Quicktime / iTunes being exploited by malware


blue2blue

  • Members

Just this a.m., one of my iPod loving buddies was saying his copy of iTunes for Windows appeared to have been infected by malware. Six months or a year ago I would have suggested it was likely a coincidence... But as I listened to the details from him, it seemed clear that he'd correctly isolated the problem.

 

When I got home, I saw this article from Ryan Naraine's Zero Day blog:

 

Not counting silent (undocumented) fixes, Apple has patched at least 32 security flaws affecting QuickTime in 2007. Last year, the QuickTime patch count was 28. Five were documented in 2005.

 

Judging by the public release of details


  • Members

You can avoid the app if not the codec by using QT Alternative. There's some dispute as to the legitimacy of QT Alternative, which, AIUI, uses the actual QT codec. It's hard to say how much that would cut down your risk profile.

 

 


:

Apple QuickTime contains a stack buffer overflow vulnerability in the way QuickTime handles the RTSP Content-Type header. This vulnerability may be exploited by convincing a user to connect to a specially crafted RTSP stream. Note that QuickTime is a component of Apple iTunes, therefore iTunes installations are also affected by this vulnerability. We are aware of publicly available exploit code for this vulnerability.


Testing indicates that QuickTime versions 4.0 through 7.3 are vulnerable on all supported Mac and Windows platforms.


By convincing a user to connect to a specially crafted RTSP stream, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. An attacker can use various types of web page content, including a QuickTime Media Link file, to cause a user to load an RTSP stream.

We are currently unaware of a practical solution to this problem.

 

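The bug class the quoted advisory describes, as an added example that is not QuickTime's code and not part of the original thread: a fixed-size stack buffer filled straight from the RTSP Content-Type header (the unbounded pattern), beside a bounded version that rejects overlong values, plus a small header extractor run over two constructed replies. The buffer size CT_BUF, the function names and the sample replies are assumptions; nothing here reproduces the actual QuickTime code path or any exploit.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define CT_BUF 64   /* assumed buffer size; the real one is not on the page */

/* Vulnerable pattern (illustrative only, never feed it untrusted input):
 * unbounded copy of an attacker-controlled header value into a stack buffer. */
void content_type_unbounded(const char *value)
{
    char buf[CT_BUF];
    strcpy(buf, value);             /* writes past buf when strlen(value) >= CT_BUF */
    printf("Content-Type is %s\n", buf);
}

/* Hardened: refuse a value that does not fit, then copy exactly vlen bytes.
 * Returns 0 on success, -1 when the value is too long. */
int content_type_bounded(const char *value, size_t vlen, char *out, size_t outsz)
{
    if (vlen >= outsz)
        return -1;                  /* reject rather than truncate silently */
    memcpy(out, value, vlen);
    out[vlen] = '\0';
    return 0;
}

/* Case-insensitive test that a header line starts with name (e.g. "Content-Type:"). */
static int header_is(const char *line, const char *name)
{
    for (size_t i = 0; name[i] != '\0'; i++)
        if (line[i] == '\0' ||
            tolower((unsigned char)line[i]) != tolower((unsigned char)name[i]))
            return 0;
    return 1;
}

/* Locate the Content-Type value in a CRLF-delimited RTSP reply.  Returns a
 * pointer to the value (leading blanks skipped) and its length in *vlen,
 * or NULL when the header block (terminated by an empty line) has none. */
const char *find_content_type(const char *reply, size_t *vlen)
{
    const char *line = strstr(reply, "\r\n");   /* skip the status line */
    while (line) {
        line += 2;
        if (line[0] == '\r' || line[0] == '\0') /* end of headers */
            break;
        if (header_is(line, "Content-Type:")) {
            const char *v = line + strlen("Content-Type:");
            while (*v == ' ' || *v == '\t')
                v++;
            const char *end = strstr(v, "\r\n");
            *vlen = end ? (size_t)(end - v) : strlen(v);
            return v;
        }
        line = strstr(line, "\r\n");
    }
    return NULL;
}

/* Scratch buffer and classifier: 1 = value copied into ct_buf, 0 = no header,
 * -1 = value too long for CT_BUF (exactly what a filter on RTSP traffic would flag). */
char ct_buf[CT_BUF];

int classify(const char *reply)
{
    size_t vlen;
    const char *v = find_content_type(reply, &vlen);
    if (!v)
        return 0;
    return content_type_bounded(v, vlen, ct_buf, sizeof ct_buf) == 0 ? 1 : -1;
}

/* Constructed sample replies, not captured traffic. */
const char *benign_reply =
    "RTSP/1.0 200 OK\r\n"
    "CSeq: 1\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 0\r\n"
    "\r\n";

char hostile_reply[512];

const char *make_hostile_reply(void)
{
    char filler[200];                           /* 199 'A's: far past CT_BUF */
    memset(filler, 'A', sizeof filler - 1);
    filler[sizeof filler - 1] = '\0';
    snprintf(hostile_reply, sizeof hostile_reply,
             "RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: %s\r\n\r\n", filler);
    return hostile_reply;
}

int main(void)
{
    printf("benign:  %d (%s)\n", classify(benign_reply), ct_buf);
    printf("hostile: %d\n", classify(make_hostile_reply()));
    return 0;
}
```

The hardened path fails closed: an overlong value is reported, not clipped, because a client that silently truncates still tells an attacker nothing went wrong. The same length check on the Content-Type value, applied to replies arriving over the RTSP control port, is the kind of rule an inspecting proxy can use to drop a crafted stream before a vulnerable client sees it.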

  • Members

Well, ya heard it here first -- I passed along the (unconfirmed, anecdotal) report of this exploit in the wild back on 11-30.

 

 

Apple QuickTime exploit in the wild


ZDNet (UK)

Published on: Dec 3, 2007 8:14:00 AM

Symantec has found active exploit code in the wild for an unpatched Apple QuickTime vulnerability.


Researcher Joji Hamada wrote in Symantec's Security Response Weblog on Saturday that the company had seen exploit code for the vulnerability in Apple's media-streaming program that could lead to users downloading Trojan software.



Hamada said the exploit code was found on a compromised porn site that redirects users to a site hosting malicious software called "Downloader", which causes compromised machines to download other malicious software from the Internet. Symantec rates Downloader as "very low" risk.



No patch is currently available for the vulnerability, which affects version 7.x, and which lies in a boundary error when QuickTime processes Real Time Streaming Protocol (RTSP) replies.



Symantec is advising concerned IT professionals to run Web browsers at the highest security settings possible, disable Apple QuickTime as a registered RTSP protocol handler, and filter outgoing activity over common RTSP ports, including TCP port 554 and UDP ports 6970-6999.



Proof of concept code was published when the vulnerability was disclosed by security research company Secunia last week.

http://news.zdnet.com/2100-1009_22-6221098.html?tag=nl.e550

 

 

I followed that "Downloader" link and found this very disturbing article on crimeware toolkits...

 

In an age where "data equals money," fortune has replaced fame as hackers' key motivation. Criminals are willing to pay top dollar for personal, financial, and corporate data collected by Trojans and other "crimeware."


The evidence is out there. Price lists discovered on the black market reveal that criminals are willing to pay $5,000 for a financial report, $500 for a credit card with PIN, and $150 for a driver's license ID.


With do-it-yourself malicious software packages available for $200, cybercriminals need neither deep pockets nor programming skills to compromise a Web site or steal sensitive financial data from an infected PC. Indeed, Finjan's security research confirms that crimeware toolkits have become cybercriminals' favorite weapon. The new business model is criminal-2-criminal (C2C)--attackers selling malicious code and stolen data to other criminal elements that profit from it.


Most government offices, financial institutions, and large enterprises deploy signature-based antivirus tools and a network firewall to protect highly sensitive and private data. The fact is that cybercriminals know this, and they use new antiforensic techniques specifically designed to bypass these traditional security solutions.


The MPack toolkit, which infected more than 500,000 users in June 2007, illustrates this point. Even several weeks after intensive media coverage, the crimeware downloaded by the MPack toolkit was still not detected by the majority of leading security products.


One particularly devious Trojan installed by the MPack toolkit steals bank account information (such as user name, password, credit card number, Social Security number, ATM, PIN). The Trojan silently waits on the victim's PC until he/she accesses an online banking site, then it springs into action, harvesting the sensitive information. The user's online experience is identical to that of his/her own bank, and the stolen data is sent to the criminal's server over an encrypted SSL connection.

 


  • 2 weeks later...
  • Members

PROBLEMS UPDATING QUICKTIME for WINDOWS???

 

The ONLY way I could get Apple's QT download page to work was using Safari for Windows.

 

 

The QT patch has been out for a few days now but I'd been having a HECK of a time trying to get it. Every time I clicked the check for updates in QT/Win it took me to a page with links ONLY for QT Mac!

 

I searched the Apple site and found a few links for QT/Win DL's -- but they all took me back to the original Mac-only page. Finally, it occurred to me that I should check in something besides my default browser, Firefox 2.

 

So I go to the same URL using Internet Explorer and -- voila! -- there's a message that says my download will begin automatically. It is a lie. I sit there. Nothing. Try again. Nothing.

 

But I'm NOT out of options, oh no! I pull out my trusty copy of Safari for Windows which I keep for testing (it's far too slow to use for normal browsing, at least without super jacked up caching). And -- YES! -- I get the 'download will start automatically' message -- and it actually does!!!

 

I believe the appropriate phrase in our era is, w00t!

 

 

__________________________________

 

UPDATE -- rather than bump this thread up, I'll just add THIS interesting bit to this post:

 

The year 2007 has been an interesting year that brought us improved security with Windows Vista and Mac OS X Leopard (10.5). But to get some perspective of how many publicly known holes found in these two operating systems, I


This topic is now archived and is closed to further replies.