Apple toughens up QuickTime
Only last week, Apple had to patch eleven security vulnerabilities in its QuickTime multimedia software. Quoting "reliable sources", US media now report that Apple also took a number of additional steps in version 7.4.5 to make it harder for vulnerabilities to be exploited.
Microsoft uses Address Space Layout Randomization (ASLR) in Windows Vista to load libraries at more or less arbitrary addresses. Malicious code injected by way of a security flaw then has a harder time finding the static address it needs than on previous versions of Windows (for instance in return-to-libc attacks). Such techniques have long been available in UNIX operating systems such as BSD and Linux (PaX), and Mac OS X has also had such a mechanism since version 10.5. Apple has now integrated ASLR support into QuickTime, so that its libraries are no longer loaded at static addresses.
Apple compiled QuickTime with the /GS buffer security check, which detects buffer overflows by means of special cookies placed on the stack. Apple also reportedly enabled hardware No-Execute (NX) protection on Windows Vista. Apple has implemented these mechanisms not only in QuickTime for Windows but also in QuickTime for Mac OS X; the GCC -fstack-protector flag, for instance, performs the equivalent check of the stack.
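To make the stack-cookie mechanism mentioned above concrete, here is an added example that is not code from the original article, from Apple or from any compiler runtime: it simulates a /GS or -fstack-protector frame as a byte array with a hypothetical fixed cookie value, performs an unchecked copy into a local buffer, and then runs the epilogue check that the compiler would emit before the function returns.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed frame layout, low address first: local buffer, then the
 * security cookie, then the slot holding the saved return address.
 * /GS and -fstack-protector order real frames the same way, so a
 * sequential overflow of the buffer must hit the cookie before it can
 * reach the return address. */
#define BUF_LEN     16
#define COOKIE_OFF  BUF_LEN
#define RET_OFF     (COOKIE_OFF + sizeof(uint64_t))
#define FRAME_LEN   (RET_OFF + sizeof(uint64_t))

/* Hypothetical process-wide cookie; the real one is randomized at
 * process start (__security_cookie on MSVC, __stack_chk_guard on GCC). */
static const uint64_t g_security_cookie = 0xC0FFEE1234ABCDEFULL;

/* Copies n bytes into a 16-byte local buffer without checking n against
 * BUF_LEN (the classic defect), then performs the cookie check the
 * compiler inserts into the epilogue. Returns 0 when the cookie is
 * intact and 1 when an overflow clobbered it. */
int copy_with_cookie(const void *src, size_t n)
{
    unsigned char frame[FRAME_LEN];
    const uint64_t saved_ret = 0x0000000000401000ULL; /* constructed */

    /* Prologue: cookie stored between the locals and the return address. */
    memcpy(frame + COOKIE_OFF, &g_security_cookie, sizeof g_security_cookie);
    memcpy(frame + RET_OFF, &saved_ret, sizeof saved_ret);

    /* The copy is capped at the simulated frame size only so that this
     * demonstration stays within defined behaviour; the buffer itself is
     * never checked, so anything above 16 bytes overwrites the cookie. */
    if (n > FRAME_LEN) n = FRAME_LEN;
    memcpy(frame, src, n);

    /* Epilogue: equivalent of __security_check_cookie / __stack_chk_fail.
     * A mismatch means the frame was overwritten and the saved return
     * address cannot be trusted; the real runtime aborts at this point. */
    uint64_t cookie_now;
    memcpy(&cookie_now, frame + COOKIE_OFF, sizeof cookie_now);
    return cookie_now == g_security_cookie ? 0 : 1;
}

int main(void)
{
    printf("8-byte input:  %d\n", copy_with_cookie("AAAAAAAA", 8));
    printf("32-byte input: %d\n", copy_with_cookie("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", 32));
    return 0;
}
```

The check only fires for overflows that run sequentially through the cookie, which is why the article stresses that such mechanisms raise the bar for exploitation rather than removing the underlying flaw.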
It is currently not clear why Apple waited until now to implement these mechanisms. Since the end of 2005, Microsoft has been recommending its Security Development Lifecycle (SDL), which explicitly calls for the use of /GS for stack protection in addition to the usual planning and review phases. While these efforts to make QuickTime more secure are praiseworthy, they only make security flaws harder to exploit rather than eliminating them. Information about how to circumvent these mechanisms is already circulating on the internet.