http://www.kb.cert.org/vuls/id/442497
Note that since QuickTime is a component of Apple iTunes, iTunes installations are also affected by this vulnerability
I'm gonna post some comments & ideas I have after reading: US-CERT Alert http://www.kb.cert.org/vuls/id/442497 (http://www.kb.cert.org/vuls/id/442497)
First let me say that the description of the vulnerability they give, and from the link that Stealthzone posted is in such geek speak, it is truly difficult to determine what temporary change(s) make sense to a user, short of uninstalling the affected software.
What I *think* I read is most risky is a QT file playing thru your browser, by following a link, or surfing to a website that automatically opens a QT file? Therefore files saved on your HD and played thru a QT Player are not affected? And I am not even including questions at to what happens in the case of ITunes, because I don't have it installed.
Rather than an explanation of the vulnerability, I am looking at these "workarounds," noting I just loaded the latest QT version 7.1.3 not too long ago, which is identified as affected. It would be helpful if someone could confirm whether these "ideas" I have correspond with the US-CERT recommendations. I haven't quoted all of them, and have divided them by browser setting changes we all can make for ourselves, and then reverse, when a patch, or solution is available. Maybe others have better ways. I want QT for when I want it (not too often), but until this gets sorted, it doesn't make sense not to change *some settings* at least.
From US-CERT on Apple Quicktime Vulnerability:
QuoteWe are unaware of a solution to this problem. Until a solution becomes available the following workarounds are strongly encouraged:
Disable the QuickTime ActiveX controls in Internet Explorer
The vulnerable QuickTime ActiveX controls can be disabled in Internet Explorer by setting the kill bit for the following CLSIDs:
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
{4063BE15-3B08-470D-A0D5-B37161CFFD69}
A: For Internet Explorer...Can't we accomplish the above by using SpywareBlaster? Seems easier to reverse and no registry edits involved??
Idea #1 Open SpywareBlaster>Tool>Custom Blocking
Clk Add>Type Apple QuickTime Active X ( I just guessed at what to call it)
choose OK
For the next box that pops up, select {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} using Ctrl-C, then Ctrl-V to paste
choose OK
Repeat above for the second CLSID, {4063BE15-3B08-470D-A0D5-B37161CFFD69}
Then checkmark both boxes, and Clk "Protect Against Checked Items"
QuoteDisable file association for QuickTime files
Disable the file association for QuickTime file types to help prevent windows applications from using Apple QuickTime to open QuickTime files. This can be accomplished by deleting the following registry keys:...
Idea #2 Wouldn't another way be to open Quicktime>Edit>Preferences>File Types and UNCHECK all types associated with QT?
QuoteThe Advanced tab contains settings used by all zones. The settings contained in the Multimedia section have features that you can adjust to protect against some potential vulnerabilities. For instance, attackers may be able to track your usage or exploit the software you use to play multimedia data. We recommend disabling the options to play sounds and videos:
Idea #3 I have no alternate idea...this option *feels pretty global* and drastic, but if a person was concerned about others or kids using the computer, it is a nice option to be reminded of until this issue is resolved maybe.
and then I have this other browser...
B: For Firefox...QuoteUsers of Mozilla-based browsers, such as Firefox can disable the QuickTime plugin, as specified in the PluginDoc article Uninstalling Plugins.
Idea #1 Instead of uninstalling a plugin for QT, couldn't I lock down the behavior in FF by going to Tools>Options>Content>Files Types>Manage>Change Action>and de-selecting use this plug-in (for any QT ones) choose Save To Disc instead? At which point I would assume I would get a prompt somewhere about allowing a download which I could accept or reject, but more importantly, nothing would be automatically triggered thru Firefox to play a QT file?
In the meanwhile, I am going to test this SpywareBlaster Custom Block idea of mine.
cert offers two types of alerts
one for "normal" people and one for tech types
i sign up for both ;-D that is why that link !
i would be worried about ANY qt file unless it is from a known good site !
it does look like they are saying you could get some bad active X and url stuff ( firefox) hidden in a qt file
so if you are making them with a digital camera you would be ok, but i sure would think twice ( maybe even 3 times) before i downloaded anything from the net for a while ;-D
yes you can kill the file association in ff and then select "save to disk" but i would write down the file path before i removed it!
( in options/mail it ask where you want to save all downloads to
in windows i have a folder called "downloads" that i use and on linux i just use the desktop
in linux it is a bit of a pain to create that path again and not too easy in windows if i remember right
Thnx Mitch for the reply, and especially this reminder, "but i would write down the file path before i removed it!"
I've found in the past I've made settings changes as a temp workaround, and then forgot what I changed :smash: So I've now created a new folder called Temp Workarounds, and then using Notepad describing what change I made. Then saved the txt file w/ a date in the title, 30 days from when I created it. I'll have a record of the change, and maybe some visual reminder, for checking to see if a patch or version change was released.
As far as my test, which is more an exercise of trying to learn how to use the setting changes to "deal" with these temporary workarounds, my idea w/ SpywareBlaster CustomBlock above didn't work on the 3 QT files I viewed thru IE. I know SB Custom Block works, so it's more an issue of my not understanding all these QT file types I guess.
In the meantime, I have continued reading and found 2 additional links which provide more information addressing this Quicktime vulnerability.
http://blog.washingtonpost.com/securityfix/2007/01/quicktime_flaw_kicks_off_month_1.html (http://blog.washingtonpost.com/securityfix/2007/01/quicktime_flaw_kicks_off_month_1.html)
"...LMH said the Windows and Mac QuickTime Version 7.1.3 and the Player Version 7.1.3 are vulnerable, and that earlier versions also are likely to be vulnerable. QuickTime users can mitigate the threat from this bug by not opening links that begin with "rtsp://" or by disabling the display of streaming files in QuickTime...For Windows users of the most current QuickTime version, click on "Edit," then 'Preferences," and then "QuickTime Preferences". Click on the "File Types" tab, and then on the plus sign next to "Streaming - Streaming Movies" and uncheck the box next to "RSTP stream descriptor".
More here with screen shots:
http://isc.sans.org/diary.html?storyid=1993 (http://isc.sans.org/diary.html?storyid=1993)