  Cudni La Merma - Vigilado Premium,MVM join:2003-12-20 Someshire
| Mac flaw may also affect Windows
from »www.securityfocus.com/brief/488 "... The attack successfully used in last week's CanSecWest competition exploits a Java-based flaw in QuickTime and affects all browsers on systems with the multimedia software installed, possibly including Windows, Dino Dai Zovi, who discovered the flaw, told SecurityFocus on Monday. ... To be safe, users of both the Mac OS X and Windows should turn off Java, if they have Apple's QuickTime software installed, Dai Zovi said. ..."
Cudni |
|
 matunga
join:2003-07-26
2 edits | Internet Explorer is not affected: "Terri Forslof, manager of security response at TippingPoint, confirmed with me today that any Java-enabled browser is potentially vulnerable. Internet Explorer is not, she said" »securitywatch.eweek.com/mac_hack···ani.html |
|
  Cudni La Merma - Vigilado Premium,MVM join:2003-12-20 Someshire | they mean IE on Vista?
Cudni |
|
 matunga
join:2003-07-26
1 edit | said by Cudni :they mean IE on Vista? Internet Explorer is Internet Explorer. It's not affected! |
|
  angussf Premium join:2002-01-11 Tucson, AZ
| quote: Internet Explorer is Internet Explorer. It's not affected!
Actually, the article said IE "was not affected because of its sandbox feature" which AFAIK is only present in IE7 on Vista. I don't think IE7 on XP or IE6 has a "sandbox feature" to protect it (unless you're running something like SandboxIE »www.sandboxie.com/) |
|
  AB Premium join:2006-04-04 Leesburg, VA
| reply to Cudni said by Cudni :. . To be safe, users of both the Mac OS X and Windows should turn off Java, if they have Apple's QuickTime software installed, Dai Zovi said. ..." Java or javascript? Most websites require javascript enabled when viewing media files. .Mov files are no exception. The Sun-Java application rarely comes into play when watching a movie, as far as I know. Which makes the advice, "only watch .mov files that already exist on your hard drive, don't watch them on the Internet".
Sounds awfully similar to the 'My Space' flaw that was circulating awhile back, and supposedly patched. You'd think they might have been able to patch any similar flaws at the time. |
|
 matunga
join:2003-07-26 1 edit | said by AB :Java or javascript? Java is Java, it's NOT javascript! |
|
  AB Premium join:2006-04-04 Leesburg, VA
| said by matunga :Java is Java, it's NOT javascript! An incredibly valuable piece of information. Thanks a million. |
|
 matunga
join:2003-07-26
4 edits | said by AB :Most websites require javascript enabled when viewing media files Javascript is NOT required. Put this code in an HTML page and a .mov videoclip is played automatically with Firefox and IE:
<OBJECT classid='clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B' width="320" height="240" codebase='http://www.apple.com/qtactivex/qtplugin.cab'>
  <param name='src' value="http://mydomain.com/video.mov">
  <param name='autoplay' value="true">
  <param name='controller' value="false">
  <param name='loop' value="false">
  <EMBED src="http://mydomain.com/video.mov" width="320" height="240" autoplay="true" controller="false" loop="false" bgcolor="#000000" pluginspage='http://www.apple.com/quicktime/download/'>
  </EMBED>
</OBJECT> |
|
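An added example, not part of any post in this thread: a small Python inventory of the tags that make a browser load a plugin, run over the markup posted above, to show that QuickTime or Java content is instantiated with no `<script>` on the page. The second sample page and its class name are constructed for illustration.

```python
from html.parser import HTMLParser

# ActiveX class id of the QuickTime control, as it appears in the post above.
QUICKTIME_CLSID = "clsid:02bf25d5-8c17-4b23-bc80-d3488abddc6b"

class PluginInventory(HTMLParser):
    """Record tags that load a plugin, and count <script> tags separately."""

    def __init__(self):
        super().__init__()
        self.findings = []   # list of (tag, kind)
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names; values keep their case.
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self.scripts += 1
        elif tag == "applet":
            self.findings.append((tag, "java-applet"))
        elif tag == "object" and a.get("classid", "").lower() == QUICKTIME_CLSID:
            self.findings.append((tag, "quicktime-activex"))
        elif tag == "object" and a.get("type", "").lower().startswith("application/x-java"):
            self.findings.append((tag, "java-applet"))
        elif tag == "embed" and (a.get("src", "").lower().endswith(".mov")
                                 or a.get("type", "").lower() == "video/quicktime"):
            self.findings.append((tag, "quicktime-media"))

def inventory(html):
    """Return the plugin-loading tags and the number of <script> tags in html."""
    parser = PluginInventory()
    parser.feed(html)
    parser.close()
    return {"plugins": parser.findings, "scripts": parser.scripts}

# Sample 1: shortened copy of the markup from the post above (no <script>).
QT_PAGE = """<OBJECT classid='clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B' width="320" height="240">
<param name='src' value="http://mydomain.com/video.mov">
<EMBED src="http://mydomain.com/video.mov" width="320" height="240" autoplay="true">
</EMBED></OBJECT>"""

# Sample 2: constructed page with a Java applet; "Example.class" is made up.
APPLET_PAGE = '<html><body><applet code="Example.class" width="200" height="100"></applet></body></html>'

if __name__ == "__main__":
    for name, page in (("quicktime", QT_PAGE), ("applet", APPLET_PAGE)):
        print(name, inventory(page))
```

Both samples report plugin content with a script count of zero, so turning off JavaScript alone does not stop a page from starting QuickTime or a Java applet.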
  AB Premium join:2006-04-04 Leesburg, VA
| said by matunga :said by AB :Most websites require javascript enabled when viewing media files Javascript is NOT required. Put this code in an HTML document and a .mov videoclip is played automatically . . . My Granddad will be getting all over that one, I'm sure. Tres fabuloso! Thanks again.  |
|
 matunga
join:2003-07-26 | Embedded QuickTime Movie with Autostart »home.att.net/~cherokee68/qtmovie.html |
|
  AB Premium join:2006-04-04 Leesburg, VA
| Cool clip, thanks! Gramps is gonna love it. 
This kind of brings us back around to this likely being a javascript thing, not a Sun-Java thing, doesn't it? The article would seem to indicate that the issue lies with Sun-Java & Quicktime. I've never known .mov files or the Quicktime player to rely on or make use of Sun-Java, have you? |
|
  GILXA1226 Premium,MVM join:2000-12-29 London, OH clubs:
| said by AB :Cool clip, thanks! Gramps is gonna love it.  This kind of brings us back around to this likely being a javascript thing, not a Sun-Java thing, doesn't it? The article would seem to indicate that the issue lies with Sun-Java & Quicktime. I've never known .mov files or the Quicktime player to rely on or make use of Sun-Java, have you? Nope it is definitely a Java attack:
said by "http://securitywatch.eweek.com/mac_hacked_by_quicktime_bug_as_serious_as_ani.html" : As Matasano and Forslof said, one mitigation is to remove qtjava.jar, the Java extension that's automatically installed on Macs as part of a QuickTime library. Another option is to disable JavaScript entirely. TippingPoint wrote a filter for the vulnerability on Monday, so its IPS customers are already protected from the vulnerability.
-- We don't give a d@mn for the whole state of Michigan... we're from OHIO! O!H! ... I!O! |
|
  AB Premium join:2006-04-04 Leesburg, VA
2 edits | said by GILXA1226 :said by AB :This kind of brings us back around to this likely being a javascript thing, not a Sun-Java thing, doesn't it? The article would seem to indicate that the issue lies with Sun-Java & Quicktime. I've never known .mov files or the Quicktime player to rely on or make use of Sun-Java, have you? Nope it is definitely a Java attack: said by "http://securitywatch.eweek.com/mac_hacked_by_quicktime_bug_as_serious_as_ani.html" : As Matasano and Forslof said, one mitigation is to remove qtjava.jar, the Java extension that's automatically installed on Macs as part of a QuickTime library. Another option is to disable JavaScript entirely. TippingPoint wrote a filter for the vulnerability on Monday, so its IPS customers are already protected from the vulnerability.
Then I guess Quicktime does use Sun-Java. Thanks for the info. But as the vulnerability is mitigated by either removing a .jar file or by disabling javascript, it might seem that the javascripting is the initial means for malfeasance.
*Edit- And in fact, maybe the only means of infecting Windows? As you quoted, "remove qtjava.jar, the Java extension that's automatically installed on *Macs* as part of a QuickTime library." I don't have a 'qtjava.jar' file on my computer. I use Quicktime Alternative & JRE 1.6.1. So I guess Quicktime doesn't use Sun-Java on Windows. |
|
  GILXA1226 Premium,MVM join:2000-12-29 London, OH clubs:
| said by AB :said by GILXA1226 :said by AB :This kind of brings us back around to this likely being a javascript thing, not a Sun-Java thing, doesn't it? The article would seem to indicate that the issue lies with Sun-Java & Quicktime. I've never known .mov files or the Quicktime player to rely on or make use of Sun-Java, have you? Nope it is definitely a Java attack: said by "http://securitywatch.eweek.com/mac_hacked_by_quicktime_bug_as_serious_as_ani.html" : As Matasano and Forslof said, one mitigation is to remove qtjava.jar, the Java extension that's automatically installed on Macs as part of a QuickTime library. Another option is to disable JavaScript entirely. TippingPoint wrote a filter for the vulnerability on Monday, so its IPS customers are already protected from the vulnerability.
Then I guess Quicktime does use Sun-Java. Thanks for the info. But as the vulnerability is mitigated by either removing a .jar file or by disabling javascript, it might seem that the javascripting is the initial means for malfeasance. Javascript is probably only the means to activate the bug. It is not the bug itself, there is a difference. -- We don't give a d@mn for the whole state of Michigan... we're from OHIO! O!H! ... I!O! |
|
  AB Premium join:2006-04-04 Leesburg, VA
| said by GILXA1226 :Javascript is probably only the means to activate the bug. It is not the bug itself, there is a difference. I understand. Also, as I alluded to earlier, any site showing .mov files is going to want you to turn on javascripting anyway, as par for the course.
I rarely see .mov files anymore, anyway. Mostly Flash & .wmv. But I smell a new version of Quicktime Player in the next couple of weeks! |
|
 matunga
join:2003-07-26
2 edits | reply to AB said by AB :This kind of brings us back around to this likely being a javascript thing, not a Sun-Java thing, doesn't it? IT'S PLAIN HTML CODE. IT'S NOT JAVASCRIPT |
|
 daveinpoway Premium join:2006-07-03 Poway, CA | reply to Cudni Does anyone know if the QuickTime Alternative player is also affected by this? |
|
  Cudni La Merma - Vigilado Premium,MVM join:2003-12-20 Someshire | it was affected last time, it might as well be this time
Cudni |
|
  AB Premium join:2006-04-04 Leesburg, VA
| reply to matunga said by matunga :said by AB :This kind of brings us back around to this likely being a javascript thing, not a Sun-Java thing, doesn't it? IT'S PLAIN HTML CODE. IT'S NOT JAVASCRIPT If you're talking about the code you posted-- yes, I'm aware of that, thank you.
I'd like to know how a Quicktime player without a 'qtjava.jar' file, that doesn't use Sun-Java's application, is vulnerable to this? Unless javascript is in play. Which, from the two stories I read, nobody can say how it is, just that it might be, or something. Actually, nobody explaining this vulnerability seemed to have any real grasp on it, other than knowing it involved the qtjava.jar file-- something installed by default along with Quicktime on a Mac.
I don't use a Mac, I have no qtjava.jar file on my computer.
So either I'm not at risk, or the people reporting on this vulnerability don't have their facts straight yet. From the reporting, javascript doesn't even factor in-- other than someone recommending it be disabled. Why? Because they felt like they needed to give a recommendation, and sound like they knew what they were talking about? |
|