lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <4FE857BC.5070408@security-explorations.com>
Date: Mon, 25 Jun 2012 14:21:16 +0200
From: Security Explorations <contact@...urity-explorations.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: [SE-2012-01] Security weakness in Apple QuickTime
 Java extensions (details released)


Hello All,

Security Explorations decided to release technical details and accompanying
Proof of Concept code for a security vulnerability in Apple QuickTime 
software.
This move is made in a response to Apple's evaluation of a reported issue as
a "hardening issue" rather than a security bug [1].

Security Explorations does not agree with the results of Apple's evaluation.
It does not support the approach of a "silent fix" either [2].

A vulnerability that was reported to the company on Apr 12, 2012 allows to
bypass two security checks in Apple's code. That vulnerability (Issue 22)
leads to a serious violation of Java VM security. When combined with Issue
15 affecting Oracle's Java SE [3], it can lead to a complete compromise of
a Java VM environment on a fully patched Windows OS with latest Java SE
(1.6.0_33-b03) and Apple QuickTime (7.72.80.56) software installed.

The case of an attack against Apple QuickTime software illustrates a common
trend in attacks against technologies such as Java VM where more than one,
partial security bypass issue usually needs to be combined together to 
achieve
a complete security compromise. The more surprising it is to see a vendor's
response downplaying the importance of the issue found in its code that can
actually contribute to the full blown attack against the users of its 
software.

Security Explorations is publishing the following materials in a hope that a
wider public could conduct an independent evaluation of Apple QuickTime 
issue
and deliver an unbiased judgment of both companies claims:
- Short write-up presenting vulnerability details, its impact and a summary
   of vendor's response,
- Proof of Concept code for Issue 22.

Download links for the above-mentioned materials are provided below:

http://www.security-explorations.com/materials/se-2012-01-22.pdf
http://www.security-explorations.com/materials/se-2012-01-22.zip

Thank you.

Best Regards,
Adam Gowdiak

---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"
---------------------------------------------

References
[1] SE-2012-01 Vendors status
     http://www.securityexplorations.com/en/SE-2012-01-status.html
[2] About the security content of Java for OS X 2012-004 and Java for 
Mac OS X 10.6 Update 9
     http://support.apple.com/kb/HT5319
[3] SE-2012-01 Project, Security Vulnerabilities in Java SE
     http://www.securityexplorations.com/en/SE-2012-01-press.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ