Let’s suspend the whole "Microsoft vs Apple" competitive bit for a second in the interests of a constructive security discussion.
My friend Blake Handler wrote a blog entry about a potentially important flaw in QuickTime that has gone unpatched on Windows. More importantly, it points to the fact that patching across all applications and utilities is something companies need to be very vigilant about, including software they don’t bless but know is probably installed on their managed workstations.
(A full description of the flaw and the implications of leaving it unpatched is available on Secunia’s web site: http://secunia.com/blog/7/)
WHAT’S THE CONCERN?
The issue is that a simple hyperlink pointing to a QuickTime RTSP stream (an rtsp:// URL) within:
– any web site/page, using any web browser – Firefox, IE, Opera, etc.
– any hyperlink-aware mail application – not just HTML-aware email clients
– any hyperlink-aware application in general, such as Word, Acrobat, etc., that embeds links within documents
…could let an attacker run code of his choosing on a QuickTime user’s Windows-based computer through any one of these entry vectors. Remember that, at the time of writing, there is no patch: Apple has not released a fix for this flaw in its Windows version of QuickTime, so until one ships the only defences are workarounds on the workstation and at the network edge.
TWO IMPLICATIONS OF THIS ISSUE
Since the flaw is a buffer overflow, there are two important implications:
– The attacker’s code runs with the privileges of the user who is running QuickTime (or the browser or mail client that handed it the link). On most Windows XP workstations that user is a local administrator, so the attacker gets complete and total control of the computer outright; even where users run with limited rights, the attacker gets that user’s data and a foothold from which to escalate.
– Hardware DEP (Intel’s XD / AMD’s NX no-execute bit) can stop the classic overflow tactic of executing injected shellcode from the stack, but only if it is actually enabled for the QuickTime process. On Windows XP Service Pack 2 and Windows Vista the default DEP policy ("OptIn") covers only Windows system binaries, so a third-party application like QuickTime is not protected unless the application opts in or the workstation policy is switched to OptOut or AlwaysOn. Even then, DEP is a mitigation rather than a fix: techniques such as return-to-libc execute code that is already in the process rather than injected code, and the NX bit does not block them.
MOST COMPANIES DON’T PATCH QUICKTIME
What makes this flaw disconcerting is the fact that most IT departments I’ve seen do not publish or disseminate QuickTime patches to their desktop environment. If any patches are pushed out at all, they’re the ones from Microsoft Update and possibly Adobe. In fact, most of the time QuickTime isn’t even an IT-blessed application for a corporate workstation, meaning it was installed by the end user.
THIS ISN’T ABOUT APPLE
Now I want to be clear that I’m not "throwing stones" at Apple. ("People that live in glass houses… blah blah blah.") I’m fully aware that Microsoft should be the last company throwing stones at any other software developer for writing security hole ridden code.
What I’m trying to say is that IT desktop folks should be very concerned about:
– UNPATCHED FLAWS: unpatched security flaws in applications on their managed systems
– UNKNOWN APPLICATIONS: application installations they don’t know about on their managed systems
– VECTORS OF ATTACK: vectors of entry for attacks on potentially dangerous flaws that exist on managed workstations
This means that:
– If you allow any old application to be installed on end users’ workstations, you’re looking for trouble
– If you choose not to patch "unauthorized, unapproved" applications on end users’ workstations, you’re looking for trouble
– If you’re not monitoring entry points for attacks (inbound Internet connections, inbound email, workstation firewalls, etc.), you’re looking for trouble
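As an added example (not from the original post, from Blake’s entry or from Secunia’s write-up), here is a small Python check that a mail gateway or web proxy could run over an inbound message body to flag the kind of hyperlink described in the vector list above: any rtsp:// URL, whether it sits in an href attribute, in visible text that a mail client would turn into a link, or lightly obfuscated with HTML entities or embedded tabs. The flagged-scheme list, the attribute names and the sample message are assumptions constructed for the example.

```python
import re
from html import unescape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the only scheme this gateway check cares about is rtsp, the
# QuickTime streaming protocol the unpatched flaw lives in.
FLAGGED_SCHEMES = {"rtsp"}

# C0 control characters and space: stripped from the ends of a URL the way
# browsers do before parsing it.
_EDGE_JUNK = "".join(chr(c) for c in range(0x21))

# A scheme followed by "://" anywhere in visible text (mail clients linkify these).
_URL_IN_TEXT = re.compile(r"\b[A-Za-z][A-Za-z0-9+.-]*://[^\s<>\"']+")


class _LinkCollector(HTMLParser):
    """Gather every attribute value that can carry a URL, plus the visible text."""

    URL_ATTRS = {"href", "src", "data", "action", "background"}  # assumed set

    def __init__(self):
        super().__init__()   # convert_charrefs=True: entities in text and attributes decoded
        self.urls = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() in self.URL_ATTRS and value:
                self.urls.append(value)

    def handle_data(self, data):
        self.text.append(data)


def normalize(url):
    """Undo the cheap obfuscations a link can carry before its scheme is checked:
    HTML entities (rtsp&#58;// -> rtsp://), leading/trailing control characters
    and spaces, and embedded tabs/newlines, which URL parsers silently drop."""
    cleaned = unescape(url).strip(_EDGE_JUNK)
    return re.sub(r"[\t\r\n]", "", cleaned)


def scheme_of(url):
    """Lower-cased URI scheme of a (possibly obfuscated) URL, '' if it has none."""
    return urlsplit(normalize(url)).scheme.lower()


def find_flagged_links(body, is_html=True):
    """Return, in document order and without duplicates, every URL in a message
    body whose scheme is in FLAGGED_SCHEMES. HTML bodies are checked in both
    link attributes and visible text; plain-text bodies in the text only."""
    candidates = []
    if is_html:
        parser = _LinkCollector()
        parser.feed(body)
        parser.close()
        candidates.extend(parser.urls)
        candidates.extend(_URL_IN_TEXT.findall(" ".join(parser.text)))
    else:
        candidates.extend(_URL_IN_TEXT.findall(body))

    hits = [normalize(u) for u in candidates if scheme_of(u) in FLAGGED_SCHEMES]
    return list(dict.fromkeys(hits))   # de-duplicate, keep first-seen order


# Constructed sample message (not a real capture): three rtsp links hidden in
# different ways, and one harmless https link that must not be flagged.
SAMPLE_HTML_MAIL = """<html><body>
<p>Hi, the quarterly video is here:
<a href="RTSP://media.example.test/q3.mov">watch now</a></p>
<p>Also try <a href="rtsp&#58;//media.example.test/alt.mov">this one</a>,
or paste rtsp://media.example.test/plain.mov into QuickTime.</p>
<p>Harmless: <a href="https://intranet.example.test/">intranet</a></p>
</body></html>"""


if __name__ == "__main__":
    for hit in find_flagged_links(SAMPLE_HTML_MAIL):
        print("flagged:", hit)
```

This catches the vector, not the flaw: it tells you a message is trying to hand QuickTime a stream, which is only worth acting on because there is no patch. Once Apple ships a fix and you have deployed it to every workstation that has QuickTime (including the ones IT never blessed), the same check turns into a source of false positives and should be retired.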
