Free Republic
Browse · Search
Smoky Backroom
Topics · Post Article


Mac, Windows QuickTime Flaw Opens 'Month Of Apple Bugs'
Information Week ^ | Jan 2, 2007 03:04 PM | Gregg Keizer

Posted on 01/03/2007 11:04:31 AM PST by newgeezer

The exploit could be used by attackers to compromise, hijack, or infect computers running either Windows or Mac OS X.

The Month of Apple Bugs project kicked off Monday by posting a zero-day vulnerability in Apple's QuickTime media player. It also posted an exploit that could be used by attackers to compromise, hijack, or infect computers running either Windows or Mac OS X.

The Month of Apple Bugs (MoAB), which will announce a new security vulnerability in Apple's operating system or other Mac OS X software each day in January, is a follow-on to November's "Month of Kernel Bugs" campaign, and is co-hosted by that project's poster, a hacker who goes by the initials "LMH," and a partner, Kevin Finisterre, a researcher who has posted numerous Mac vulnerabilities and analyses on his own site.

The debut vulnerability is in QuickTime 7's parsing of RTSP (RealTime Streaming Protocol); the protocol is used to transmit streaming audio, video, and 3-D animation over the Web. Users duped into clicking on an overlong rtsp:// link could find their PCs or Macs compromised. It also may be possible to automatically trigger an attack simply by enticing users to a malicious Web site.

"Exploitation of this issue is trivial," said LMH in the vulnerability's write-up on the MoAB Web site. The associated exploit code has been tested on Mac OS X running on Intel-based systems, and works against QuickTime 7.1.3, the current version of the player, LMH and Finisterre said.

Other security researchers rang alarms Tuesday. Danish vulnerability tracker Secunia, for example, pegged the bug as "highly critical," the second-from-the-top threat in its five-step score, and Symantec alerted customers of its DeepSight threat network of the vulnerability.

An Apple spokesman declined to confirm the vulnerability, or, if it was legitimate, when the flaw might be fixed. In an e-mail, he said that "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users. We always welcome feedback on how to improve security on the Mac."

LMH, who didn't immediately reply to several questions sent via e-mail, said on the MoAB site that Apple's Mac OS X operating system was chosen as the target for the month of vulnerabilities because "we like to play with OS X, we enjoy hate e-mail, and it's not as crowded as (random software vendor), yet. Thus, it's really comfortable for research and there's so much to be worked out."

He also said that Apple -- and other vendors whose Mac OS X applications might be the focus of a bug posted during the month's run -- would not be notified in most cases before the information went live, and dismissed that practice. "The point is releasing them without vendor notification. The problem with so-called 'responsible disclosure' is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial. And the reward (automated responses and euphemism-heavy advisories) doesn't pay off in the end."

LMH, Finisterre, and commercial security vendors recommended that users cripple QuickTime's ability to process rtsp:// links. In Windows, launch QuickTime, select Edit|Preferences|QuickTime Preferences, click the File Types tab, expand Streaming, and clear the box marked "RTSP stream descriptor." In Mac OS X, select System Preferences|QuickTime|Advanced|MIME Settings|Streaming|Streaming Movies and clear the "RTSP stream descriptor" box.

Apple's QuickTime was last in the news during December, when a bug in the player was exploited by fraudsters on MySpace. That vulnerability remains unpatched.

LMH expects to see more QuickTime attacks now that his newest flaw has gone public. He said, "It's a matter of time to see this getting abused in the wild."


TOPICS:
KEYWORDS: apple; bugs; moab; security; threadjester
To: DonGrafico
Wow! A month of Apple bugs and roughly 30 years (and counting) of M-Soft bugs. Apple has a long way to go to be as good at security flaws as M-Soft, but give them credit they're trying.

Apple has been flying under the hackers' radar. Just like Linux once did. Their smugness has led hackers to show they aren't perfect either. We all know Windows isn't perfect, but the reason they have the most exploits found is because they have the biggest footprint and hackers won't waste time trying to attack a handful of machines.

If you're saying no exploits makes an OS secure, then you will want to buy the one I wrote as it has yet to be exploited. Of course I'm the only one that has ever used it, but it must be secure since no one has ever hacked it. /sarcasm

21 posted on 01/03/2007 2:45:47 PM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 19 | View Replies]

To: antiRepublicrat
I certainly hope nobody said it, because exploits already existed back then. However, active exploits in the wild, actually taking over Macs, do not exist yet. Maybe some day...

Once again...security by obscurity is no security. Reason they don't exist is because there's not enough bang for the buck for the hackers. Oh and btw, they do exist...ever heard of Leap-A or Oompa-A. Now what's your defense.

22 posted on 01/03/2007 2:49:46 PM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 18 | View Replies]

To: TommyDale
All I know is that it sure as heck caused problems.

I can take your word for that. I've heard of PC users who've had problems running QuickTime.

Although QuickTime does not contain spyware, looking at the technical details of this latest vulnerability, it's feasible that QuickTime could be an attack vector for loading spyware or performing some other malicious act. But the attack would have to lure the user into taking some action, like clicking on a link, so it's not an efficient way to propagate malware. The risk to the average QuickTime user is negligible. Another complication is that QuickTime is available for three platforms (Windows, PowerPC Macs and Intel Macs), and it would be difficult to create an exploit that works on all three.

Apple needs to fix some things, like checking for buffer overflows and checking for code following a colon character in URLs. These fixes should be simple to apply. I'm sure Apple is a little embarrassed that these bugs exist, but they should not cause any widespread problems.

23 posted on 01/03/2007 2:50:00 PM PST by HAL9000 (Get a Mac - The Ultimate FReeping Machine)
[ Post Reply | Private Reply | To 17 | View Replies]
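
The kind of length checking post 23 asks for, sketched as an added example (not Apple's code and not part of the original thread): a hypothetical `parse_rtsp_host` that rejects an overlong rtsp:// URL, or an overlong field after the colon, before copying anything. The limits and return codes are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <string.h>

#define RTSP_PREFIX  "rtsp://"
#define MAX_URL_LEN  2048  /* assumed policy limit, not a QuickTime value */
#define MAX_HOST_LEN 255   /* assumed cap on the host field */

enum { RTSP_OK = 0, RTSP_NOT_RTSP = -1, RTSP_TOO_LONG = -2, RTSP_BAD_HOST = -3 };

/*
 * Copy the host part of an rtsp:// URL into `host` (capacity `host_cap`).
 * Every length is checked before any byte is copied, so an overlong URL or
 * an overlong field after ':' is rejected instead of overrunning a buffer.
 */
int parse_rtsp_host(const char *url, char *host, size_t host_cap)
{
    size_t plen = strlen(RTSP_PREFIX);
    size_t ulen, hlen;
    const char *start, *end;

    if (url == NULL || host == NULL || host_cap == 0)
        return RTSP_BAD_HOST;
    host[0] = '\0';
    /* Bounded length scan: stop looking once the policy limit is passed. */
    for (ulen = 0; ulen <= MAX_URL_LEN && url[ulen] != '\0'; ulen++)
        ;
    if (ulen > MAX_URL_LEN)
        return RTSP_TOO_LONG;
    if (ulen < plen || strncmp(url, RTSP_PREFIX, plen) != 0)
        return RTSP_NOT_RTSP;

    start = url + plen;
    end = start + strcspn(start, ":/");   /* host ends at ':' or '/' */
    hlen = (size_t)(end - start);
    if (hlen == 0)
        return RTSP_BAD_HOST;
    if (hlen > MAX_HOST_LEN || hlen >= host_cap)
        return RTSP_TOO_LONG;

    /* The field after ':' must be a port: one to five decimal digits. */
    if (*end == ':') {
        size_t portlen = strcspn(end + 1, "/");
        if (portlen == 0 || portlen > 5 ||
            strspn(end + 1, "0123456789") != portlen)
            return RTSP_BAD_HOST;
    }
    memcpy(host, start, hlen);
    host[hlen] = '\0';
    return RTSP_OK;
}
```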

To: HAL9000
These fixes should be simple to apply. I'm sure Apple is a little embarrassed that these bugs exist, but they should not cause any widespread problems.

The reason it won't cause widespread harm is because there aren't enough MACs to make a dent on the news cycle, so hackers won't waste their time.

The Windows version is already fixed, but that requires someone to install the patch. Does QuickTime autocheck for security patches?

But to lure someone to a link is pretty easy nowadays...a simple email with a funny video will do the trick. Users will click all your links if you give them one or two funny videos to watch.

24 posted on 01/03/2007 2:57:39 PM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 23 | View Replies]

To: newgeezer
Perhaps the solution to the problem is to dump Quick Time and download VLC Media Player. Open source, non-proprietary, supports just about every type of input and output media there is and, best of all, it's Free!!.

25 posted on 01/03/2007 3:02:27 PM PST by upchuck (How to win the WOT? Simple: set our rules of engagement to at least match those of our enemy.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: for-q-clinton
Reason they don't exist is because there's not enough bang for the buck for the hackers.

Previous versions of Mac OS had lots of viruses in the wild, and they had nowhere near the market penetration or visibility of OS X, which has none.

Oh and btw, they do exist...ever heard of Leap-A or Oompa-A. Now what's your defense.

Leap-A/Oompa-A was a trojan, requiring the person to purposely run it and be running as administrator (which is not as common in the Mac world due to the better permissions set up in UNIX). I believe the first malware for OS X was a supposed pirated copy of MS Office, which if run deleted files in the user's profile (but couldn't hose the system due to lack of root permission). There was one reported case of getting nailed by the latter, none that I heard of with the former.

26 posted on 01/03/2007 3:24:16 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 22 | View Replies]

To: for-q-clinton
But their users do... most I know don't even run AV protection.

There are no Mac viruses in the wild, no self-propagating malware, so the odds of getting infected are very low. People without antivirus are just playing the odds that they won't be among the first to get hit, and given that those odds are probably millions to one, it's not too bad a bet for most people.

AV sellers have been hyping every proof of concept (some of which they probably create) to boost sales, and so far nobody is listening. Only expect OS X AV sales to go up when there's actually something out there to worry about.

27 posted on 01/03/2007 3:30:24 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 20 | View Replies]

To: for-q-clinton
The reason it won't cause widespread harm is because there aren't enough MACs to make a dent on the news cycle, so hackers won't waste their time.

Apple had occasional problems with viruses several years ago when they were selling far fewer computers. Since then, Apple has switched to Mac OS X and is selling Macs in record numbers - and not a single virus has spread in the wild. Your theory is discredited.

28 posted on 01/03/2007 3:41:36 PM PST by HAL9000 (Get a Mac - The Ultimate FReeping Machine)
[ Post Reply | Private Reply | To 24 | View Replies]

To: upchuck
The second exploit is a VLC bug. Though how that counts as an Apple flaw, I can't fathom.

The basic point is that there are better design decisions on the Mac side which explain the lack of exploits and viruses.

The best debunking of the security through obscurity myth is here.

29 posted on 01/03/2007 3:44:27 PM PST by Obi-Wandreas (Dedicated to the shameless pursuit of silliness)
[ Post Reply | Private Reply | To 25 | View Replies]

To: newgeezer

It's a social engineering bug. People who click unknown links deserve what awaits them.


30 posted on 01/03/2007 3:46:34 PM PST by Doohickey (I am not unappeasable. YOU are just too easily appeased.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: newgeezer
He also said that Apple ... would not be notified in most cases before the information went live, and dismissed that practice. "The point is releasing them without vendor notification. The problem with so-called 'responsible disclosure' is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial. And the reward (automated responses and euphemism-heavy advisories) doesn't pay off in the end."

Assholes.

31 posted on 01/03/2007 3:48:38 PM PST by Doohickey (I am not unappeasable. YOU are just too easily appeased.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Eric in the Ozarks

Hand him a 512MB video card and have him let you know when he's got it installed in the Mini.


32 posted on 01/03/2007 3:52:03 PM PST by Doohickey (I am not unappeasable. YOU are just too easily appeased.)
[ Post Reply | Private Reply | To 5 | View Replies]

To: newgeezer

Well, Apple chose to go from... MIPS? to Intel. Now there's essentially one homogenous processor used by everybody. So you can imagine the implications.


33 posted on 01/03/2007 4:26:07 PM PST by Lexinom (Duncan Hunter 2008)
[ Post Reply | Private Reply | To 1 | View Replies]

To: newgeezer

If you spent your time posting about every Windows exploit, you'd never leave your computer.


34 posted on 01/03/2007 4:28:57 PM PST by gonewt
[ Post Reply | Private Reply | To 1 | View Replies]

To: HAL9000

I'm not so sure that will continue with Apple's embracing of the Intel processor. Granted, dll-loading and system API calls within the virus code designed for Windows will not work, but I'd still think hackers could now have the capability to write platform-agnostic viruses for Intel that could do a phenomenal amount of damage. Your thoughts?


35 posted on 01/03/2007 4:29:09 PM PST by Lexinom (Duncan Hunter 2008)
[ Post Reply | Private Reply | To 28 | View Replies]

To: Lexinom

If the attack is designed in machine code, it probably won't be very portable. But it's possible to use cross-platform scripting and network vulnerabilities to attack different operating systems, even with different CPU architectures.


36 posted on 01/03/2007 4:53:13 PM PST by HAL9000 (Get a Mac - The Ultimate FReeping Machine)
[ Post Reply | Private Reply | To 35 | View Replies]

To: HAL9000; antiRepublicrat
and not a single virus has spread in the wild. Your theory is discredited.

But there have been as noted above. The new Vista requires users to say yes when running as admin as well; however, I bet the excuse antirepublicrat uses won't be acceptable for Microsoft when idiot users click on a link and say yes to allow admin access and wammo virus hits. The fact that most machines will be Windows it's more likely that a virus writer will gamble that even if 1% of the users are dumb enough to say yes...they'll catch hundreds of thousands if not millions of users with their virus. If you catch 1% of the Mac users that say yes to an admin access request...then you have caught hundreds of people. Not exactly newsworthy.

37 posted on 01/03/2007 7:28:14 PM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 28 | View Replies]

To: for-q-clinton
But there have been as noted above.

But those viruses were for Mac OS 9 and earlier operating systems that were discontinued years ago. There have been zero viruses in the wild for Mac OS X since it was introduced five years ago.

The vast majority of Mac OS X users don't even have anti-virus software. In the Windows world, they would be sitting ducks.

38 posted on 01/03/2007 8:00:07 PM PST by HAL9000 (Get a Mac - The Ultimate FReeping Machine)
[ Post Reply | Private Reply | To 37 | View Replies]

To: for-q-clinton
I bet the excuse antirepublicrat uses won't be acceptable for Microsoft when idiot users click on a link and say yes to allow admin access and wammo virus hits.

For trojans of this type, it'll still be the user's fault. However, Microsoft's implementation has its own problems in that it makes that box pop up so much in normal usage that users will get used to simply typing in the password to keep working with their normal stuff, and they may not notice that they just allowed something they shouldn't have.

39 posted on 01/03/2007 9:09:45 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 37 | View Replies]

To: for-q-clinton
But there have been as noted above.

And please learn something about the platform you denigrate before posting about it. There is less relation between OS 9 and OS X than between Windows 3.1 and Vista.

40 posted on 01/03/2007 9:13:35 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 37 | View Replies]



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
