We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,258 News Articles

Quicktime exploit is still a threat

Researcher claims Apple’s patch is insufficient

The QuickTime vulnerability that led to a widespread worm outbreak on MySpace.com last month could be exploited again, according to security researcher Aviv Raff, who has published software that illustrates his point.

Apple issued a temporary patch for the problem last month, but this week Raff published proof-of-concept code showing how the bug could still be exploited in combination with other malicious software to run unauthorised software on a patched computer.

Apple created its patch after a worm spread through the MySpace community in early December, stealing MySpace log-in credentials and promoting adware websites. But rather than addressing the underlying problem, Apple's fix appears to simply block the MySpace worm code, Raff said. "Apple's patch has no effect on this vulnerability," he said.

Users were infected by the MySpace worm when they played maliciously encoded .mov multimedia files.

The attack demonstrated by Raff is called a cross-zone scripting attack. It circumvents the ‘zone’ security model that’s used by Internet Explorer to limit the types of things web-based software can do on a PC. "It potentially allows an attacker to execute arbitrary code on the user's machine," Raff said.

Raff's proof-of-concept code shows how this cross-zone scripting attack could be used to run code on a Windows 2000 system running the Internet Explorer 6 browser. It was published as part of a month-long effort to draw attention to security issues in Apple's products, called the Month of Apple Bugs.

Running malware on a victim's PC is a two-step process, however, and attackers would also need to exploit a second vulnerability in order to trick the browser into running their code.

Raff's code exploits a known bug in Microsoft's Management Console software, which was patched last August. But the attack could also be paired with code that takes advantage of an unpatched Windows vulnerability, making it a far more serious exploit, said Alyssa Myers, a virus research engineer with McAfee. "It seems likely that this sort of thing could be used for a MySpace worm," she said. "Whether that actually ends up happening is anybody's guess."

When Apple created its QuickTime fix last month, it did not deliver the software directly to QuickTime users but instead took the unusual step of having MySpace link to the code.

Apple may have decided not to distribute this patch directly because it did not address the underlying problem, said Tim Erlin, risk assessment technology manager with nCircle Network Security. "They didn't patch the whole thing," he said. "They reacted to the emergence of a worm on MySpace."

It will be hard for Apple to fix the underlying problem, researchers said, because the HREF Track QuickTime feature that’s exploited in these attacks is used by a number of legitimate applications. These would be broken if Apple simply disabled the feature, Erlin said. "They can't simply pull it out," he said.

Apple is working on a "broader solution" to the QuickTime problem, a company spokesman said. He could not immediately comment on Raff's proof-of-concept code.

IDG UK Sites

Best camera phone of 2015: iPhone 6 Plus vs LG G4 vs Galaxy S6 vs One M9 vs Nexus 6

IDG UK Sites

In defence of BlackBerrys

IDG UK Sites

Why we should reserve judgement on Apple ditching Helvetica in OS X/iOS for the Apple Watch's San...

IDG UK Sites

Retina 3.3GHz iMac 27in preview: Apple cuts £400 of price of Retina iMac with new model