
Apple Security Update Fixing QuickTime Vulnerabilities

Guest post from Rodrigo Branco, Director of Vulnerability and Malware Research at Qualys

Apple just released an advisory addressing 17 security flaws in QuickTime Media Player. The update is rated critical as several of the fixed vulnerabilities can be used to achieve "Remote Code Execution". One of the critical vulnerabilities addressed is CVE-2012-0671, which I discovered and reported to Apple earlier this year.

How was the vulnerability discovered?

I found the vulnerability by manually investigating and reverse engineering the binary code of QuickTime and created a fuzzer to cover specific portions of the Apple media formats. In this particular vulnerability, QuickTime does not parse .pct media files properly, which causes a corruption in the module DllMain through a malformed file with an invalid value located at offset 0x20E. In my testing I used QuickTime Player version 7.7.1 (1680.42) on Windows XP SP 3 – PT_BR, but most likely other versions on Windows are affected as well.

A PoC repro01.pct is available for interested parties and was shared with Apple on February 22, 2012 to help them locate and fix the problem.

What does this vulnerability mean?

If you use QuickTime, attackers can take total control of your machine through this vulnerability, which is triggered by playing a malicious media file that uses overly large values in the PCT image format. A typical attack would embed such a file into a webpage and use social engineering to drive users into viewing the page. So far, there have been no reports of attackers exploiting this vulnerability.

To put this into context, QuickTime is used by 61% of all internet-enabled PCs, including 49% of all Windows PCs and 98% of all Apple computers (numbers courtesy of Qualys BrowserCheck). Even if you don’t use QuickTime by default to play movies and videos, it can be used as the media player for the PCT format in all web browsers, including Chrome, Safari, Internet Explorer and Firefox.

All users, consumers and businesses alike, should download the security update as soon as possible since simply browsing to a malicious web page on any web browser can activate this vulnerability. If you’re not sure whether your QuickTime plug-in is updated, you can use Qualys BrowserCheck, a free service, to check if you need to download the update.

Throughout the whole process, Apple was very professional in handling this issue and provided constant status updates upon my request. It was great to see a company of Apple’s size taking a proactive role to ensure that their software and their users are protected from major vulnerabilities like this one.

A detailed advisory can be accessed at

May Patch Tuesday 2012

This month, Microsoft released seven bulletins, three critical and four important, that addressed a total of 23 vulnerabilities. MS12-029 is the bulletin that should be highest on the list for most organizations, as it can be used to gain control of an end-user’s machine without requiring user interaction. The bulletin provides a patch for a vulnerability in the RTF file format that can be exploited through Microsoft Office 2003 and 2007. It is rated critical because simply viewing an attached file in the preview pane of Microsoft Outlook is sufficient to trigger the exploit.

MS12-034 — addressing 10 vulnerabilities — is the second critical bulletin, and it applies to the broadest selection of Microsoft software this month. Here’s some background to help to understand why: In December of 2011 Microsoft issued bulletin MS11-087, which patched a vulnerability in the TrueType Font handling in win32k.sys DLL that had actively been exploited by the Duqu malware. After the fix was delivered, Microsoft’s internal security team started an effort to identify further occurrences of the vulnerable code in Microsoft’s other software packages and found multiple products that contained the flawed code. MS12-034 now provides the patches necessary to address these "Sons of Duqu vulnerabilities," together with a number of other security fixes (9 CVEs) that were bundled into the same files. Please note that we are not aware of any malware currently exploiting this issue. See Microsoft’s SRD blog for a good summary of their internal engineering process.

MS12-035 is the third critical bulletin and addresses a flaw in XBAP, a Microsoft browser-based application delivery format. It is probably the least urgent bulletin to install, as it can only be exploited without user interaction by an attacker that sits in the Intranet zone of the target. Since June 2011, with the MS11-044 bulletin, Windows has changed its behavior from simply running an XBAP application to asking the user (via a popup window) whether it is ok to execute the application, which provides an additional layer of security. However, similar to our recommendation for Java, we advise users to completely disable XBAP to improve the overall robustness of their installations.

Of the remaining four important bulletins, we recommend focusing on MS12-030 for Excel and MS12-031 for Visio. Both are file-format vulnerabilities that allow an attacker to take control over the targeted machine if its user opens a specially crafted file. As we have seen in some of last year’s data breaches, the need for user interaction lowers the success rate only slightly, as attackers are capable of drafting a convincing e-mail that can trick a percentage of the e-mail’s recipients into opening such a file.

Adobe also released its monthly patches today, addressing five vulnerabilities in its Shockwave player. Three of the vulnerabilities were discovered by Rodrigo Branco, Qualys' Director of Vulnerability and Malware Research. You can find the detailed advisories published at If you have any questions about the Adobe patches, you can discuss the advisories at, which Rodrigo will be actively monitoring, or simply drop him an e-mail at

Fast Updating: the Best Way to Defend Against Java Attacks

This week Brian Krebs posted some important news – according to his sources, the BlackHole exploit kit has been equipped with an exploit for the Java vulnerability CVE-2012-0570, released a mere month ago on Feb. 14 by Oracle. BlackHole is a widely disseminated exploit kit, commercially available in the underground. It allows interested groups with basic computer knowledge to implement an operation to attack target machines through their web browsers by setting up malicious web sites. Used in conjunction with a malware kit such as Zeus or SpyEye, these groups can build botnets that can then be used to harvest personal information for sale, rented out for spam or DDoS operations, or handed over to pay-per-install operators.

The quality of the exploit kit plays an important role in such a setup, as it concentrates the rather sophisticated attack knowledge. The kit has to select the correct exploit based on the user’s configuration and the detected vulnerabilities. Most included exploits focus on older and well-known vulnerabilities (such as CVE-2010-1885 in Internet Explorer or CVE-2011-2110 in Adobe Flash), because they are the most stable and well-researched. A well-maintained target machine can usually not be penetrated with one of these off-the-shelf toolkits, as all software components are at the latest level. However, Java is difficult to update, and the addition of an exploit for such a new vulnerability in Java sharply increases the risk of an attack for the Internet population at large.

Our recommendation: update your Java installation to the latest version available. There are a number of tools available to help you to find out the version of Java you are running, including Oracle’s own version checker. I recommend our own tool, BrowserCheck. Just point your browser to and get a precise diagnostic on the state of your browser and its plugins, including Java and other attacker favorites such as Adobe Flash and Adobe Reader.

If you cannot update Java (or you want to make your machine or the ones that you are responsible for more resilient to future attacks), there is a configuration setting in Windows that can be used to limit Java to a few selected and trusted sites. This requires a simple modification of the Windows Registry: changing Registry Value 1C00 to Setting 0 in Zone 3 (Subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3), which prohibits Java from running in the Internet Zone.

Sites that need Java can be whitelisted under Internet Options/Security/Trusted Sites. This works across all versions of IE and is non-overridable. Google Chrome has a similar mechanism, but I like the Internet Explorer approach better than Google’s implementation, which prompts the user for a decision on whether to run the plugin. Unfortunately most users will opt in just to get rid of the prompt and continue to load the site, which has the potential to increase their security exposure.
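The registry change described above, scripted as an added example (this is not code from the original post or from Qualys): it reads the current 1C00 value for Zone 3, sets it to 0, and reports before/after so the change can be verified or rolled back. The zone key and value name are the ones the post gives; the function names are my own.

```powershell
# Added example, not from the original post: disable the Java plug-in in Internet Explorer's
# Internet zone (Zone 3) by setting the "1C00" (Java permissions) value to 0, as described above.
# The key path and value name are the ones named in the post; 1C00 is a REG_DWORD.
$zoneKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$valueName = '1C00'
$disabled  = 0

function Get-JavaZonePermission {
    param([string]$Key = $zoneKey)
    # Returns $null when the value has never been set (IE then uses its built-in default)
    $item = Get-ItemProperty -Path $Key -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$valueName
}

function Disable-JavaInInternetZone {
    param([string]$Key = $zoneKey)
    $before = Get-JavaZonePermission -Key $Key
    # -Type DWord creates the value as REG_DWORD if it is absent and keeps it a DWORD if present
    Set-ItemProperty -Path $Key -Name $valueName -Value $disabled -Type DWord
    $after = Get-JavaZonePermission -Key $Key
    # Keep the previous value in the output so it can be restored with Set-ItemProperty if needed
    [pscustomobject]@{ Key = $Key; Before = $before; After = $after; Changed = ($before -ne $after) }
}

# Sites added under Internet Options/Security/Trusted Sites fall into Zone 2 and are not
# touched by this change, which is what allows them to keep running Java.
Disable-JavaInInternetZone
```

The HKCU key affects only the current user's profile; run it in each profile that needs the restriction, or deploy the same value through Group Policy where the organisation manages IE zone settings centrally.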

February 2012 Patch Tuesday Preview

Microsoft published its Patch Tuesday Preview for February of 2012 and, as expected, we are getting a larger batch of nine bulletins addressing a total of 21 vulnerabilities. Four bulletins are classified as "critical" and the remaining as "important". There is the expected critical update to Internet Explorer, which should be highest priority. After all, we saw last month how quickly attackers are incorporating browser-based attacks into their toolkits; an exploit for MS12-004 was detected a mere 15 days after Patch Tuesday.

There are also two critical fixes for Windows itself, plus one for the .NET framework, that should be prioritized.

In the "important" category, there are three Remote Code Execution vulnerabilities, one of them in Office. Most likely we are looking at file-based attacks, and at least the Office vulnerability should be included in your first tier of patching.

January 2012 Patch Tuesday

2012’s first Patch Tuesday has seven bulletins, including the postponed bulletin from December 2011 that addresses the BEAST-style information disclosure. Talking about changes in schedules, Microsoft also released bulletin MS11-100 for ASP.NET, originally planned for this January, between Christmas and New Year’s of 2011, which you might have missed.

Our highest priority is MS12-004, which fixes two vulnerabilities in Windows Media Player, one critical in MIDI playing, one important in the closed caption (CC) interpretation. The vulnerabilities are relatively easy to trigger and require a specially crafted media input file. Attacks against these vulnerabilities can come either through e-mail or by hosting the media file on a website. They have the potential to be used in a drive-by-download attack.

Next on our list is MS12-005, a vulnerability in the Windows .NET packager that can be triggered through a malicious Microsoft Office Word or PowerPoint document. Microsoft rates it only as 'important', but we consider vulnerabilities that only rely on a user opening a file critical enough to move them up in priority.

MS12-006 is the mentioned fix for the BEAST attack and should be deployed on all of your webservers. BEAST was first demonstrated at the September 2011 Ekoparty conference in Buenos Aires and is a crypto attack against SSL/TLS that allows the attacker to decode and eavesdrop on HTTPS sessions. If you missed the MS11-100 release over the holidays, now is a good time to take the opportunity to bundle both together. Tools for triggering MS11-100 are actively being researched and are very simple to build, meaning that they will soon get added to the common DoS tools, maybe even to the one advertised here by Crista ( via @mikko).

MS12-001 is the bulletin that was tagged as addressing a 'Security Feature Bypass' flaw. This is a new category and Microsoft has written a blog post explaining the details involved. In summary: a certain version of Visual-C (2003 RTM) implemented the SAFESEH security measure in a way that Windows XP, 2003, Vista, Win7 and 2008 were unable to read the information and fell back to running the binary without the SAFESEH handler. Binaries compiled with the later versions of Visual-C (starting with SP1) are generated correctly, and MS12-001 now changes the affected Windows operating systems to be able to read the older format as well. There is no direct vulnerability here: an attacker would first have to identify software compiled with the old version of Visual-C, find a vulnerability in it, and code an exploit that uses the SEH exploit mechanism. Install it when you can, as it is a useful defense-in-depth measure.

Please also take a look at Adobe’s release today of a new version of Adobe Reader 9 and X. It covers CVE-2011-4369 for Adobe Reader X, which they had already addressed for Adobe Reader 9 out-of-band on December 16th due to exploits in the wild, plus a security enhancement that allows for better control of embedded JavaScript.

2011 Year in Review, Trends for 2012

Tony Bradley published yesterday a blog entry that contains a great summary of the top security incidents of 2011. This is worth reading for any IT administrator, as these attacks will grow in 2012, and if you are like me, you may agree that one always learns better by looking at real-life examples.

Tony Bradley, The Security Detail at TechTarget

Microsoft Releases MS11-100 for ASP.NET DoS Attack

Today Microsoft released a security bulletin addressing a flaw in ASP.NET that was disclosed early yesterday morning at the Chaos Communication Congress (CCC) in Berlin. Microsoft tested and finished MS11-100 in record time, taking about 30 days for the process of integrating this new vulnerability with the fix that was already scheduled for January 2012. We consider Microsoft’s reaction and implementation speed outstanding, as they were only notified at the tail end of the German security researchers’ work. We will be tracking how the other projects and vendors affected (PHP, Oracle, Python, Ruby and others) are rolling out their patches.

The bulletin fixes the DoS attack vector by providing a limit to the number of variables that can be submitted in a single HTTP POST request. The default limit is 1000, which should be enough for normal web applications but still low enough to neutralize the attack as described by the security researchers in Germany. This addresses the most obvious attack method immediately and leaves the reimplementation of the hash function for a future update.
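The limit is only a mitigation as long as nobody raises it, so the check a practitioner wants after deploying MS11-100 is whether any application has overridden it. The following added example (not code from the original post or from Microsoft) audits web.config files for such an override. It assumes the appSettings key name aspnet:MaxHttpCollectionKeys, which the bulletin's knowledge base article documents but this page does not name, and treats an absent key as the 1000 default the post states; the sample web.config it writes to a temp directory is constructed so the script runs offline.

```powershell
# Added example, not from the original post: find web.config files that raise the form-field
# limit introduced by MS11-100 above the 1000 default. The key name aspnet:MaxHttpCollectionKeys
# is the appSettings name documented with the bulletin (assumption: verify against the KB article).
$defaultLimit = 1000
$limitKey     = 'aspnet:MaxHttpCollectionKeys'

function Get-HttpCollectionKeyLimit {
    param([Parameter(Mandatory)][string]$ConfigPath)
    [xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
    $node  = $cfg.SelectSingleNode("/configuration/appSettings/add[@key='$limitKey']")
    # No override present means the patched default applies
    $limit = if ($null -eq $node) { $defaultLimit } else { [int]$node.GetAttribute('value') }
    [pscustomobject]@{
        Path       = $ConfigPath
        Limit      = $limit
        Overridden = ($null -ne $node)
        # A limit far above the default re-opens the window the bulletin closed, since the
        # attack depends on submitting a very large number of colliding field names
        Weakened   = ($limit -gt $defaultLimit)
    }
}

function Find-WeakenedConfigs {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -Filter web.config -Recurse -File |
        ForEach-Object { Get-HttpCollectionKeyLimit -ConfigPath $_.FullName } |
        Where-Object { $_.Weakened }
}

# Constructed sample for an offline run: a web.config that raises the limit to 50000.
$sampleDir = Join-Path ([IO.Path]::GetTempPath()) 'ms11-100-audit'
New-Item -ItemType Directory -Path $sampleDir -Force | Out-Null
@"
<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="$limitKey" value="50000" />
  </appSettings>
</configuration>
"@ | Set-Content -LiteralPath (Join-Path $sampleDir 'web.config')

# Expected: one row for the sample file with Limit 50000 and Weakened True
Find-WeakenedConfigs -Root $sampleDir | Format-Table Path, Limit, Overridden, Weakened
```

Point `Find-WeakenedConfigs` at the IIS web root (and include machine.config in the review, since an override there applies to every site on the host) to get the list of applications whose owners need to justify the higher limit.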

Overall the bulletin addresses four issues. CVE-2011-3416 is an ASP.NET Forms Authentication Bypass issue, which is rated as critical. CVE-2011-3414 is the hash table collision DoS issue discussed above and is rated as important. CVE-2011-3417 is the ASP.NET Ticket Caching vulnerability, which is also rated as important. And finally CVE-2011-3415 is the Insecure Redirect vulnerability, which is rated as moderate. We recommend installing as soon as possible if you have web-based infrastructure that uses ASP.NET.

October 2011 Patch Tuesday

Guest blog from Amol Sarwate, Manager of Vulnerability Labs for Qualys.

Microsoft released today fixes for a total of eight security bulletins, out of which two are marked as critical and the rest are marked as important.

The highest priority should be given to MS11-081 which patches a code execution vulnerability in Internet Explorer. The exploit occurs when a victim uses IE to browse a malicious website. High priority should also be given to MS11-078 which fixes a vulnerability in Microsoft Silverlight and the .NET framework. This vulnerability is also exploited when a victim browses a malicious website with a Silverlight enabled browser.

The remaining six bulletins are classified below. In our opinion they can be scheduled after the critical bulletins are patched:

Two DLL preloading issues were fixed by MS11-075 and MS11-076. More information about DLL preloading and workarounds can be found in advisory 2269637 from last year. Two local EoP issues were fixed in win32k.sys and AFD.sys by MS11-077 and MS11-080. To exploit these issues, attackers already need to have access to the target systems to gain higher privileges. Two patches were released for less pervasive technologies, namely Forefront Unified Access Gateway and Host Integration Server. In our opinion, the exposure for this is very low, but if your corporation uses these technologies, then patching is recommended.

Although eight bulletins were released, we do not expect this month’s release to generate a heavy load on administrators who are responsible for patching.

Patch Tuesday April 2011

In April 2011 Microsoft is releasing 17 security bulletins fixing a total of 64 vulnerabilities. Nine bulletins are rated critical and eight bulletins are rated important. All Windows operating systems and all versions of Office are affected, so this is a full plate for system administrators of companies both large and small.

At the top of the priority list of Qualys' vulnerability team is MS11-018, a bulletin for Windows Internet Explorer that addresses two vulnerabilities that are already being used by attackers in the wild to gain control over machines. We recommend deploying this patch immediately.

Next on our list is MS11-020, a server side vulnerability in the SMB protocol. Attackers can send a specially crafted packet to a server running this file sharing service and take control of the machine. The exploitability index is a low "1", meaning that attackers will have little difficulty in reverse engineering the exploit, once they have the patch for MS11-020 in hand. Companies that make SMB accessible over the Internet are especially at risk. However the main attack opportunity is going to be inside of enterprise networks, once an attacker has established a presence on the network, for example, through one of the more frequent client side vulnerabilities in browsers, browser plug-ins or applications.

MS11-019 is the third vulnerability that we rank as highly critical. It also affects the SMB protocol, but this time on the client side. The typical attack vector is an e-mail that contains a link to an external malicious file server. The client opens the file, the server responds with malicious content, and the attacker thereby gains control over the client workstation.

MS11-021, MS11-022, MS11-023 are all vulnerabilities in the Microsoft Office Suite. Rodrigo Branco, Director of Vulnerability Research at Qualys who reported the Excel vulnerability fixed by MS11-021 to Microsoft in 2010, emphasizes that an attacker can relatively easily craft an Excel file that will trigger this critical flaw and assume control of the target machine. He recommends installing this patch as quickly as possible.

Microsoft also shipped a fix (MS11-026) for the MHTML vulnerability in Windows. This vulnerability has seen a number of attacks since it was first disclosed by Google on March 11th. Microsoft had previously addressed it with a "Fix-it" script that locked down the MHTML protocol inside of Windows Explorer and Internet Explorer.

As in all months, IT administrators should review all remaining bulletins for applicability to their environments, but this month this is especially important with such a large number of vulnerabilities.

Note that Adobe released a security advisory for a critical vulnerability in Adobe Flash (APSA11-02) that is being used in the wild to attack workstations. As all current attacks use a Flash file embedded in Microsoft Word, we recommend looking into the possibility of disabling Flash content in Word files altogether through the Trust Center, as described in this Microsoft Tech Document.

Patch Tuesday March 2011 – Preview

Next Tuesday, March 8, Microsoft will release three security bulletins in their monthly patch cycle. One of the bulletins is rated as critical while the other two are rated important. This is a small update as compared to February in which there were a dozen updates.

The critical update affects Windows XP, Vista and Windows 7, while Windows Server 2003 and Server 2008 are not affected. One of the important updates affects all Windows operating systems, and we expect it to be for the MHTML Information Disclosure issue, which was left unpatched in last month’s patch cycle (2501696). The other important update patches the little-known Office Groove 2007 software.

Overall we expect this month’s Patch Tuesday to be easy to deploy for organizations and individuals.

-Amol Sarwate, Manager, Vulnerability Research Lab, for Qualys