More QuickTime bugs located as one is patched
By Steve Ragan Jan 29, 2007, 11:35 GMT
Apple released a patch for the QuickTime bug disclosed earlier this month, which was published along with a proof-of-concept exploit that allowed attacks on the media software.
What is interesting about this patch is that it came twenty-two days after the bug was exposed during the month-long project called the “Month of Apple Bugs”, or MoAB for short. While it is a positive thing to see a patch released, the time it took was a disappointment: the bug was disclosed with full details and working exploitation code. Many online are asking why it took so long for a patch to be released.
On the MoAB website, the person who released the code, a researcher named LMH, said, “22 days to fix a remote arbitrary code execution issue in one of their most extended products, distributed with working exploits for both Microsoft Windows and Mac OS X versions can be considered acceptable timing. Come on, it's not that difficult to change a strcpy() call... is it?”
Without knowing Apple's development process, one cannot say how hard it is to develop a patch. If one assumes the bug was minor and the code was easy to fix, then there is no reason users should have had to wait so long for a patch to a bug that affected so many of them. If in fact it genuinely needed that long, then the news of a new exploit for QuickTime will not sit well with users of the program.
It was released on Tuesday, and as yet there is no patch. The new exploit targets QuickDraw, which is integrated into Mac OS X and used by QuickTime and any other program that needs to handle PICT images. What makes this exploit more damaging is that it can be combined with another unpatched Apple bug. That bug, released Monday, deals with Apple’s UserNotificationCenter and makes it possible to gain local root privileges on a system when the exploit is triggered.
A working example cited by LMH on the MoAB website explains that the UserNotificationCenter exploit:
“…makes every "denial of service issue" leading to a so-called 'crash' usable for escalating privileges. Elevating to root from wheel is as simple as replacing the installAssistant binary with a setuid(0) shell wrapper and running diskutil to "repair" the permissions, setting the setuid bit back. diskutil requires the user to have admin group privileges, but due to the fact that it's being executed in the context of the InputManager (which, again, runs with wheel privileges) the issue can be successfully exploited by fully unprivileged users….”
With that information, the QuickDraw bug, which causes a denial of service leading to a system crash, can be chained with the UserNotificationCenter exploit to gain access to a system. The QuickDraw bug is triggered when a malicious PICT image is opened. The PICT image causes the system crash, and thus the denial of service, through a corrupt ARGB (alpha RGB) error when the image data is passed to the _GetSrcBits32ARGB() function. While QuickTime associates itself with PICT files, Safari also allows a MIME association, giving a two-pronged approach to attacking a system.
As there is no patch available to correct this issue, the MoAB website said, a temporary fix would be to use RCDefaultApp to disable file and MIME type associations for PICT files. To limit the UserNotificationCenter exploit and protect against it until a patch is released, restrict user access to /Library/InputManagers/. Preventing use of diskutil is also needed. Modifying permissions on the installAssistant binary alone will not work, however, because the tool will reset permissions back to their original form. With luck, Apple will patch things sooner than twenty-two days from now.
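As a check a defender could run against the InputManagers lockdown described above, here is an added shell example that is not from the article or the MoAB site; it assumes the directory path given in the article and reports group- or world-writable entries and any setuid files beneath it:

```shell
#!/bin/sh
# Added example (not from the article or MoAB): audit the InputManagers
# directory the article recommends restricting. Reports entries that are
# group- or world-writable and any setuid files beneath it, and returns
# non-zero if either is found.
# Assumption: the directory path is passed as the first argument; the
# default is /Library/InputManagers as named in the article.

audit_inputmanagers() {
  dir="${1:-/Library/InputManagers}"
  if [ ! -d "$dir" ]; then
    echo "no $dir present"
    return 0
  fi
  # Entries writable by group or others: a local user in that group could
  # replace an InputManager bundle that is loaded into other users' processes.
  writable=$(find "$dir" \( -perm -0020 -o -perm -0002 \) 2>/dev/null | wc -l | tr -d ' ')
  # setuid files under this directory are never expected.
  suid=$(find "$dir" -type f -perm -4000 2>/dev/null | wc -l | tr -d ' ')
  echo "$dir: writable=$writable suid=$suid"
  if [ "$writable" -eq 0 ] && [ "$suid" -eq 0 ]; then
    return 0
  fi
  return 1
}
```

Run it as root on the real directory; the exit status makes it usable from a periodic job or a configuration check.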