Security Watch | Matt Hines

April 26, 2007 | Comments: (0)

Researchers - Remote QuickTime exploit isn't out

Security researchers involved with the MacBook Pro/QuickTime exploit detailed at last week's CanSecWest conference are denying reports that the threat is circulating publicly, but admit that the vulnerability used in the attack is easier to find than they originally believed.

Matasano Security Researcher Thomas Ptacek said that his team -- which includes Dino Dai Zovi, who wrote the exploit as part of a CanSecWest Mac-hacking competition sponsored by 3Com's TippingPoint division -- has determined that people who claim to have scraped the exploit from the conference network are most likely not telling the truth.

Ptacek posted a blog entry late Wednesday, based on another blogger's claim that the exploit code had been intercepted at CanSecWest, warning that the QuickTime exploit might have been unintentionally exposed and advising people to turn off Java in their browsers to avoid attack.

As part of the competition, TippingPoint had originally instructed competitors to post their exploits to a publicly available wiki, from which the attacks would be loaded onto a Mac laptop and tested against a browser.

The individual claiming to have access to the exploit code, identified only by their blog name "Information Security Sell Out," said that it was snatched from the wiki as it was waiting to be tested.

However, CanSecWest organizers told Ptacek that they changed the format of the competition mid-event, and that the information needed to reverse engineer the code could not have been taken out of the wiki as the blogger has claimed.

Other details of the post have also led the Matasano team to doubt the validity of the blogger's claims, Ptacek said.

"At this point we believe that the details of the exploit sneaking out are false, some of the things being said are wrong, such as the claim that it uses JavaScript, which it doesn't involve," he said. "We don't have any credible statements being made and they don't match the confidential details available only to us and [TippingPoint]; in terms of scraping the exploit from the wiki, the CanSecWest guys are telling us this couldn't have happened, as they changed the use of the wiki."

Representatives of CanSecWest posted to Ptacek's blog, saying that it couldn't have been taken from their network either.

The post reads:

"Someone may have reverse-engineered the vulnerability but they didn't pull it off the network there. The network was very simple: a WAP that was connected to a hub and to the router to provide Internet access. The Macs sat on the hub and the only other systems on there were the ones we used to monitor the network to ensure rules were followed and then K2’s when he ran the exploit. The WAP was routing traffic from the hub to the Internet, not sending it out over the wireless network.

We were sniffing the traffic on the wireless network and would have noticed if it had been getting traffic from the wired side.

Y'all know routing & switching protocols well enough to know that traffic destined for the Internet wouldn’t end up on the pocket wireless network. The AP doesn't have enough smarts to mess up routing that way unless someone owned it (which is admittedly possible).

The point is, no one sitting on the wireless network would have been able to sniff the traffic from the wired network to the Internet."

Despite their belief that the Information Security Sell Out claims are untrue, Ptacek said that the Matasano team has deduced that the QuickTime vulnerability used to carry out the exploit -- which affects a number of browsers, not just Apple Safari -- is easier to find than they originally thought it to be.

Apple has been informed of the vulnerability, and TippingPoint has added the CanSecWest Mac Hack to its list of upcoming bulletins.

Posted by Matt Hines on April 26, 2007 08:18 AM