Re: [SE-2012-01] Security weakness in Apple QuickTime Java extensions (details released)

[Ramo <ramo () goodvikings com>]

> The more surprising it is to see a vendor's
> response downplaying the importance of the issue found in its code that
can
> actually contribute to the full blown attack against the users of its
> software.

This is apple you're talking about, are you really that surprised?

Cheers

Ramo

On Jun 26, 2012 4:57 AM, "Security Explorations" <
contact () security-explorations com> wrote:
> Hello All,
>
> Security Explorations decided to release technical details and
accompanying
> Proof of Concept code for a security vulnerability in Apple QuickTime
> software.
> This move is made in a response to Apple's evaluation of a reported issue
as
> a "hardening issue" rather than a security bug [1].
>
> Security Explorations does not agree with the results of Apple's
evaluation.
> It does not support the approach of a "silent fix" either [2].
>
> A vulnerability that was reported to the company on Apr 12, 2012 allows to
> bypass two security checks in Apple's code. That vulnerability (Issue 22)
> leads to a serious violation of Java VM security. When combined with Issue
> 15 affecting Oracle's Java SE [3], it can lead to a complete compromise of
> a Java VM environment on a fully patched Windows OS with latest Java SE
> (1.6.0_33-b03) and Apple QuickTime (7.72.80.56) software installed.
>
> The case of an attack against Apple QuickTime software illustrates a
common
> trend in attacks against technologies such as Java VM where more than one,
> partial security bypass issue usually needs to be combined together to
> achieve
> a complete security compromise. The more surprising it is to see a
vendor's
> response downplaying the importance of the issue found in its code that
can
> actually contribute to the full blown attack against the users of its
> software.
>
> Security Explorations is publishing the following materials in a hope
that a
> wider public could conduct an independent evaluation of Apple QuickTime
> issue
> and deliver an unbiased judgment of both companies claims:
> - Short write-up presenting vulnerability details, its impact and a
summary
>   of vendor's response,
> - Proof of Concept code for Issue 22.
>
> Download links for the above-mentioned materials are provided below:
>
> http://www.security-explorations.com/materials/se-2012-01-22.pdf
> http://www.security-explorations.com/materials/se-2012-01-22.zip
>
> Thank you.
>
> Best Regards,
> Adam Gowdiak
>
> ---------------------------------------------
> Security Explorations
> http://www.security-explorations.com
> "We bring security research to the new level"
> ---------------------------------------------
>
> References
> [1] SE-2012-01 Vendors status
>     http://www.securityexplorations.com/en/SE-2012-01-status.html
> [2] About the security content of Java for OS X 2012-004 and Java for
> Mac OS X 10.6 Update 9
>     http://support.apple.com/kb/HT5319
> [3] SE-2012-01 Project, Security Vulnerabilities in Java SE
>     http://www.securityexplorations.com/en/SE-2012-01-press.html
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/