QuickTime 0day for Vista and XP

April 25, 2008 – 5:18 PM

A remote vulnerability exists in the QuickTime player for Windows XP and Vista (latest service packs). Other versions are believed to be affected as well. For now, no details will be released regarding the method of exploitation.

Because we are an information security think tank and because we encounter some very interesting vulnerabilities in our work, we often share our findings with the masses in order to give something back to the community. It is good to take but it is even better when you give. Unfortunately, the situation in UK is changing and we, as whitehat hackers, have to adjust to these changes. Therefore, we have been experimenting with a number of disclosure methods in the past couple of months. We’ve tried everything, from full-disclosure to partial-disclosure, private-disclosure and no disclosure at all. Now is time to move to something totally different and if we find it working for us, we will share the secret with you for the better of the community. Please bare with us. This is just one of our social experiments.

A remote vulnerability exists in the QuickTime player for Windows XP and Vista (latest service packs). An attacker could exploit the vulnerability by constructing a specially crafted QuickTime supported media file that allows remote code execution if a user visited a malicious Web site, opened a specially crafted attachment in e-mail or opened a maliciously crafted media file from the desktop.

If a user is logged on with administrative privalages, the attacker could take complete control of an affected system. An attacker could then install malicious programs, view, change, delete sensitive data, or create new accounts with full user rights. Users who are logged on with less privileged account could be less impacted than users who operate with administrative user rights.

The vulnerability was successfully tested in Windows XP SP2 and Windows Vista SP1 environments. Other versions are believed to be exploitable as well. The vulnerability is currently held private. The GNUCITIZEN team is following responsible disclosure practices. Therefore, the vulnerability details will be privately disclosed to the vendor in a short period of time. This advisory is meant to inform the public and raise the consumer’s awareness.

The video above demonstrates the issue on Windows Vista and Windows XP. The Windows Vista demo is rather slow because it runs from a 512MB VMWare station.

Source: GNUCITIZEN