Mac, Windows QuickTime Flaw Opens 'Month Of Apple Bugs'
Information Week | Jan 2, 2007 03:04 PM | Gregg Keizer

Posted on 01/03/2007 11:04:31 AM PST by newgeezer

The exploit could be used by attackers to compromise, hijack, or infect computers running either Windows or Mac OS X.

The Month of Apple Bugs project kicked off Monday by posting a zero-day vulnerability in Apple's QuickTime media player. It also posted an exploit that could be used by attackers to compromise, hijack, or infect computers running either Windows or Mac OS X.

The Month of Apple Bugs (MoAB), which will announce a new security vulnerability in Apple's operating system or other Mac OS X software each day in January, is a follow-on to November's "Month of Kernel Bugs" campaign, and is co-hosted by that project's poster, a hacker who goes by the initials "LMH," and a partner, Kevin Finisterre, a researcher who has posted numerous Mac vulnerabilities and analyses on his own site.

The debut vulnerability is in QuickTime 7's parsing of RTSP (RealTime Streaming Protocol); the protocol is used to transmit streaming audio, video, and 3-D animation over the Web. Users duped into clicking on an overlong rtsp:// link could find their PCs or Macs compromised. It also may be possible to automatically trigger an attack simply by enticing users to a malicious Web site.

"Exploitation of this issue is trivial," said LMH in the vulnerability's write-up on the MoAB Web site. The associated exploit code has been tested on Mac OS X running on Intel-based systems, and works against QuickTime 7.1.3, the current version of the player, LMH and Finisterre said.

Other security researchers rang alarms Tuesday. Danish vulnerability tracker Secunia, for example, pegged the bug as "highly critical," the second-from-the-top threat in its five-step score, and Symantec alerted customers of its DeepSight threat network of the vulnerability.

An Apple spokesman declined to confirm the vulnerability, or, if it was legitimate, when the flaw might be fixed. In an e-mail, he said that "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users. We always welcome feedback on how to improve security on the Mac."

LMH, who didn't immediately reply to several questions sent via e-mail, said on the MoAB site that Apple's Mac OS X operating system was chosen as the target for the month of vulnerabilities because "we like to play with OS X, we enjoy hate e-mail, and it's not as crowded as (random software vendor), yet. Thus, it's really comfortable for research and there's so much to be worked out."

He also said that Apple -- and other vendors whose Mac OS X applications might be the focus of a bug posted during the month's run -- would not be notified in most cases before the information went live, and dismissed that practice. "The point is releasing them without vendor notification. The problem with so-called 'responsible disclosure' is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial. And the reward (automated responses and euphemism-heavy advisories) doesn't pay off in the end."

LMH, Finisterre, and commercial security vendors recommended that users cripple QuickTime's ability to process rtsp:// links. In Windows, launch QuickTime, select Edit|Preferences|QuickTime Preferences, click the File Types tab, expand Streaming, and clear the box marked "RTSP stream descriptor." In Mac OS X, select System Preferences|QuickTime|Advanced|MIME Settings|Streaming|Streaming Movies and clear the "RTSP stream descriptor" box.

Apple's QuickTime was last in the news during December, when a bug in the player was exploited by fraudsters on MySpace. That vulnerability remains unpatched.

LMH expects to see more QuickTime attacks now that his newest flaw has gone public. He said, "It's a matter of time to see this getting abused in the wild."


KEYWORDS: apple; bugs; moab; security; threadjester
To: newgeezer

Mac users are deluding themselves if they think they are immune to security issues. And when the time comes that Macs are hit hard, Apple will bear the brunt of the responsibility for fostering this false sense of security within their community. Apple has become public enemy #1 for many black hatters in no small part because of Jobs' arrogant stance that his OS is immune to the security flaws, and in essence daring the black hatters to give it a go. Be careful what you ask for, Steve.....


41 posted on 01/03/2007 9:18:06 PM PST by Space Wrangler

To: 1234; 6SJ7; Action-America; af_vet_rr; afnamvet; Alexander Rubin; anonymous_user; ...
Month of Apple Bugs... PING!

If you want on or off the Mac Ping List, Freepmail me.

42 posted on 01/03/2007 10:07:46 PM PST by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)

To: for-q-clinton
Does quicktime autocheck for security patches?

Gosh, you must know, why not just tell us?

43 posted on 01/03/2007 10:28:32 PM PST by SunkenCiv (Ahmedumbass and the mullahcracy is doomed. https://secure.freerepublic.com/donate/)

To: for-q-clinton
I remember a discussion a year or so ago that exploits on MAC/Apple systems were impossible. I wonder if techjunkyard and N3WBI3 will be here to help explain how this can happen.

The funny thing is that on the Mac and other tech forums, every Mac user posting is saying they cannot get the MOAB Quicktime "exploit" to work!

In fact, it doesn't work on Macs that do not have a "Ruby" interpreter installed. Ruby does not get installed on a default OS X installation. You might have Ruby installed if you use MySQL but not if you don't.

As I stated then...security by obscurity is not real security.

Let's AGAIN discuss the myth of Security by Obscurity. That canard has been shot down many times by people far more expert than I. What obscurity is it when there are 20-22,000,000 Mac OS X users in the installed base? Various scientific polls of consumer computer users have shown that between 14% and 18% are Mac users. OS X is going on six years of operation with ZERO malware... and people are still claiming "Obscurity" as the reason no crackers have written any effective viruses, adware or spyware impacting the platform.

44 posted on 01/03/2007 10:29:03 PM PST by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)

To: HAL9000
those viruses were for Mac OS 9

BTW, I've been running just Macs for a long while now, and have never moved to OS X, and have never had a virus.

45 posted on 01/03/2007 10:30:19 PM PST by SunkenCiv (Ahmedumbass and the mullahcracy is doomed. https://secure.freerepublic.com/donate/)

To: for-q-clinton
Oh and btw, they do exist...ever heard of Leap-A or Oompa-A. Now what's your defense.

Leap-A or Oompa-A, actually the same "virus" under different names, never existed outside of a laboratory proof-of-concept created to try and gin up interest in Mac AV software. It was never in the wild. Intended to spread by using iChat, it took TWO Mac software engineers from Macworld and TWO computer security specialists from Secunia (one of the security agencies that reported it) working SIX hours to get the virus to spread from one Mac to another Mac... and then it didn't work as advertised. When they DID get it to the second Mac, it required that Mac's administrator's permission to install and then again to run for the first time. Some threat.

Inqtana-A, another claimed Mac OS-X "virus", was actually created by one of the guys running the Month of Apple Bugs... and it failed for the same reason. It also was never seen in the wild and was a mere proof-of-concept that fell flat on its face and was laughed out of the Mac user's world of worry. Inqtana was designed to spread from one Mac to another by way of Bluetooth... but the target had to accept the malicious file from someone literally within 30 feet of the target computer, download it, click OK on the warning that the file contained an application, provide permission to install it and then again to run it. Whoop-do-doo. I am so threatened.

46 posted on 01/03/2007 10:46:51 PM PST by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)

To: upchuck
Perhaps the solution to the problem is to dump Quick Time and download VLC Media Player. Open source, non-proprietary, supports just about every type of input and output media there is and, best of all, it's Free!!

Uh, the Month of Apple Bugs #2 bug is a similar buffer overflow in VLC...

This one requires an installed working Perl interpreter to work. Again, not something installed in the default OS X installation.

The other question is why is a bug in VLC an Apple bug???

47 posted on 01/03/2007 10:56:36 PM PST by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)

To: Lexinom
I'm not so sure that will continue with Apple's embracing of the Intel processor. Granted, dll-loading and system API calls within the virus code designed for Windows will not work, but I'd still think hackers could now have the capability to write platform-agnostic viruses for Intel that could do a phenomenal amount of damage. Your thoughts?

As far as I know, viruses are not written for processors... they are written to exploit flaws in operating systems. There have been a few viruses aimed at BIOSes, but none that are aimed at specific processors. For example, most Windows viruses work just fine on a PowerPC chip based Mac running a Windows installation in VirtualPC yet the PowerPC is completely different from the Intel/AMD X86 design.

48 posted on 01/03/2007 11:04:23 PM PST by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)

To: for-q-clinton
But there have been as noted above.

As also noted above, no, there haven't been. Mere proof-of-concept demos that were never spread in the wild. They have NOT been seen outside of a file sent to (created in?) a security company who then promptly reported it with an offer to sell AV software.

A virus without a vector is impotent.

49 posted on 01/03/2007 11:07:35 PM PST by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)

To: Space Wrangler
Apple has become public enemy #1 for many black hatters in no small part because of Jobs' arrogant stance that his OS is immune to the security flaws, and in essence daring the black hatters to give it a go.

Gosh. Gee whillikers, Space. Do you think those black hatters might just like to "stick a cigarette in the eyes of Mac users" to show them how unsafe they are???

That cigarette quote came from just such crackers David Maynor and Jon Ellch, who, to demonstrate the fragility of Mac's security, found it necessary to create a HOAX video of a Macbook being taken over via WIFI. The video was shown with great glee at the last Black Hat convention. They refused to tell people how they did it or to demonstrate the exploit live. It turned out they used an EXTERNAL USB WIFI card and a third party driver despite the existence of a perfectly good (and secure) built-in WiFi card and drivers. They also PRE-installed a script to run on the targeted Mac.

"Daring Fireball's" John Gruber bought a brand new MacBook and challenged Maynor and Ellch to crack his out-of-the-box MacBook... if they could, it was theirs, free and clear. John Gruber still has the MacBook.

Another Mac challenge DID get hacked. A guy in Sweden put up a Mac Mini as a server and it was cracked in under 30 minutes. BUT, this idiot gave everyone wanting to "rm-my-Mac" a Local User Account, opened every port that is normally closed in a default install, and then used extremely weak passwords for his administrator account. An Australian cracker named Gwerdna (I wonder if his first name is Andrew? I also wonder how hardened his passwords are.) broke in and defaced the web site by escalating his privileges to administrator.

David Schroeder, the senior Apple systems engineer at the University of Wisconsin's IT department, put up a Mac Mini as a Web server, using it straight out of the box with no firewall, no AV, nothing, bare naked, and challenged the black hatters to crack into it. Thousands of attempts were made over a period of 37 hours (the University required him to pull the challenge because of bandwidth usage) and NOT ONE SUCCEEDED.

David Schroeder . . . set up his own contest inviting security researchers and hackers to attempt to breach a Mac with open SSH and HTML ports and two user accounts. A critic of the original contest, Schroeder stressed that his challenge is more fair, but that most users will not likely even have those ports open.

"Mac OS X is not invulnerable--it, like any other operating system, has security deficiencies in various aspects of the software," Schroeder wrote. "However, the general architecture and design philosophy of Mac OS X, in addition to usage of open source components for most network-accessible services that receive intense peer scrutiny from the community, make Mac OS X a very secure operating system." - Source.

I think it is safe to say that the "black hatters" have given it a go and have failed miserably. Six years and counting... no malware!

50 posted on 01/03/2007 11:42:33 PM PST by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)

To: Swordmaker

Excellent smackdown.


51 posted on 01/03/2007 11:54:33 PM PST by Petronski (I just love that woman.)

To: for-q-clinton

Nope - sure don't. Don't intend to. Built-in firewall is the closest thing.


52 posted on 01/04/2007 4:51:26 AM PST by TheBattman (I've got TWO QUESTIONS for you....)

To: Swordmaker
None of this is a Mac OS X bug or vulnerability. It is a quicktime problem and quicktime runs on Windows as well.

53 posted on 01/04/2007 5:49:40 AM PST by Sunnyflorida ((Elections Matter)

To: Space Wrangler
Apple has become public enemy #1 for many black hatters in no small part because of Jobs' arrogant stance

So what is it? Do the black hatters ignore OS X because of its marketshare, or are they intent on nailing OS X because of Apple's arrogance?

54 posted on 01/04/2007 6:22:00 AM PST by antiRepublicrat

To: antiRepublicrat; HAL9000

Ok, then what about the wireless card driver bug? But since, the mac osx isn't a big enough footprint...since it's not in the wild I guess it doesn't matter.

In fact, since OSX is so secure I'm sure Jobs is out praising this 0-day exploit release that is going to be happening all month long. I wonder why he isn't out trumpeting this as a good thing?

Once again the anti-M$ folks at FR will find excuses and not accept the fact that MACs are vulnerable to attack.


55 posted on 01/04/2007 6:45:09 AM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: Sunnyflorida
None of this is a Mac OS X bug or vulnerability. It is a quicktime problem and quicktime runs on Windows as well.

But if you listen to the MAC faithful this type of attack is impossible on the MAC. So how can it be possible if MAC is so secure? Also using Windows as your scapegoat isn't exactly sound reasoning with these guys because they spend their time telling why windows is so bad and MAC is so good. To say well Windows has the issue too is a joke...especially when the issue is in APPLE software.

56 posted on 01/04/2007 6:47:12 AM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: SunkenCiv
Gosh, you must know, why not just tell us?

Actually I don't. I use quicktime in limited fashion. I typically have to install it whenever I need it. So why don't you tell us?

57 posted on 01/04/2007 6:48:41 AM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: Swordmaker; antiRepublicrat; HAL9000

I'm confused. Anti-R and Hal9000 have said that the virus was for MAC OS9, but it looks like your post says they are for OS X. And they dismiss it because the user is prompted for admin access. As I stated earlier. Trick 1% of mac users into giving admin access...no real threat. Trick 1% of windows users and you have yourself a nice little claim to fame.


58 posted on 01/04/2007 6:51:50 AM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: Swordmaker

Not sure if a poorly written driver is a HOAX? Windows suffers from 3rd party drivers all the time and gets a black eye from it.

One could argue the OS shouldn't allow such things.


59 posted on 01/04/2007 6:54:44 AM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: antiRepublicrat

Up until this point, they have ignored it, but starting about mid-2006, there is now a truly concerted effort to target Mac users. Macking, until now, has always been a disjointed effort, with the feeling that such a thin market share was hardly worth the time and effort. I'm not just shooting in the dark here. My area of expertise is data security, and I know that many black hatters are salivating to be the one that brings Apple to its knees. They may or may not succeed. And before anyone thinks I'm some PC shill, I own and use a MacBook regularly. I also hold several MS certifications and a few other vendor-neutral certs. I like the Mac OS, and I do believe that it is inherently more secure than Windows. I also run several distros of Linux. In short, I like computers and believe that all OS's have something to offer depending on the consumer. I also know that any OS is capable of being hacked, and the attitude of "it can't happen to me" is extremely misguided. Apple seems to be fostering this attitude by whistling past the graveyard, and even worse, basically daring anyone to have a go at them. That is what I would call "bad joujou".


60 posted on 01/04/2007 6:54:57 AM PST by Space Wrangler

