QuickTime Flaw Kicks Off Month of Apple Bugs

A previously undocumented flaw in Apple's QuickTime media player could be exploited remotely by attackers to install malicious software on computers running either the Windows or Mac OS X operating systems, according to the inaugural posting by the Month of Apple Bugs project, a month-long effort that promises to feature a newly described security hole in Apple's software each day for all of January.

The advisory on the MoAB page states that the vulnerability stems from the way QuickTime implements a media streaming communications standard known as the "real time streaming protocol," or RTSP for short. By convincing an unsuspecting user to click on a specially crafted, very long hyperlink that begins with "rtsp://", an attacker could install unwanted software on the victim's computer.

I am far from an expert on OS X, but the test exploit link I obtained from LMH -- the hacker handle of the secretive researcher who is co-curator of this project -- launched QuickTime on my test OS X Tiger system and then quickly crashed the application. When I manually re-launched QuickTime, it froze the entire computer, and the operating system threw up a message telling me that I need to restart. I learned later that the test exploit was written to work on Intel-based Macs, whereas my install of Tiger is on top of an older PowerPC. According to LMH, however, the exploit could also be made to work just as reliably on PowerPC-based Macs.

Johannes Ullrich, chief technology officer for the SANS Internet Storm Center, said the exploit appears to be fairly solid and easy to use, noting that its potential for abuse presents a serious security threat to both Windows and Mac users.

"Apple [has] an advantage in that users typically do not run as administrators," Ullrich said. "But this still puts the user's personal data at risk." Threats more typically found on Windows machines, such as bot or keystroke logging programs, could be installed via this flaw even if a Mac user is running a less powerful user account, Ullrich said.

LMH said the Windows and Mac QuickTime Version 7.1.3 and the Player Version 7.1.3 are vulnerable, and that earlier versions also are likely to be vulnerable. QuickTime users can mitigate the threat from this bug by not opening links that begin with "rtsp://" or by disabling the display of streaming files in QuickTime. To do that on a Mac, open QuickTime, go to "Preferences," then click on the "Advanced" tab. You should see a "Mime Settings" button; click on that, and then uncheck the box next to "Streaming - Streaming Movies." For Windows users of the most current QuickTime version, click on "Edit," then "Preferences," and then "QuickTime Preferences". Click on the "File Types" tab, and then on the plus sign next to "Streaming - Streaming Movies" and uncheck the box next to "RTSP stream descriptor".

I put in a query about this with Apple and will update the blog if I hear anything from them.

I've been playing around with this RTSP protocol, and it appears as though in its default configuration, Firefox 2.0 doesn't know what to do with links that begin with "rtsp://" and will throw up an error message saying so if you try to visit such a link. However, Internet Explorer and Safari, the default Web browsers on Windows and OS X machines, respectively, will happily render them via QuickTime.

I mention this because if the advisory is correct, this vulnerability does not strictly rely on tricking the would-be victim into clicking on a maliciously-crafted hyperlink. The exploit could be inserted into a video embedded in a Web page, one that loads automatically when the user visits the site. It also can be invoked inside of Macromedia Flash code or through Javascript commands (see the Security Fix post about the QuickTime worm on MySpace.com for a demonstration of the power of Javascript).
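Because the link does not have to be clicked, a defender reviewing saved or proxied pages can audit every place static markup may carry an "rtsp://" URL. The sketch below is an added example, not part of the original post or the MoAB advisory; it does not see URLs built at runtime by JavaScript or Flash. The length cutoff, the attribute list and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Assumption: the post only says the link is "very long"; this cutoff is an
# illustrative value chosen for the example, not a figure from the advisory.
MAX_RTSP_URL_LEN = 256

# Attributes that can carry a URL the browser may hand to a media plug-in.
URL_ATTRS = {"href", "src", "data", "value", "qtsrc"}


class RtspLinkAuditor(HTMLParser):
    """Collect every rtsp:// URL in a page, whatever tag carries it."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (tag, attribute, url length, oversized?)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            url = value.strip()
            if url.lower().startswith("rtsp://"):
                self.findings.append(
                    (tag, name, len(url), len(url) > MAX_RTSP_URL_LEN))


def audit_html(html):
    """Return all rtsp:// references found in the given HTML text."""
    auditor = RtspLinkAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page: one ordinary stream link, one embedded object with
# an oversized rtsp:// URL that loads without a click, one unrelated link.
SAMPLE_HTML = (
    '<a href="rtsp://media.example/clip.mov">trailer</a>'
    '<embed src="poster.mov" qtsrc="rtsp://media.example/' + "A" * 600 + '">'
    '<a href="http://news.example/story">story</a>'
)

if __name__ == "__main__":
    for tag, attr, length, oversized in audit_html(SAMPLE_HTML):
        verdict = "REVIEW" if oversized else "ok"
        print(f"{verdict:6} <{tag} {attr}=...> rtsp URL of {length} chars")
```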

By Brian Krebs  |  January 1, 2007; 5:01 PM ET
Categories:  Latest Warnings  

Comments

...disabling the display of streaming files in QuickTime. To do that, open QuickTime, go to "Preferences," then click on the "Advanced" tab. You should see a "Mime Settings" button; click on that, and then uncheck the box next to "Streaming - Streaming Movies."

I'm using QuickTime 7.1.3 (Windows XP and Firefox 2.0.0.1) but I don't seem to have a "Mime Settings" button. I looked under QuickTime preferences and player preferences. What am I missing?

Thanks.

Posted by: Rosie Win | January 1, 2007 6:00 PM | Report abuse

Rosie,

Sorry. I need to update that post. Those instructions work on a Mac, but I need to check the process for doing that on Windows. Check back in a bit please, thanks.

Posted by: Bk | January 1, 2007 6:08 PM | Report abuse

Thank you and that works. Of interest, mine was already NOT checked and I have never (to my knowledge) made any changes to the default.

Posted by: Rosie Win | January 1, 2007 7:11 PM | Report abuse

Rosie, I looked in my installation of Quicktime on Windows and had the same experience as you -- I found that it was NOT enabled by default. But then I looked and noticed I was not running the most recent version, and thought I had probably forbade QuickTime from setting itself as the default player for most file types when I installed it way back when. So I uninstalled the player and installed the latest version, and sure enough the box next to RTSP WAS checked by default.

Posted by: Bk | January 1, 2007 7:14 PM | Report abuse

Seriously, if they can come up with a month of Apple OS bugs....what does that equate for MS bugs? years? decades?

Posted by: louie | January 1, 2007 9:34 PM | Report abuse

I too would have forbade QuickTime from becoming default player for anything but QuickTime files. Never thought of that as the reason. In any case, I hope that for the moment and with wise surfing that issue is under control.

May I take the moment to say how much I appreciate this feed for the timely information and solutions (when such exist).

Posted by: Rosie Win | January 1, 2007 9:34 PM | Report abuse

QuickTime preferences - then the 'Advanced' button, then click on the mime settings button. It takes you to a listing of mime settings. The first is 'streaming-streaming movies'. Uncheck the box which is checked as a default setting.

Posted by: Mr. Ron | January 1, 2007 11:07 PM | Report abuse

I guess those new I'm a Mac ads have these guys' panties in a bunch. Yes there are bugs in OSX, there are bugs in every piece of software ever written. These guys are just tweaked about the fact that their OS of choice is thought to be less secure than OSX. So now they want to bring the "smug" Mac users down a notch or two. So they can point and say see yours is just as bad as ours. I guess this will make them feel better about their choice or something.

Personally, I'll wait until there is a real exploit that has proven to be something worth worrying about, before I'll start changing my system settings and preferences. It takes more than just someone saying they found a bug, to make it a virus or malware.

My prediction is this will ultimately be much ado about nothing.

Any legitimate bugs will be dealt with swiftly by the folks in Cupertino. Just as they always have.

Posted by: Dave K | January 1, 2007 11:29 PM | Report abuse

A nice one to kick off with. French SIRT rates this one as critical.

http://www.frsirt.com/english/advisories/2007/0001

I notice the MoAB people say on their site:

"... some of us use OS X on a daily basis. Getting problems solved makes that use a bit more safe each day, for everyone else. Flaws exist, with and without people disclosing them. If we wanted to make business out of this we would be selling the issues and the proper exploit for each one. ..."

They have a point. I imagine they could have sold that one - specially as it also presents a threat to users on the Windows platform, who are a much larger, and therefore more interesting, target for bad guys.

Posted by: Michael | January 2, 2007 4:02 AM | Report abuse

Of course it's best when flaws in any OS are exposed - what I dislike is making a public circus of it. Have they conveyed the information to Apple in a timely fashion?

If yes, and Apple did nothing then this makes sense. If no, then it's a cheap broadside to pump their group and slag the OS, on the eve of a big media event.

If they were truly worried about the user, they'd have released this in November, before the sales season. No - this is a publicity machine first, and a bug hunt second.

Posted by: Jim | January 2, 2007 6:58 AM | Report abuse

I agree with Jim. They should have notified Apple first and allowed them ample time to respond/fix the bugs. Posting them first like this is just a publicity stunt and it's not appreciated.

Posted by: MacDan2004 | January 2, 2007 8:26 AM | Report abuse

Actually, most Mac OS X users *do* run as administrator, since that is the default configuration.

But anyway, I think it is a myth that running as non-admin on Mac OS X or Windows actually increases security significantly.

Posted by: Running as Admin | January 2, 2007 10:14 AM | Report abuse

I had the same problem as Rosie Win. I went and opened QuickTime and did not see Advanced and Mime Settings in its preferences. HOWEVER, using the Quicktime Help, I determined that I needed to go to SYSTEM PREFERENCES and find QuickTime there, and change the streaming movies preference. I use Mac OSX and do not know how to make this fix in Windows, but maybe your Windows QuickTime help will tell you how to get at system preferences, assuming it is a parallel procedure for that of Macs.

Posted by: J. Belliveau | January 2, 2007 10:55 AM | Report abuse

J Belliveau -- I added instructions for Windows users of QuickTime last night in the main body of the blog.

Posted by: Bk | January 2, 2007 11:01 AM | Report abuse

On Windows, go to "Edit", "Preferences", and then "QuickTime Preferences". Choose the "File Types" tab, and then uncheck the box next to "Streaming - Streaming Movies".

Posted by: JR | January 2, 2007 11:41 AM | Report abuse

Has anyone gotten the exploit demo to work? A few Slashdot posters using Intel Macs have reported that the demo doesn't work on their boxes.

Posted by: HLS | January 2, 2007 11:57 AM | Report abuse

I have the latest version (1.7.3) quicktime for windows installed. RTSP stream descriptor is not checked by default. I would also recommend that some consideration be made to suggest that users follow up with the Quicktime updates to patch this vulnerability. In other words break out your advice into past/present/future instructions. From a web developer's standpoint, we don't like to see millions of people turning on and off default preferences for standard integrated functions of the software. I.e. what good is Quicktime without streaming? So...part of your solutions should be to request that the user set a calendar date one month from today, to follow up and see the long term solution.

Posted by: mike | January 2, 2007 12:28 PM | Report abuse

The next one is going to make a lot of people lose sleep!

Apparently, there is an obscure, open source video player called VLC that has a buffer overflow bug. O. H.  M. Y.  G. O. D.

I just checked and apparently I have a defective OS X install since I don't have that on my computer anywhere. I wonder how Apple missed it. It is from Apple right? Since this is the month of Apple bugs?

Seriously, if they've already run out of bugs in actual Apple products, this is going to get lame awfully fast.

Posted by: James Bailey | January 2, 2007 6:48 PM | Report abuse

From your screenshot it looks like you're using the Mac OS X "basic" crash dialog. The "developer" dialog is a lot nicer; see http://www.squarefree.com/2006/11/02/determining-whether-a-crash-looks-exploitable/ .

Posted by: Jesse Ruderman | January 3, 2007 1:54 AM | Report abuse

Brian was not quite correct in his description of how to disable rtsp:// in QuickTime. Go to System Preferences, Open QuickTime and you will see tabs, one of which is 'advanced' and here is where a button for 'mime settings' exists.
You can then deselect the RTSP stream descriptor under 'Streaming-streaming movies'
OSX 10.4.8

Posted by: Jeffrey Murray | January 3, 2007 6:19 AM | Report abuse

To quote Mr. Krebs, "I am far from an expert on OS X". Although he's certainly enough of an expert to find LMH's publicity stunt newsworthy. Then again Mr. Krebs was instrumental in bringing the fake Apple Airport Hijack to all of our attention. Keep up the great work Brian.

Posted by: no spin | January 3, 2007 6:59 AM | Report abuse

Fanboys fanboys
Watcha gonna do
When they come for you (with an AP)
Fanboys fanboys tsk tsk

Posted by: Fred Fanboy Fighter | January 4, 2007 5:48 AM | Report abuse

This blog was useful. I discovered the 'default' QuickTime setting WAS activated on my Mac OS. Not anymore. (Have alerted others to your blog).

However, this morning, I saw online there is an alert about Adobe PDF security. I hope you write on this toute de suite (sic) because I checked my Mozilla preferences to uncheck the Adobe PDF Plug-In and couldn't find it to protect myself.

What is the solution?

Posted by: Anne Drew | January 4, 2007 1:38 PM | Report abuse

Landon Fuller, a former Apple employee, is providing "patches" for each of the exploits as they come out. You may read more about them on his blog:

http://landonf.bikemonkey.org/

Dave

Posted by: David Kilzer | January 4, 2007 2:34 PM | Report abuse

Anne Drew> What is the solution?

Uninstall the Adobe PDF browser plug-in. This plug-in is a pain in the ass, anyway, in that it interferes with your browsing experience. It's actually much easier to open PDFs in the external reader application.

That doesn't solve the whole problem, but it helps. Others have suggested a free non-Adobe PDF reader (Foxit reader) in the past. You might want to try that out and lose Acrobat Reader entirely.

Posted by: antibozo | January 4, 2007 3:05 PM | Report abuse

A little dose of reality for those not too obsessed; a "fair and balanced" treatment by Mr. Krebs would start each hyperventilating article about "the grave security threat to Mac users" with a reference to this article.

http://www.nytimes.com/2007/01/07/technology/07net.html?em&ex=1168318800&en=486679f342f00bb8&ei=5070

Posted by: Judge C. Crater | January 7, 2007 2:51 PM | Report abuse

Judge C. Crater> a "fair and balanced" treatment by Mr. Krebs would start each hyperventilating article about "the grave security threat to Mac users" with a reference to this article.

A "fair and balanced" posting from you would neither characterize Bk's writings as "hyperventilating" nor put words in his mouth--I don't recall him ever using the phrase you attribute to him.

The cited article is worth reading, but doesn't really say anything new. Also, the NY Times author (John Markoff) abbreviates Internet Relay Chat as "I.R.C." (it's IRC), which doesn't inspire confidence in the technical details.

Posted by: antibozo | January 8, 2007 12:05 PM | Report abuse

The comments to this entry are closed.

 
 
© 2010 The Washington Post Company