Full Disclosure mailing list archives
Re: [SE-2012-01] Security weakness in Apple QuickTime Java extensions (details released)
From: Ramo <ramo () goodvikings com>
Date: Wed, 27 Jun 2012 07:00:31 +1000
The more surprising it is to see a vendor's response downplaying the importance of the issue found in its code that
can
actually contribute to the full blown attack against the users of its software.
This is apple you're talking about, are you really that surprised? Cheers Ramo On Jun 26, 2012 4:57 AM, "Security Explorations" < contact () security-explorations com> wrote:
Hello All, Security Explorations decided to release technical details and
accompanying
Proof of Concept code for a security vulnerability in Apple QuickTime software. This move is made in a response to Apple's evaluation of a reported issue
as
a "hardening issue" rather than a security bug [1]. Security Explorations does not agree with the results of Apple's
evaluation.
It does not support the approach of a "silent fix" either [2]. A vulnerability that was reported to the company on Apr 12, 2012 allows to bypass two security checks in Apple's code. That vulnerability (Issue 22) leads to a serious violation of Java VM security. When combined with Issue 15 affecting Oracle's Java SE [3], it can lead to a complete compromise of a Java VM environment on a fully patched Windows OS with latest Java SE (1.6.0_33-b03) and Apple QuickTime (7.72.80.56) software installed. The case of an attack against Apple QuickTime software illustrates a
common
trend in attacks against technologies such as Java VM where more than one, partial security bypass issue usually needs to be combined together to achieve a complete security compromise. The more surprising it is to see a
vendor's
response downplaying the importance of the issue found in its code that
can
actually contribute to the full blown attack against the users of its software. Security Explorations is publishing the following materials in a hope
that a
wider public could conduct an independent evaluation of Apple QuickTime issue and deliver an unbiased judgment of both companies claims: - Short write-up presenting vulnerability details, its impact and a
summary
of vendor's response, - Proof of Concept code for Issue 22. Download links for the above-mentioned materials are provided below: http://www.security-explorations.com/materials/se-2012-01-22.pdf http://www.security-explorations.com/materials/se-2012-01-22.zip Thank you. Best Regards, Adam Gowdiak --------------------------------------------- Security Explorations http://www.security-explorations.com "We bring security research to the new level" --------------------------------------------- References [1] SE-2012-01 Vendors status http://www.securityexplorations.com/en/SE-2012-01-status.html [2] About the security content of Java for OS X 2012-004 and Java for Mac OS X 10.6 Update 9 http://support.apple.com/kb/HT5319 [3] SE-2012-01 Project, Security Vulnerabilities in Java SE http://www.securityexplorations.com/en/SE-2012-01-press.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- [SE-2012-01] Security weakness in Apple QuickTime Java extensions (details released) Security Explorations (Jun 25)
- Re: [SE-2012-01] Security weakness in Apple QuickTime Java extensions (details released) Ramo (Jun 27)
- Re: [SE-2012-01] Security weakness in Apple QuickTime Java extensions (details released) Security Explorations (Jun 28)
- Re: [SE-2012-01] Security weakness in Apple QuickTime Java extensions (details released) Ramo (Jun 27)