So a while back – Oracle decided to brag about how their database was ‘unbreakable’ in an ad campaign that came out around the time the Slammer worm had just finished giving SQL Server a huge black eye . . . they wasted no time kicking us while we were down. As a result of this bold advertising campaign security researchers pounced on the challenge to show that Oracle really isn’t any better and by the looks of things in the last 2 years (in terms of raw CVEs) – they’ve done a pretty good job exposing the fact that not only is Oracle not unbreakable – it’s not even as good as SQL (by a LONG shot). http://blogs.technet.com/security/archive/2006/11/27/microsoft-sql-vs-oracle-david-litchfield-comparison-paper.aspx.
I actually know some Oracle employees – and when I was teasing one of them about unbreakable last year in an email exchange – they were actually surprised that I thought it had anything to do with security! I guess in their minds it was all about ‘reliability’ . . . fault tolerance, clustering and such . . . they were shocked that someone would imply that it had anything to do with security. 🙂 I would argue that you can’t have ‘reliability’ without a secure product – but whatever. Oracle is still going with the ‘unbreakable’ theme and recently they’ve dressed up a penguin in a suit of armor . . . so I leave their intentions with this campaign as a thought exercise to the reader. To be fair – Oracle does seem to have finally (in 2006) gotten the security religion . . . last year they hired outside penetration testers to pound on their code . . . they are using automated code analysis software to look for low hanging fruit type of bugs (buffer overruns, integer wrap issues etc.), they are improving their security response process etc. etc. All positive signs that they ‘get it’ and are at least making an effort to catch up to their competition (i.e. us). 🙂
Someone once said – those who don’t learn from the past are doomed to repeat it. Case in point – Apple. Apple decided to launch an ad campaign that outright mocked the PC as a platform (and all that implies – i.e. Windows) as being inherently insecure and enticing users to switch . . . again – this has largely been seen as a challenge by the security researcher community – a highly competitive and motivated group of people and the amount of chatter about Apple security bugs among the researchers has reached unprecedented levels and has culminated in the January Month of Apple bugs. And the first one is a doozie . . . we’re talking about a remote, anonymous stack-based BO in an application almost everyone has installed . . . that’s remotely anonymously exploitable via a browser plug-in? Yikes. The same vulnerability is apparently present on both the OSX and the Windows versions of the affected software (QuickTime). Yikes again! And there are still 30 more days left in the month . . . and it doesn’t seem likely that the author is reporting these vulnerabilities to Apple or giving them any advance notification. All I can say is ‘been there, done that’.
I actually feel bad for Apple . . . we here working in security response all know what it’s like when this happens and wouldn’t wish it upon any vendor as we firmly believe in responsible disclosure and not needlessly putting users of any software at risk. It seems very likely that this exploit will be used in short order to start making money by those in the underground economy who make a living stealing your money and that makes me sad.
Finally – I realized when reading about this Apple bug that I didn’t have QuickTime installed yet on my main Vista box . . . so I went to www.quicktime.com and was prompted to elevate to install it . . . I allowed it to elevate and then I got the IE add-ons install wizard thing and allowed it to install the QuickTime ActiveX stuff . . . I chose to install the rather svelte 18MB package without iTunes (I kid) and was prompted to install version 184.108.40.206 today which seems to be an affected version . . . my goal in installing this software was to see if the QuickTime AX control is allowed to run in IE7 by default without prompting or if I will get prompted to run the control when visiting a site that makes use of the control. (NOTE: Sadly the MSI file to install QuickTime prompted me twice to run un-signed software from an unknown publisher during the install . . . grrrr). Sadly after the install I went to IE7’s ‘Manage Add-ons’ applet and chose to filter by ‘Add-ons that run without requiring permission’ (i.e. ActiveX controls that don’t prompt you to run them via the gold bar in IE) and QuickTime is listed as one such add-on. The add-on allowed to run is QTPlugin.ocx. I haven’t looked into this beyond the time it took me to install QuickTime but it looks like some workarounds offered up would be to disable the RTSP protocol handler in the registry (i.e. remove it, ACL it etc.) or you may be able to just use the IE ‘Manage Add-ons’ UI to disable the ActiveX until Apple can offer a fixed version . . . that is assuming you can even get to the vulnerable code via the aforementioned OCX. I guess we’ll find out shortly . . .
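
An audit of the two workarounds mentioned above, as an added example that is not part of the original post: it reports what handles `rtsp://` and whether the IE kill bit is set for any COM class served by QTPlugin.ocx, and changes nothing unless run elevated with `-Apply`. The kill bit is the machine-wide counterpart of disabling the control in ‘Manage Add-ons’, not that UI setting itself. Assumptions: the backup file location is arbitrary, and a 32-bit control on 64-bit Windows is only visible from a 32-bit PowerShell session.

```powershell
# Added example (not from the original post). Read-only unless -Apply is given.
param([switch]$Apply)

# HKCR is not mounted as a PowerShell drive by default.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

# Workaround 1: the rtsp:// URL protocol handler registration.
$rtspKey = 'HKCR:\rtsp'
$cmdKey  = Join-Path $rtspKey 'shell\open\command'
if (Test-Path $cmdKey) {
    $handler = (Get-Item $cmdKey).GetValue('')
    Write-Output "rtsp:// is handled by: $handler"
    if ($Apply) {
        # Back up first so the handler can be restored once a fixed version ships.
        $backup = Join-Path $env:TEMP 'rtsp-handler-backup.reg'   # assumed location
        & reg.exe export 'HKCR\rtsp' $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'Backup failed; rtsp handler left in place.' }
        Remove-Item -Path $rtspKey -Recurse
        Write-Output "rtsp handler removed; backup at $backup"
    }
} else {
    Write-Output 'No rtsp:// protocol handler registered.'
}

# Workaround 2: find every COM class served by QTPlugin.ocx and check its kill bit.
$killRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$clsids = Get-ChildItem 'HKCR:\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
    try { $sub = $_.OpenSubKey('InprocServer32') } catch { $sub = $null }
    if ($sub) {
        $dll = [string]$sub.GetValue('')
        $sub.Close()
        if ($dll -like '*QTPlugin.ocx*') { $_.PSChildName }
    }
}
foreach ($clsid in $clsids) {
    $key   = Join-Path $killRoot $clsid
    $flags = 0
    if (Test-Path $key) { $flags = [int](Get-Item $key).GetValue('Compatibility Flags', 0) }
    $killed = ($flags -band 0x400) -ne 0      # 0x400 is the kill bit
    Write-Output "$clsid kill bit set: $killed"
    if ($Apply -and -not $killed) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
            -Value ($flags -bor 0x400) -Force | Out-Null
    }
}
```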