy? and take a step off the cliff?
it affects any os that can run quicktime. if you took the time to study thy enemy, which is a worthwhile endeavor (hint), you would find that those 'linux' people can run apps like quicktime in an emulator, among other things.
and since those 'linux' people are usually more aware of how their systems work than people who do things like say 'linux' like 'linux', they can usually deal with threats like these more effectively, too.
so i guess it is a good thing that this, um, 'bug' doesn't affect the user community most equipped to deal with it, anyhow. forget all the lusers, they need new machines anyhow. with that bright shiny aeroglide thingie, sucking up clock cycles and ram!! it's what's good for them, dammit.
Posted by prip | April 27, 2007 12:30 AM
What does this exploit even do?!?! Everywhere I just read that it's an exploit!
Posted by Jeronimo | April 27, 2007 9:33 AM
I use QuickTime Alternative; wonder if it is vulnerable?
Posted by Hal | April 28, 2007 6:16 PM
The article said "if you have iTunes installed--to turn off Java."
Sounds like they're implying that if one is running QuickTime WITHOUT iTunes, that they would not be affected (which I doubt).
Posted by Dean | April 30, 2007 4:47 PM
this is great but without instructions on how to turn off JAVA it is TOTALLY USELESS!!!!!!!!!!!!!!
PLEASE UPDATE WITH USEFUL INFO (dee dee deeeeee)
Posted by Robert | May 1, 2007 12:43 PM
Hello All,
From my attempt to resolve the "java" issue and in response to the last post. In WinXP Home, click
Control Panel,
Internet Options,
Security,
Click the level "internet"
Click
Custom Level
Scroll down to Scripting of Java applets
Click disable or prompt instead of enable
I'm no tech geek, but that seems to be the only Java "Enabled" in the security settings under internet connections; therefore, I believe this would prevent the potential exploitation of this weakness.
God Bless,
BRC
Posted by BRC | May 8, 2007 6:22 PM
Is this still an issue?
Posted by Les | June 12, 2007 3:28 AM
uninstall Quicktime. Java is too useful.
Posted by geedavey | August 3, 2007 9:51 AM