No announcement yet.

Legacy apps on Win7 don't use ASLR/DEP (QuickTime vulnerable even on Win7)

  • Filter
  • Time
  • Show
Clear All
new posts

  • Legacy apps on Win7 don't use ASLR/DEP (QuickTime vulnerable even on Win7)

    A code execution vulnerability was recently discovered on QuickTime in an obscure, 10-year-old, no-longer used function which shouldn't have ever made it into a production release. Especially interesting though is that QuickTime thwarts some of the mechanisms added to Windows 7 to stop just this class of vunerability:

    ASLR, or address space layout randomization, for instance, loaded code into memory locations that attackers can't predict, while DEP, or data execution prevention, prevented any code that does get loaded from being executed.

    But in a stroke of efficiency, Santamarta figured out how to repurpose code in a common Windows file to bypass the protections. Using a technique known as ROP, short for return oriented programming, he was able to load a Windows Live file known as WindowsLiveLogin.dll into memory and reorder the commands in a way that allowed him to take control of the underlying computer. Using the Microsoft DLL not only allowed him to know where in memory it would load, it also allowed him to get the code executed.

    Santamarta said the parameter was present in a QuickTime version dating back to 2001, when it could be used to draw contents into an existing window instead of creating a new one. The functionality was eventually removed from newer versions but the line lived on. Combined with an unrandomized DLL like the one for Windows Live, it represents a serious threat to end users.

    The attack has been confirmed on the XP, Vista, and 7 versions of Windows, Santamarta said.

    In addition to demonstrating the importance of regular code reviews to identify extraneous parameters, the exploit underscores the threat that comes from programs that fail to use the ASLR and DEP protections baked into more recent versions of Windows. A surprisingly large number of popular applications — including Quicktime, Foxit Reader, Google Picasa,, RealPlayer, and VLC Player — all neglect to use one or the other, a recent review by Secunia found.
    It seems these mechanisms aren't being properly leveraged by a bunch of legacy applications, leaving a user vulnerable when really they shouldn't be.

    Perhaps someone (Microsoft would be a good candidate) can give some sort of security certification to apps that use both ASLR and DEP. That's about the best I can think of.
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B0
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B1
    [ redacted ]