Patched Apple QuickTime Vulnerability Details Disclosed

Researchers at Cisco Talos released details on a use-after-free vulnerability in Apple QuickTime that could lead to remote code execution.

Use-after-free vulnerabilities have nudged buffer overflows off their exclusive perch of serious bugs that hackers covet. They’ve been used in a number of targeted attacks, including some  high-profile nation-state attacks, and also were a motivation for Microsoft to implement UAF-specific mitigations in Internet Explorer and the Enhanced Mitigation Experience Tool (EMET).

On Tuesday, Apple patched a use-after-free vulnerability in its QuickTime media player that could have guaranteed an attacker remote code execution on the underlying system running the program.

Researchers at Cisco, shortly after the patch was released, disclosed technical details on the vulnerability. Cisco’s Talos team reported the bug to Apple on May 8.

Cisco said in its advisory that an attacker who has access to and control data inside an stbl atom in a .mov file can ultimately create a use-after-free condition and execute code on the compromised system. A QuickTime movie atom is a container that describes a movie’s data, according to Apple developer documentation. A sample table atom, for example, contains a number of atoms that parse samples in a particular order. Sample table atoms contain the vulnerable stbl atom type.

“An attacker who can control the data inside an stbl atom in a .MOV file can cause an undersized allocation which can lead to an out-of-bounds read,” Cisco researcher wrote in their advisory. “An attacker can use this to create a use-after-free scenario that could lead to remote code execution.”

Craig Williams, security outreach manager at Cisco, said the vulnerability was discovered  internally by the company’s Talos Vulnerability Research and Development Team and has not been exploited publicly.

“You would see this type of vulnerability used by attackers in spam campaigns, phishing or malvertising campaigns,” Williams said. “Any way where a user can be tricked into clicking on a link is how the vulnerability could be exploited.”

This bug seems ripe in particular for exploit via malvertising or drive-by download, similar to how a Flash zero-day is used in targeted attacks. Users are lured to a website hosting a malicious .mov file that exploits the bug, or the exploit litters advertising on a legitimate website.

Cisco explains the technical details behind the vulnerability and the conditions that must be in place to trigger the bug.

During this spring’s CanSecWest security conference in Vancouver, Cisco released a tool called FreeSentry that mitigates use-after-free bugs; FreeSentry is a plugin for the LLVM compiler. According to Bill Largent, one of the researchers who found the Apple bug, FreeSentry checks bounds in programs and notes where there could be code that runs out of bounds making it vulnerable to use-after-free conditions.

“Buffer overflows are easier to detect through automated testing and security tools,” Largent said. “Use-after-free vulnerabilities are difficult to detect. They’re not an obvious exploitable condition.”

Yesterday’s QuickTime patch was one of dozens released on Tuesday by Apple, patching bugs in OS X, iOS and the Safari browser. Apple iOS is now at version 8.4 and the latest update patched more than 30 vulnerabilities in the iOS kernel, WebKit and CoreText. The Logjam vulnerability was also patched Tuesday in iOS with a patch for the coreTLS system in the mobile OS.

Many of the same bugs were patched in OS X, including a number of memory issues leading to code execution, including the QuickTime patch.

Suggested articles