Researcher: QuickTime still at risk from MySpace bug

The QuickTime vulnerability that led to a widespread worm outbreak on MySpace.com last month could be exploited again, according to security researcher Aviv Raff , who has published software that illustrates his point.

Apple Computer Inc. issued a temporary patch for the problem last month, but on Wednesday Raff published proof-of-concept code showing how this bug could still be exploited in combination with other malicious software to run unauthorized software on a patched computer.

Apple created its patch after a worm spread through the MySpace community in early December, stealing MySpace log-in credentials and promoting adware Web sites. But rather than addressing the underlying problem, Apple's fix appears to simply block the MySpace worm code, Raff said. "Apple’s patch has no effect on this vulnerability," he said via instant message.

Users were infected by the MySpace worm when they played maliciously encoded .mov multimedia files.

The attack demonstrated by Raff is called a cross-zone scripting attack. It circumvents the "zone" security model that is used by Internet Explorer to limit the types of things Web-based software can do on a PC. "It potentially allows an attacker to execute arbitrary code on the user's machine," Raff said of the vulnerability.

Raff's proof-of-concept code shows how this cross-zone scripting attack could be used to run code on a Windows 2000 system running the Internet Explorer 6 browser. It was published as part of a monthlong effort to draw attention to security issues in Apple's products, called the Month of Apple Bugs.

Running malware on a victim's PC is a two-step process, however, and attackers would also need to exploit a second vulnerability in order to trick the browser into running their code.

Raff's code exploits a known bug in Microsoft's Management Console software, which was patched last August. But the attack could also be paired with code that takes advantage of an unpatched Windows vulnerability, making it a far more serious exploit, said Alyssa Myers, a virus research engineer with McAfee Inc. "It seems likely that this sort of thing could be used for a MySpace worm," she said. "Whether that actually ends up happening is anybody's guess."

When Apple created its QuickTime fix last month, it did not deliver the software directly to QuickTime users but instead took the unusual step of having MySpace link to the code.

Apple may have decided not to distribute this patch directly because it did not address the underlying problem, said Tim Erlin, risk assessment technology manager with nCircle Network Security Inc. "They didn't patch the whole thing," he said. "They reacted to the emergence of a worm on MySpace."

It will be hard for Apple to fix the underlying problem, researchers said, because the HREF Track QuickTime feature that is exploited in these attacks is used by a number of legitimate applications. These would be broken if Apple simply disabled the feature, Erlin said. "They can't simply pull it out," he said.

Apple is working on a "broader solution" to the QuickTime problem, a company spokesman said Thursday. He could not immediately comment on Raff's proof-of-concept code.