Archive for the ‘Security Tools’ Category

I feel fuzzy

Thursday, June 12th, 2008

Apple just released an update for QuickTime, no surprise there. Doing some digging, I found the five security issues patched:

Playing maliciously crafted QuickTime content in QuickTime Player may lead to arbitrary code execution

Viewing maliciously crafted Indeo video media content may lead to an unexpected application termination or arbitrary code execution

Opening a maliciously crafted PICT image file may lead to an unexpected application termination or arbitrary code execution

Opening a maliciously crafted AAC-encoded media content may lead to an unexpected application termination or arbitrary code execution

Opening a maliciously crafted PICT image file may lead to an unexpected application termination or arbitrary code execution

Five vulnerabilities, all in how a variety of media formats (video, audio, and picture) are parsed. This tells me two things pretty much immediately: 1) Apple does not do a great deal of fuzz testing on their formats, but researchers are happy to do so for them, and 2) if I do fuzz testing on QuickTime myself I will probably find something exploitable as well.

Fuzzing is a horribly brute-force method for security testing. It requires a lot of work to wire things up to adequately monitor an application (you want to see memory spikes, process spikes, and all of the myriad of crashes) and to automate the loading of media. Regardless, it is very effective at breaking parsing and validation code. Microsoft requires 100,000 iterations on all parsed formats. For complex formats (office docs, media files), they basically never stop. Apple would be well served by doing the same (or by caring about security at all).

Fuzzing is also applicable to web apps. They process an immense amount of data from end users, and other than the specific known attacks tried by pen testers, most companies don't seem to test for malformed input at all. The problem is that it is very hard to detect where and why something failed when fuzzing a remote machine. It would be nice to see a good distributed testing harness that can monitor the application state on the server and produce decent debugging logs.
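The two posts above describe the shape of a fuzz run without showing one: mutate a valid file, feed it to the parser, watch for failures, and keep the inputs that reproduce them. The harness below is an added example, not code from the original post or from any vendor's tooling. It targets a toy chunked "media" format constructed for the example (a length-prefixed record layout with one typed record), whose parser validates lengths but trusts the declared size in one branch; the harness distinguishes the parser's own graceful rejections (`ValueError`) from unhandled failures, buckets the failures by exception type and raising line so thousands of inputs collapse into a few distinct bugs, and re-runs each saved input to confirm it replays. All names (`parse_chunks`, `mutate`, `fuzz`, `reproduces`) and the format itself are assumptions made for the example.

```python
import random
import struct
import traceback
from collections import defaultdict

# --- Target under test (constructed for this example) -----------------------
# Toy "chunked media" format: a file is a sequence of records laid out as
# [4-byte big-endian payload length][1-byte record type][payload].
# Type 0x01 is a "dimensions" record whose payload is two 16-bit integers.
# The parser validates lengths with ValueError, but the dimensions branch
# trusts the declared length, so a short type-0x01 payload escapes as a
# struct.error: exactly the kind of defect a fuzzer exists to surface.
def parse_chunks(data: bytes) -> list:
    records, pos = [], 0
    while pos < len(data):
        if pos + 5 > len(data):
            raise ValueError(f"truncated record header at offset {pos}")
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        rtype = data[pos + 4]
        payload = data[pos + 5:pos + 5 + length]
        if len(payload) != length:
            raise ValueError(f"declared length {length} exceeds file size")
        if rtype == 0x01:
            width, height = struct.unpack(">HH", payload[:4])  # unchecked: payload may be < 4 bytes
            records.append(("dim", width, height))
        else:
            records.append(("raw", rtype, payload))
        pos += 5 + length
    return records


def make_record(rtype: int, payload: bytes) -> bytes:
    return struct.pack(">I", len(payload)) + bytes([rtype]) + payload

# A well-formed seed file: one dimensions record and one opaque record.
SEED = make_record(0x01, struct.pack(">HH", 640, 480)) + make_record(0x02, b"hello")


# --- Mutation engine --------------------------------------------------------
def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation from the strategies that break parsers most often."""
    data = bytearray(seed)
    strategy = rng.choice(["bitflip", "magic_byte", "length_field", "truncate", "insert"])
    if strategy == "bitflip" and data:
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif strategy == "magic_byte" and data:
        data[rng.randrange(len(data))] = rng.choice([0x00, 0x7F, 0x80, 0xFF])
    elif strategy == "length_field" and len(data) >= 4:
        # Overwrite 4 bytes at a random offset with a boundary value; when the
        # offset lands on a length field this is the classic parser breaker.
        i = rng.randrange(len(data) - 3)
        data[i:i + 4] = struct.pack(">I", rng.choice([0, 1, 0x7FFFFFFF, 0xFFFFFFFF]))
    elif strategy == "truncate" and data:
        del data[rng.randrange(len(data)):]
    elif strategy == "insert":
        i = rng.randrange(len(data) + 1)
        data[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(data)


# --- Harness: run, classify, bucket ----------------------------------------
def fuzz(parser, seeds, iterations=2000, rng_seed=1):
    """Return (stats, crashes). A crash is any exception other than the parser's
    own ValueError rejections, bucketed by (exception, function, line)."""
    rng = random.Random(rng_seed)
    stats = {"ok": 0, "rejected": 0, "crash": 0}
    crashes = defaultdict(list)   # bucket -> reproducing inputs
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        try:
            parser(case)
            stats["ok"] += 1
        except ValueError:
            stats["rejected"] += 1          # graceful rejection: the parser did its job
        except Exception as exc:            # anything else is an unhandled failure
            stats["crash"] += 1
            frame = traceback.extract_tb(exc.__traceback__)[-1]
            bucket = (f"{type(exc).__module__}.{type(exc).__name__}", frame.name, frame.lineno)
            crashes[bucket].append(case)
    return stats, dict(crashes)


def reproduces(parser, case: bytes) -> bool:
    """Re-run a saved input on its own; a crash that does not replay is noise, not a bug."""
    try:
        parser(case)
    except ValueError:
        return False
    except Exception:
        return True
    return False


if __name__ == "__main__":
    stats, crashes = fuzz(parse_chunks, [SEED])
    print(stats)
    for bucket, cases in crashes.items():
        print(bucket, "x", len(cases), "e.g.", cases[0].hex())
```

Against a real media player the target is a separate process, so the "crash" branch becomes a subprocess wrapper that checks for a signal exit code, a hung timeout, or a memory ceiling being hit; the bucketing and replay logic stays the same. Note that the harness counts ValueError as success: the parser rejecting garbage cleanly is the behaviour you want, and only exceptions the parser never intended to raise are reported.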

~ Joshbw

Visio, not just for flowcharts

Wednesday, February 20th, 2008

I don’t have reason to use Visio very often, pretty much restricting it to creating a flowchart to dump into Word or PowerPoint or when creating models during Threat Modeling.  I use it on average maybe once every two months or so; obviously I am not a Visio expert by any means but I suspect most people in a similar position to me are much the same way.

Thus it came as a bit of a surprise when I found out it can create maps of websites almost painlessly.  Selecting "New->Web Diagram->Web Site Map" will allow you to enter a web address and send Visio out to spider the targeted website starting at that location.  Depending on the complexity of the website this can take thirty seconds to several minutes, but once Visio is done spidering the website it will create a purdy little diagram showing all of the interrelationships between web resources.  In addition to normal pages served up it also spits out various included resources, such as .js and .css files that the website utilizes (this is configurable).

The creation of the map isn't flawless; it doesn't accept credentials for form authentication, but if the site is foolishly only protected by HTTP authentication it will accept credentials for that.  Visio doesn't try to brute force or even intelligently guess the presence of files or folders, but rather just follows references in the pages served up. AJAX confuses the spider somewhat.  Dynamically created URLs (like a wiki produces) can confuse it.

There are certainly more thorough tools for crawling websites to create a profile of them, but regardless Visio has its strengths.  It is very effective at verifying that the presentation layer isn't exposing access to protected resources.  It is quick and simple to use.  Most usefully though, it creates a better visual map of a website than pretty much any other tool I have played with, and this is greatly valuable to me.  Just glancing at the Visio output gives me a quick relationship between unprotected resources on the website and reaffirms the path of navigation through the site.  I think the hierarchical display is most useful to designers of websites to reaffirm relationships of resources, but for me as a penetration tester it gives me a very early and easy-to-generate view of the website, as well as providing me with a quick list of early targets to try and compromise.  It is by no means the only scanner I will run on a website when doing anything more than a cursory glance, its flaws are pretty big and it is far from thorough, but for quick 1000' views of a site's publicly discoverable pages in a couple of minutes it is a good tool.
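To make concrete what a reference-following site mapper of the kind described above does and does not find, here is an added example (not Visio's implementation and not code from the original post) of a small breadth-first spider. It follows only the `<a href>`, `<script src>` and `<link href>` references it is actually served, never guesses paths, stays on the starting host, records off-host links and non-200 responses without descending into them, and renders each page under the page that first discovered it. The site it walks is a constructed in-memory stand-in for HTTP (`SITE` plus a fake `fetch`); the hostnames, paths and the `/admin/` and `/api/hidden` entries are assumptions made for the example, the latter chosen to show the AJAX limitation the post mentions: a URL referenced only from JavaScript never appears in the map.

```python
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin, urlparse

# Constructed stand-in for a small site; a real run would replace fetch()
# with an HTTP client. /admin/ answers 403, and /api/hidden is referenced
# only from JavaScript, so a reference-following spider never sees it.
SITE = {
    "http://example.test/": (
        '<html><head><link rel="stylesheet" href="/css/main.css">'
        '<script src="/js/app.js"></script></head><body>'
        '<a href="/about">About</a> <a href="/products/">Products</a> '
        '<a href="http://other.test/x">Partner</a></body></html>'
    ),
    "http://example.test/about": '<a href="/">Home</a> <a href="/about#team">Team</a>',
    "http://example.test/products/": '<a href="item?id=1">Item 1</a> <a href="/admin/">Admin</a>',
    "http://example.test/products/item?id=1": '<a href="/products/">Back</a>',
    "http://example.test/admin/": None,            # protected: the fake server answers 403
    "http://example.test/css/main.css": "body{margin:0}",
    "http://example.test/js/app.js": "fetch('/api/hidden')",
}


def fetch(url: str):
    """Fake HTTP GET over SITE; returns (status, body)."""
    if url not in SITE:
        return 404, ""
    if SITE[url] is None:
        return 403, ""
    return 200, SITE[url]


class LinkExtractor(HTMLParser):
    """Collect page links (<a href>) separately from included resources (<script src>, <link href>)."""
    def __init__(self):
        super().__init__()
        self.pages, self.resources = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.pages.append(a["href"])
        elif tag == "script" and a.get("src"):
            self.resources.append(a["src"])
        elif tag == "link" and a.get("href"):
            self.resources.append(a["href"])


def normalize(base: str, raw: str):
    """Resolve a reference against its page and drop the fragment; None for mailto:/javascript: etc."""
    url = urldefrag(urljoin(base, raw))[0]
    return url if urlparse(url).scheme in ("http", "https") else None


def crawl(start: str, fetch, max_nodes: int = 500) -> dict:
    """Breadth-first spider that only follows references it is served, never guessing paths.
    Returns url -> {"status", "parent", "kind", "links", "resources", "external"}."""
    origin = urlparse(start).netloc
    nodes = {}
    queue = deque([(start, None, "page")])
    while queue and len(nodes) < max_nodes:
        url, parent, kind = queue.popleft()
        if url in nodes:
            continue                       # already mapped under its first discoverer
        status, body = fetch(url)
        node = {"status": status, "parent": parent, "kind": kind,
                "links": [], "resources": [], "external": []}
        nodes[url] = node
        if kind != "page" or status != 200:
            continue                       # resources and error pages are recorded, not parsed
        extractor = LinkExtractor()
        extractor.feed(body)
        for raw in extractor.resources:
            link = normalize(url, raw)
            if link and urlparse(link).netloc == origin and link not in node["resources"]:
                node["resources"].append(link)
                queue.append((link, url, "resource"))
        for raw in extractor.pages:
            link = normalize(url, raw)
            if not link:
                continue
            if urlparse(link).netloc != origin:
                node["external"].append(link)    # noted on the map, not crawled
            elif link not in node["links"]:
                node["links"].append(link)
                queue.append((link, url, "page"))
    return nodes


def render(nodes: dict, url: str, depth: int = 0, out=None) -> list:
    """Indented tree: each page appears once, under the page that first discovered it."""
    out = [] if out is None else out
    node = nodes[url]
    out.append("  " * depth + f"{url} [{node['status']}]")
    for res in node["resources"]:
        out.append("  " * (depth + 1) + f"{res} [{nodes.get(res, {}).get('status', '?')}] (resource)")
    for child in node["links"]:
        if child != url and nodes.get(child, {}).get("parent") == url:
            render(nodes, child, depth + 1, out)
    return out


if __name__ == "__main__":
    print("\n".join(render(crawl("http://example.test/", fetch), "http://example.test/")))
```

The `/admin/ [403]` line is the useful defensive signal the post is after: the presentation layer is linking to a resource the server refuses, so the reference exists even though the content is protected. Conversely, anything absent from the map is only absent from the served HTML, not from the site, which is why a spider like this is a first pass and not a substitute for a thorough scanner.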

I wonder what else Visio can do that I don't know about.

~Joshbw