SECURITY

Media Player Exploits: New Vectors, New Threats

New attack vectors for vulnerabilities in QuickTime and WMP surfaced last week. The QuickTime vulnerability allows scripting to run with full user rights without the user's knowledge. The other vulnerability allows hackers to insert code that tricks the Windows Media Player into opening a Windows Internet Explorer browser, regardless of the user's preference for a default Web browser.


Two separate exploits involving the Apple (Nasdaq: AAPL) QuickTime and the Microsoft (Nasdaq: MSFT) Windows Media players could continue to plague computer users regardless of which Web browser is installed as the default on a computer system.

So far, the only browser developer to announce a patch for this vulnerability is Mozilla, which posted a patch to its open source Firefox Web browser last week. The Apple QuickTime vulnerability, now one year old, poses new risks because Apple has yet to fully patch it, warn some security experts.

New attack vectors for both vulnerabilities surfaced last week. The QuickTime vulnerability allows scripting to run with full user rights without the user's knowledge. The other vulnerability allows hackers to insert code that tricks the Windows Media Player into opening a Windows Internet Explorer browser, regardless of the user's preference for a default Web browser.

The Firefox user -- in addition to users of other alternative browsers -- may be especially at risk because Microsoft IE makes the system running other browsers vulnerable to issues associated with IE. The QuickTime vulnerability allows a hacker to gain remote access to a computer to control it, install malicious software or steal personal data.

"The QuickTime exploit fits well into the Web 2.0 environment. It fools surfers into clicking on a link to introduce the code. Many Windows users do not know that they are exposed. If they download iTunes, the software automatically places a copy of QuickTime on the computer to play the Apple music files," Paul Henry, vice president of technology evangelism at Secure Computing, told TechNewsWorld.

New Proof of Concept

The Windows Media Player vulnerability can be used by hackers to phish for user credentials in a Windows environment, according to Henry, who said he tested the proof of concept (POC) code himself to confirm that it works on the Windows operating system but not on the Linux or Apple OS X platforms.

A hacker found a way to use an attack vector in combination with Firefox, so hackers can gain access to a level of trust, giving them administrative rights. The POC code can be downloaded here.

"It's amazing that hackers released the new POC on the one-year anniversary of the original QuickTime vulnerability," Henry said, referring to an exploit that surfaced a year ago from last week.

No Browser Safe

Hackers can very easily put some HTML code inside files supported by Windows Media Player. These files run in the less restrictive IE environment, according to details provided by Secure Computing's research team.

They found that a fully patched Windows XP system running SP2 with IE6 or IE7 and Windows Media Player 9 will open any page in IE, even if the user's default browser is Firefox, Opera or any other installed browser. This means that even when running other browsers that are more secure, all a user has to do is open a media file to expose the computer to all IE vulnerabilities.

Researchers found that hackers could easily fake the Windows logout/login sequence and phish unaware users' credentials. Users running Media Player 11 as the Windows Vista default media player are not exposed to these attacks.

Critical QuickTime Exploit

Last September, a person known as "pdp" discovered that QuickTime link files can contain script code that would be executed by the browser within the regular, unprivileged Internet security zone. This one would allow for XSS (cross-site scripting) attacks, but nothing more, Christoph Alme, Secure Computing's anti-malware team lead, wrote to team researchers.

This September, the same person revealed that QuickTime link files can contain script code in a way that would be executed by the browser at the highest possible privileges, rather than at unprivileged levels, as in September 2006, Alme told his team. This means the vulnerability now allows any executable to launch locally.

A script running within the regular Internet security zone does not have such permissions. The QuickTime vulnerability is a privilege escalation vulnerability, unlike the September 2006 issue, Alme noted.

"Given the prominence of Web 2.0 applications, any user can now easily insert a URL into a social Web site or blog. It is highly likely that this exploit will gain in prominence," Henry warned. "The risk of a casual user downloading a rootkit and becoming part of a spam botnet, or perhaps becoming a victim of identity theft with the downloading of a keylogger, is greatly increased with the latest version of this exploit."

Apple Faulted

Security experts were quick to point a finger at Apple for the worsening QuickTime vulnerability. They fault the perceived air of secrecy that typically envelops Apple security issues.

"Apple ignored warnings about this last year and allowed scripting without user intervention. Somewhere along the line, everyone at Apple missed the boat on this vulnerability. They had no level of understanding about how widespread this could become," Randy Abrams, director of technology education for anti-spyware software firm ESET, told TechNewsWorld.

All Apple does is issue bug fixes, Abrams asserted, adding that Apple does not have the degree of transparency that Microsoft has. The company gives no details about what bugs are being fixed, showing little consideration for the customer, he said.

"Apple is about 12 years behind Microsoft in patch controls. Apple says it has patched the original vulnerability, but there is no proof of this," said Abrams.

Patching Incomplete

That sentiment was also expressed by Danny Allan, director of security research for online risk management software firm Watchfire.

"The problem is around today because Apple did not fully patch the original vulnerabilities. There were two, but only one got patched," he told TechNewsWorld.

Users cannot do anything to protect themselves from these and other vulnerabilities other than keeping program patching current, he said. The client application is at the mercy of vendors to release patches.

Even with the patch to Firefox that Mozilla issued last week to version 2.0.0.7, the vulnerability is still there in QuickTime, warned Allan. Firefox added a mitigation to lessen the chance of being affected by the vulnerability.

"To fully solve the problem it needs a patch from Apple to patch the attack vector," Allan said.

More by Jack M. Germain
