30 August 2010

QuickTime found to be vulnerable to code-execution exploit

A researcher from Wintercore, a Spain-based security firm, discovered an unused parameter in the QuickTime media player that could be exploited to give attackers full control of a computer system. The attack has been found to work on computers running Windows XP, Vista and even Windows 7. Oddly, the parameter, “_Marshaled_pUnk”, is a variable that some unnamed Apple programmer most likely forgot to remove during the application’s development and testing phases, and it has been left in the program unknowingly since 2001. It was used by a function in previous versions of the application; the function was eventually removed, but this unused object pointer was left behind. It was found that this variable could be used as an attack vector to load malicious programs into memory and give attackers complete access to the computer.

Applications have contained so many errors of this type over the years that Microsoft finally took notice and built architecture to help minimize the damage of exploits that use them. Address Space Layout Randomization (ASLR), which randomizes where code is loaded into memory so that hackers have a difficult time predicting its location, and Data Execution Prevention (DEP), which prevents data loaded into memory from running without permission from the user, are prime examples of these efforts.

But even with these safeguards in place, researcher Ruben Santamarta was able to show that the system could still be compromised with the use of “Return Oriented Programming” (ROP) techniques. He used the WindowsLiveLogin.dll from Windows Live and created a script that eventually allowed him to take control of the computer system. The DLL provided him with enough information to know where in memory his code resided and ultimately helped him execute malicious code. He proved that the right combination of DLL file and the said parameter would leave the system open to attack.

Other DLL files that attackers could use for this kind of attack are also included by default when installing QuickTime. This calls attention to the fact that many programs like QuickTime still are not able to use new security architectures effectively or at all. Programmers and hackers have already started building a module that exploits this vulnerability. Exploit code for this vulnerability might be available as soon as tomorrow. Apple has yet to correct this error in its media player for Windows. QuickTime users, be warned!