Ruben Santamarta, a Spanish security researcher from Wintercore, published an article detailing a new vulnerability he's uncovered in Apple's QuickTime software. The beauty of this flaw is two-fold: it can bypass both ASLR and DEP in XP, Windows 7, and Vista so as to give an attacker complete control of a PC, and the bug seems to be the result of a small bit of code that was accidentally left in older versions of QuickTime. According to Santamarta, this isn't purposely malicious code, "..but a horrible trick a developer implemented during the development cycle."
Like all good exploits, the vulnerability can be run remotely from visiting a malicious Web site, and is made possible through something called a "heap-spraying technique". Santamarta's exploit involves creating a fake pointer in memory as part of the heap-spraying technique.
"I'm taking advantage of common code generated by c++ compilers to control parameters and execution. The gadgets come from Windows Live messenger DLLs that are loaded by default on IE and have no ASLR flag," Santamarta writes.
In his explanation of the details of the vulnerability and the exploit for it, Santamarta said he believes the parameter at the heart of the problem was, for whatever reason, just not removed from older versions of the QuickTime code.
Santamarta has passed the exploit code to the Metasploit Project, and it's expected that there will be a Metasploit module available for this attack soon. HD Moore, founder of the Metasploit Project, commented that "The QuickTime plugin is widely installed and exploitable through IE; ASLR and DEP are not effective in this case and we will likely see this in the wild."
We'd be first in line to update our QuickTime software, except that there is no fix available yet, and given the (lack of) speed that Apple fixes flaws like this, there may not be one for quite some time.