New Backdoor Natured Code Found Inside Apple’s Quicktime
Researcher Ruben Santamarta of Wintercore, a security company based in Madrid, said that he recently uncovered an unusual vulnerability in Apple's QuickTime Player which, if exploited, could let hackers execute malware remotely on computers running any Windows OS. TheRegister published this on August 30, 2010.
An Apple developer had created a parameter named "Marshaled_pUnk" and included it in the QuickTime program, although it was never used. Even though that code had all the characteristics of a backdoor, he failed to delete it.
So the code remained in the program for 9 years or so before Santamarta happened to find it. He also observed that by exploiting it one could fully compromise computers running Windows 7, the safest OS from Microsoft to date.
According to Santamarta, hackers only needed to trick users into visiting a website hosting the exploit code for the attack to work. He added that the exploit worked when the victim used Internet Explorer on a system running Windows 7, Vista or XP with QuickTime 7.x or 6.x installed. ComputerWorld published this on August 30, 2010.
Also, according to Santamarta, his exploit bypassed two vital security measures that Microsoft had built into Windows: Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).
ASLR loads software at memory locations that hackers cannot know beforehand, while DEP prevents code placed in memory as data from being run.
However, Santamarta was able to find a way to repurpose code within an ordinary Windows file to evade these protections. Applying a method called ROP (return-oriented programming), the security researcher loaded WindowsLiveLogin.dll, a file from Windows Live, into memory and reassembled its existing instructions so that he was able to compromise the targeted PC.
Moreover, by using this Microsoft DLL he was not only able to learn the memory location at which the code would be loaded, but also to have it run.
Hence Symantec suggested that, until a patch was available from Apple, users should deactivate the QuickTime plug-in to prevent attacks. Alternatively, they could rename the plug-in or set the killbit for the QuickTime ActiveX control.
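As an added illustration of the killbit mitigation mentioned above (this is not code from the article, Symantec or Apple), the following PowerShell script sets and verifies the Internet Explorer killbit for an ActiveX control identified by its CLSID; the CLSID shown is a placeholder, since the article does not give the QuickTime control's identifier, and the registry paths and the 0x400 flag value are standard Internet Explorer ActiveX Compatibility settings.

```powershell
# Added example: set the IE killbit (COMPAT_EVIL_DONT_LOAD, 0x400) for an
# ActiveX control so Internet Explorer refuses to instantiate it.
# Run from an elevated PowerShell. $Clsid is a PLACEHOLDER; substitute the
# CLSID of the QuickTime ActiveX control on the affected machine.
param(
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}'  # PLACEHOLDER
)

$KillBit = 0x400

# On 64-bit Windows, 32-bit IE reads the Wow6432Node view, so both
# registry views must carry the flag for the mitigation to be complete.
$Paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
if ([Environment]::Is64BitOperatingSystem) {
    $Paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Get-CompatFlags([string]$Path) {
    $v = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $v) { return 0 }
    return [int]$v
}

function Set-KillBit([string]$Path) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # OR the bit in so that any existing compatibility flags are preserved.
    $flags = (Get-CompatFlags $Path) -bor $KillBit
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value $flags -Type DWord
}

function Test-KillBit([string]$Path) {
    return ((Get-CompatFlags $Path) -band $KillBit) -eq $KillBit
}

foreach ($p in $Paths) {
    Set-KillBit $p
    $state = if (Test-KillBit $p) { 'set' } else { 'NOT set' }
    "{0}: killbit {1}" -f $p, $state
}
```

The check function can be reused on its own to audit machines where the killbit is expected to be present, for example as part of a compliance scan.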
» SPAMfighter News - 07-09-2010