In This Issue: Tech Talk, News & Articles, Reader Q&A, Announcements, Etcetera
Tech Talk
The Need for Vigilance: QuickTime Zero-Day
Many IT administrators routinely dismiss zero-day vulnerabilities thinking that the "hand-waving" by many security zealots does not actually affect the network they manage. Unfortunately, this could not be further from the truth.
Zero-day vulnerabilities and their exploits quite possibly represent the most serious threat to networks, small and large, and they require a completely different approach to protection. This month we will examine an active zero-day vulnerability and its associated exploits to show how zero-day threats represent a very serious risk to your network.
Do any of your employees have an iPod that they plug into their workstation?
Do any of your employees surf Internet sites and play video?
The majority of network administrators would say "Yes".
Unfortunately, users that perform these two common activities are currently at a very high risk from a probable attack against one of the main software applications for these activities — QuickTime from Apple.
Apple QuickTime is installed with iTunes, which is the software used to upload music to the ever-common iPod. QuickTime is also the main player for Apple's proprietary video formats, such as .mov. Because of these two factors, there is a high likelihood that this software is installed in many business networks.
A vulnerability has recently been revealed in QuickTime that allows a remote, anonymous attacker to exploit QuickTime users simply by having them view a web page. This vulnerability is currently being tracked by eEye Research, and important information is posted in the eEye Zero-Day Tracker entry EEYEZD-20071123: Apple QuickTime RTSP Buffer Overflow.
The vulnerability lies in QuickTime's handling of the RTSP streaming protocol. Once a victim's client sends an RTSP request, the RTSP server's first response can include malformed data that could be manipulated to execute arbitrary code on the client.
The biggest problem comes from the fact that this response can be auto-requested on behalf of the victim when the victim views a web page. Because of this, an attacker need only have a victim visit a malicious website, which is quite easy to accomplish using many methods that are outside the scope of this discussion.
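The mechanism above is an attacker-controlled server answering a client's first RTSP request with malformed data. The following is an added example (not from the newsletter, eEye's products or Apple's code) of the generic sanity checks a proxy or host-based IPS can apply to an RTSP response before the client parses it. Since the page does not name the specific field that overflows, the checks are deliberately generic: structure, printable content, header sizes and Content-Length consistency. The thresholds and both sample responses are constructed assumptions.

```python
"""Generic sanity checks for an RTSP server's first response.

Added example, not code from the eEye newsletter, Blink, or Apple.
The limits below are assumptions: legitimate RTSP responses are short
ASCII text, so anything far beyond them deserves a closer look.
"""
import re
from typing import List, Tuple

MAX_STATUS_LINE = 256
MAX_HEADER_NAME = 64
MAX_HEADER_VALUE = 1024
MAX_HEADERS = 64
MAX_BODY = 64 * 1024

# "RTSP/1.0 200 OK" shape, reason phrase restricted to printable ASCII.
STATUS_RE = re.compile(rb"^RTSP/\d\.\d \d{3} [ -~]*$")
# RFC 2326 token characters allowed in a header name.
TOKEN_RE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def split_response(raw: bytes) -> Tuple[bytes, List[bytes], bytes]:
    """Split a raw response into status line, header lines and body.
    This works on bytes on purpose: a malformed response may not be valid
    text, and decoding first would hide exactly what we want to inspect."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    return lines[0], lines[1:], body


def audit_rtsp_response(raw: bytes) -> List[str]:
    """Return a list of findings explaining why the response looks malformed.
    An empty list means the response passed every generic check."""
    findings: List[str] = []
    status, header_lines, body = split_response(raw)

    if not STATUS_RE.match(status):
        findings.append("status line is not a well-formed RTSP status line")
    if len(status) > MAX_STATUS_LINE:
        findings.append(f"status line is {len(status)} bytes (limit {MAX_STATUS_LINE})")
    if len(header_lines) > MAX_HEADERS:
        findings.append(f"{len(header_lines)} headers (limit {MAX_HEADERS})")

    content_length = None
    for line in header_lines:
        name, sep, value = line.partition(b":")
        label = name[:32].decode("ascii", "replace")
        if not sep:
            findings.append(f"header line without ':' separator: {label!r}")
            continue
        if not TOKEN_RE.match(name):
            findings.append(f"header name contains invalid characters: {label!r}")
        if len(name) > MAX_HEADER_NAME:
            findings.append(f"header name {label!r} is {len(name)} bytes")
        value = value.strip()
        if len(value) > MAX_HEADER_VALUE:
            findings.append(f"header {label!r} value is {len(value)} bytes (limit {MAX_HEADER_VALUE})")
        # Header values are text; bytes outside printable ASCII (tab allowed) are a red flag.
        if any((b < 0x20 and b != 0x09) or b > 0x7E for b in value):
            findings.append(f"header {label!r} value contains non-printable bytes")
        if name.lower() == b"content-length":
            try:
                content_length = int(value)
            except ValueError:
                findings.append("Content-Length is not an integer")

    if content_length is not None and content_length != len(body):
        findings.append(f"Content-Length {content_length} does not match body size {len(body)}")
    if len(body) > MAX_BODY:
        findings.append(f"body is {len(body)} bytes (limit {MAX_BODY})")
    return findings


# Constructed sample: what a normal first response to OPTIONS looks like.
BENIGN = (
    b"RTSP/1.0 200 OK\r\n"
    b"CSeq: 1\r\n"
    b"Server: ExampleStreamer/1.0\r\n"
    b"Public: OPTIONS, DESCRIBE, SETUP, PLAY, TEARDOWN\r\n"
    b"\r\n"
)

# Constructed sample: a header value padded far beyond any legitimate size
# and carrying non-printable bytes, the general shape of malformed data
# aimed at a client-side parser.
SUSPICIOUS = (
    b"RTSP/1.0 200 OK\r\n"
    b"CSeq: 1\r\n"
    b"Server: " + b"A" * 3000 + b"\x01\x02\xff\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for tag, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(tag, audit_rtsp_response(sample) or "passed")
```

Run stand-alone, the benign sample passes and the suspicious one produces two findings (oversized value, non-printable bytes). In a real deployment the audit would sit in the path between the server and the client, dropping or logging responses that return any finding, which is the kind of generic protection the next sections describe.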
Once that victim is exploited, the attacker could use this infected workstation to launch greater attacks against the network from within the firewalled network.
Shortly after the details of this vulnerability were released, proof-of-concept exploits were posted on a very well-known exploit website that is referenced in the eEye Zero-Day Tracker.
The proof-of-concept on that site was meant to show other researchers and attackers where the vulnerability lay in the code, but was not meant to be used in a real-world attack. However, within 3 days, a fully functional exploit was released which allowed even the least knowledgeable attacker to start using an exploit against potential victims. This vulnerability went from a small blip on many IT administrators' radar to the most serious vulnerability affecting their network.
This vulnerability remains unpatched by Apple at the time of this writing. This means that networks have only 3 options:
- Protect their networks by uninstalling QuickTime
- Do nothing and hope that their users are not attacked until a patch is available from Apple
- Use simple "security-in-depth" techniques to analyze the security posture of the network toward this threat.
Of these three options, the most realistic when it comes to balancing usability with security is the third. Unfortunately, for the IT staff, this also means the most work. However, by using tools specifically designed to combat these types of threats, this can be easily accomplished.
1 - Generic IPS
Many administrators have heard the classic term "buffer overflow protection". One of the most entertaining aspects of this vulnerability from a research perspective is that QuickTime has actually been compiled with the Microsoft-suggested buffer overflow protection, but is still exploitable.
However, a much more robust exploit prevention system is available from security vendors that protect against exploits generically. By utilizing a generic memory-based firewall as well as a smart host-based network IPS, administrators can feel safe that exploitation attempts made against their network will be chopped down at the knees as soon as the exploit attempts to run on a victim's workstation.
2 - Generic Anti-Malware
In environments where a generic IPS is disabled (surprisingly, this actually happens in some networks), the next layer of defense is the detection of an exploit payload in the form of a trojan or other malware.
This line of defense has perhaps the most difficult battle since the shelf-life of a piece of malware is now being measured in hours, not months. Because of this, generic malware engines are required. These engines detect malicious behavior in a binary and block its execution on the victim's host. By using a solid generic anti-malware system, administrators can feel relieved that the majority of successful attacks will be unable to install a trojan or backdoor since the behavior would inherently look malicious to a smart generic anti-malware engine.
3 - Vulnerability Assessment
Last but not least, administrators need to be able to quantify the threat potential of a vulnerability against their specific network. This depends entirely on the installed base of the vulnerable software in the network, and can only be determined by doing a full scan of the network to identify all potentially vulnerable machines.
Since this cannot be done at the network layer without credentials, the best approach is to use a host-based vulnerability assessment tool. By correlating this data across the entire network, IT security teams will have a good understanding of their posture against attacks on this vulnerability, and can develop IT policies and strategies based upon the findings.
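The correlation step described above, as an added example that is not eEye's Blink or Retina code: per-host inventories reported by an agent are merged into a single posture report that lists which hosts carry QuickTime, either directly or through iTunes (which, as noted earlier, installs QuickTime). The inventory format, the hostnames, the "site" convention taken from the second hostname token, and the application names are all constructed assumptions for illustration.

```python
"""Correlate host-based software inventories into a QuickTime exposure report.

Added example, not eEye product code. Inventory lines are constructed and
use the assumed format: host,application,version
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed inventory, as a host-based agent might report it to a console.
INVENTORY = """\
ws-fin-01,Apple QuickTime,7.2
ws-fin-01,iTunes,7.5
ws-fin-02,Mozilla Firefox,2.0.0.9
ws-mkt-01,iTunes,7.4
ws-mkt-02,Apple QuickTime,7.3
srv-db-01,Microsoft SQL Server,9.0
"""

# Applications that bring QuickTime onto a host (names are assumptions):
# QuickTime itself, and iTunes, which installs QuickTime alongside it.
EXPOSING_APPS = {"apple quicktime", "itunes"}


def parse_inventory(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group (application, version) pairs by host; reject malformed lines."""
    hosts: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3 or not all(parts):
            raise ValueError(f"line {lineno}: expected host,application,version")
        host, app, version = parts
        hosts[host].append((app, version))
    return dict(hosts)


def site_of(host: str) -> str:
    """Assumed naming convention: the second dash-separated token is the site."""
    tokens = host.split("-")
    return tokens[1] if len(tokens) > 1 else "unknown"


def assess(text: str) -> dict:
    """Build the posture summary: which hosts expose QuickTime, and how that
    exposure is distributed across sites, so policy can be targeted."""
    hosts = parse_inventory(text)
    exposed: Dict[str, List[Tuple[str, str]]] = {}
    by_site: Dict[str, List[int]] = defaultdict(lambda: [0, 0])  # [exposed, total]
    for host, apps in hosts.items():
        hits = [(a, v) for a, v in apps if a.lower() in EXPOSING_APPS]
        site = by_site[site_of(host)]
        site[1] += 1
        if hits:
            exposed[host] = hits
            site[0] += 1
    total = len(hosts)
    return {
        "hosts_scanned": total,
        "hosts_exposed": len(exposed),
        "exposure_ratio": len(exposed) / total if total else 0.0,
        "exposed": exposed,
        "by_site": {s: (e, t) for s, (e, t) in by_site.items()},
    }


def report(text: str) -> str:
    """Human-readable version of assess(), one line per host and per site."""
    r = assess(text)
    lines = [f"{r['hosts_exposed']} of {r['hosts_scanned']} hosts expose QuickTime "
             f"({r['exposure_ratio']:.0%})"]
    for host, hits in sorted(r["exposed"].items()):
        lines.append(f"  {host}: " + ", ".join(f"{a} {v}" for a, v in hits))
    for site, (e, t) in sorted(r["by_site"].items()):
        lines.append(f"  site {site}: {e}/{t} exposed")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(INVENTORY))
```

The site breakdown is what turns a list of hosts into a policy decision: a site where every workstation exposes QuickTime is a candidate for the uninstall option, while a site with one or two hits can be handled host by host.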
By utilizing these three tools and bringing the line-of-defense from the gateway to the desktop, administrators can feel at ease about the security posture of their network against all types of threats — including zero-day vulnerabilities and exploits such as the QuickTime vulnerability and accompanying exploits.
Source: Andre Derek Protas, Director of Research and Preview Services
News & Articles
The following articles represent the opinions of their respective authors. They do not necessarily represent the opinions of eEye Digital Security.
Information Security Magazine: Color Me Complex
"Endpoint security products have introduced a new dynamism into our industry, as antivirus vendors augment their wares with fresh features to compete against each other and hungry challengers. To help sort out all of this, Information Security evaluated seven enterprise endpoint security solutions. Grading each on its management capabilities, reporting, ability to detect and block malware, detecting and thwarting exploit attempts, and integration of the various desktop security capabilities in one package." Full Article

Dangerous Security Mistakes That Can Take Your Company Down
"CRN recently asked several IT security experts for their take on some of the most common errors in judgment companies make when it comes to securing their networks." Full Article

View All Media Coverage
"eEye and its security solutions have been covered by numerous press and media associations." Full Article
Reader Q&A
Q: What does eEye Research see as the next big project for network admins?
A: Currently eEye Research thinks one of the biggest things that network administrators need to start thinking of is Windows XP SP3. Slated to be released in the coming months, this service pack could represent a huge change to internal networking. There is discussion that this service pack will add Vista features to XP, which of course could potentially break existing functionality. Furthermore, as mentioned by eEye Research quite a few times, Silently Fixed Vulnerabilities could also be patched in this Service Pack, leaving SP2 users at potential risk if they do not apply the patch quickly. Administrators should begin their test-planning phase, and if the service pack RC is available to them, they should begin testing it against internal applications as soon as possible.
Have a question you would like answered? Send it to versa@eEye.com, and win an eEye t-shirt if we select your question for an upcoming newsletter.
Announcements
eEye Ranked Top Host-based Security Solution by Information Security Magazine
eEye's Blink is rated the top endpoint security product, beating major security companies and leading to 53% sales growth. Full Article

eEye's Blink Blocks Bogus FTC Spoof Email
Email that states it's from the FTC's "Fraud Department" has a virus attached. Full Article

View All Articles and Announcements
eEye and its security solutions have introduced a number of newsworthy security advisories and security technology deliveries that have been covered by the press. Select any of the links below to view more details regarding our most recent articles and announcements. Full Article
Etcetera
Stay Up-to-Date with eEye Research
eEye Research has seen some staggering results from the recent influx in Blink Personal/Neighborhood Watch users. This data is offering eEye Research a distinct insight into host-based vulnerability and attack trends to offer enhanced protection in Blink. Keep an eye on the eEye Research Portal http://research.eeye.com/ for future projects that have arisen because of the mass use of Blink Personal, including Neighborhood Watch reports and attack trends. More

Vulnerability Expert Forums
The monthly Vulnerability Expert Forum focuses on recently announced critical vulnerabilities from Microsoft and other software vendors. eEye's Internet security experts will describe the actions necessary to protect your systems from the threats that target these vulnerabilities. More
HOW TO SUBSCRIBE
To subscribe to this and other eEye newsletters, please visit: http://www.eeye.com/html/resources/newsletters/subscribe.html
FEEDBACK
The eEye newsletter staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to versa@eeye.com.
DISCLAIMER
The information within this newsletter may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
NOTICE
Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of eEye. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email versa@eeye.com for permission.