Free Republic
Browse · Search
Smoky Backroom
Topics · Post Article


Mac, Windows QuickTime Flaw Opens 'Month Of Apple Bugs'
Information Week ^ | Jan 2, 2007 03:04 PM | Gregg Keizer

Posted on 01/03/2007 11:04:31 AM PST by newgeezer

The exploit could be used by attackers to compromise, hijack, or infect computers running either Windows or Mac OS X.

The Month of Apple Bugs project kicked off Monday by posting a zero-day vulnerability in Apple's QuickTime media player. It also posted an exploit that could be used by attackers to compromise, hijack, or infect computers running either Windows or Mac OS X.

The Month of Apple Bugs (MoAB), which will announce a new security vulnerability in Apple's operating system or other Mac OS X software each day in January, is a follow-on to November's "Month of Kernel Bugs" campaign, and is co-hosted by that project's poster, a hacker who goes by the initials "LMH," and a partner, Kevin Finisterre, a researcher who has posted numerous Mac vulnerabilities and analyses on his own site.

The debut vulnerability is in QuickTime 7's parsing of RTSP (RealTime Streaming Protocol); the protocol is used to transmit streaming audio, video, and 3-D animation over the Web. Users duped into clicking on an overlong rtsp:// link could find their PCs or Macs compromised. It also may be possible to automatically trigger an attack simply by enticing users to a malicious Web site.

"Exploitation of this issue is trivial," said LMH in the vulnerability's write-up on the MoAB Web site. The associated exploit code has been tested on Mac OS X running on Intel-based systems, and works against QuickTime 7.1.3, the current version of the player, LMH and Finisterre said.

Other security researchers rang alarms Tuesday. Danish vulnerability tracker Secunia, for example, pegged the bug as "highly critical," the second-from-the-top threat in its five-step score, and Symantec alerted customers of its DeepSight threat network of the vulnerability.

An Apple spokesman declined to confirm the vulnerability, or, if it was legitimate, when the flaw might be fixed. In an e-mail, he said that "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users. We always welcome feedback on how to improve security on the Mac."

LMH, who didn't immediately reply to several questions sent via e-mail, said on the MoAB site that Apple's Mac OS X operating system was chosen as the target for the month of vulnerabilities because "we like to play with OS X, we enjoy hate e-mail, and it's not as crowded as (random software vendor), yet. Thus, it's really comfortable for research and there's so much to be worked out."

He also said that Apple -- and other vendors whose Mac OS X applications might be the focus of a bug posted during the month's run -- would not be notified in most cases before the information went live, and dismissed that practice. "The point is releasing them without vendor notification. The problem with so-called 'responsible disclosure' is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial. And the reward (automated responses and euphemism-heavy advisories) doesn't pay off in the end."

LMH, Finisterre, and commercial security vendors recommended that users cripple QuickTime's ability to process rtsp:// links. In Windows, launch QuickTime, select Edit|Preferences|QuickTime Preferences, click the File Types tab, expand Streaming, and clear the box marked "RTSP stream descriptor." In Mac OS X, select System Preferences|QuickTime|Advanced|MIME Settings|Streaming|Streaming Movies and clear the "RTSP stream descriptor" box.

Apple's QuickTime was last in the news during December, when a bug in the player was exploited by fraudsters on MySpace. That vulnerability remains unpatched.

LMH expects to see more QuickTime attacks now that his newest flaw has gone public. He said, "It's a matter of time to see this getting abused in the wild."


KEYWORDS: apple; bugs; moab; security; threadjester
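
An added example, not from the article or the MoAB write-up: a defender-side scan that flags overlong rtsp:// URLs in page markup, the pattern the article describes. The 256-character limit, the attribute list, the function names and the sample markup are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed triage threshold: the article only says "overlong", so this value is
# a local policy choice, not a figure from any advisory.
MAX_RTSP_URL_LEN = 256

# Attributes that commonly carry a media URL in embed markup (assumed list;
# "qtsrc" and "value" cover QuickTime <embed>/<param> usage).
URL_ATTRS = {"href", "src", "qtsrc", "data", "value"}
RTSP_RE = re.compile(r"rtsp://[^\s\"'<>]+", re.IGNORECASE)


class RtspLinkCollector(HTMLParser):
    """Collects every rtsp:// URL found in tag attributes or in text/script."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.urls = []  # list of (where_found, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                url = value.strip()
                if url.lower().startswith("rtsp://"):
                    self.urls.append((tag, url))

    def handle_data(self, data):
        # Catches links assigned from script, which need no click at all.
        for match in RTSP_RE.finditer(data):
            self.urls.append(("text", match.group(0)))


def find_overlong_rtsp(html, limit=MAX_RTSP_URL_LEN):
    """Return [(where_found, length, preview)] for rtsp:// URLs over limit."""
    collector = RtspLinkCollector()
    collector.feed(html)
    collector.close()
    return [(where, len(url), url[:40])
            for where, url in collector.urls if len(url) > limit]


# Constructed sample page. The "x" padding only makes the URL long; it is not
# exploit data and the host name is a placeholder.
LONG_URL = "rtsp://media.example.test/" + "x" * 900
SAMPLE_HTML = (
    '<a href="rtsp://media.example.test/live.sdp">normal stream</a>\n'
    f'<a href="{LONG_URL}">click me</a>\n'
    f'<embed src="poster.mov" qtsrc="{LONG_URL}.mov" />\n'
    f'<script>location = "{LONG_URL}";</script>\n'
)

if __name__ == "__main__":
    for where, length, preview in find_overlong_rtsp(SAMPLE_HTML):
        print(f"overlong rtsp URL in <{where}>: {length} chars, starts {preview}")
```
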
To: antiRepublicrat
The reputation is in being the first.

Hackers are cowards and no way do they want every news agency in the world looking for them so justice could be served. They'll continue to hack Windows for fun or profit and maintain their pathetic obscurity.

181 posted on 01/05/2007 5:29:31 PM PST by Golden Eagle

To: Swordmaker
While it does ship with the OS, it is not part of the OS, and is not factory installed on the computer.

In the case of Apple, which I know *you* are specifically referring to, I agree. AntiRepublican and HAL are constantly trying to claim many of the same benefits Apple users enjoy automatically apply to Linux as well, you see them trying to lump the two together constantly. It doesn't work that way, OSX from Apple and Linux from Red Hat for example are completely different products, install methods, and upgrade processes. Linux, unlike Apple, rarely comes preinstalled, and often patches for Linux have to come from the original vendor, not typically being modular or directly available from 3rd parties. So in your case with regard to most Apple, I agree, but when AR tries to claim that holes aren't in a linux distribution, he is wrong as a patch for that specific distribution is often required.

182 posted on 01/05/2007 5:39:20 PM PST by Golden Eagle

To: Swordmaker
how did that previously placed malicious application get placed on the Mac without the user's knowledge??? That's trivially easy to do on a Windows box...

I think you'd probably admit in retrospect that was a broad generality that isn't accurate or justified.

183 posted on 01/05/2007 5:41:28 PM PST by Golden Eagle

To: for-q-clinton
The setup was take an unpatched OSX box (which some users have) and execute an exploit that will run unwanted code on the machine. I won and he left for 1 month.

Are you talking about that ancient "Man in the middle" vulnerability that was never exploited and patched in the summer of 2002? Yep, you are. You called it a virus back when you were frothing about N3WBI3 or I going away for 30 days. As far as I know, N3WBI3 did not lose to you. I will repeat what I told you back then.

Or perhaps it is the "Phantom Update" MITM concept created by Russell Harding... in which he postulated in 2002 that a malware COULD POSSIBLY be installed on a Mac OSX computer to spoof the SoftwareUpdate routines into connecting to a fraudulent Apple download site to further install software. Of course someone would have to install (at the ROOT level, with ROOT permissions) alterations to the SYSTEM update routines to connect to the spoofed "Apple" download site.

This ancient proof-of-concept, unexploited vulnerability was addressed in Apple OSX Security Update 07-18-2002 by instituting methods to validate the connection is with Apple's website. This vulnerability does not affect any OSX after 10.2.1. - Original FR reply post.

. . .

From the Russell Harding Website:

The victim downloads a software package masquerading as a security update. In truth, it contains a backdoored copy of the Secure Shell Server Daemon, sshd. This version of sshd includes all the functions of the stock sshd, except the following: You can log in to any account on the system with the secret password "URhacked!". After logging in through this method, no logging of the connection is employed. In fact, you do not show up in the list of current users!

This "Proof-of-concept" was never in the wild... and it is not a virus. It meets the definition of a "Trojan". It is neither self-replicating nor self-propagating and has no vector beyond the user downloading and installing it, which requires the user to somehow download a spoofed "security update" from a non-Apple site so that the spoofed file can redirect future downloads to a non-Apple site. Right. Suuuure. Virus, your ass. - Original FR reply post.

There are other comments relating to this "challenge" but interested users can use this link to read the entire thread if they are so inclined. What it will show is that YOU are just as irritating and unreasonable now as you were then. This is the last time I will respond to your tripe on this thread. YOU are a waste of time.

184 posted on 01/05/2007 5:55:18 PM PST by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)

To: Golden Eagle
Well that's not quite as bad as actually shipping a Windows virus to Windows iPod users, then trying to blame Microsoft. ;-)

No, it's not. However, the Windows virus came about because a Windows machine that was being used at the contract manufacturer to place the Windows software on the iPod was infected. IIRC Fewer than 2000 iPods with the virus were apparently shipped before it was caught and stomped on.

185 posted on 01/05/2007 5:59:26 PM PST by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)

To: Golden Eagle
I think you'd probably admit in retrospect that was a broad generality that isn't accurate or justified.

I will retract it because that is no longer the case. WindowsXP since service pack 2 has been FAR better at avoiding drive by downloads. Let's just say that for-q is an irritating *#^%*@ and using his own hyperbole against him might be slightly justifiable.

186 posted on 01/05/2007 6:03:30 PM PST by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)

To: Swordmaker
Fewer than 2000 iPods with the virus were apparently shipped before it was caught

Just goes to show, nobody's perfect.

187 posted on 01/05/2007 6:18:11 PM PST by Golden Eagle

To: Swordmaker
I will retract it because that is no longer the case.

Thank you.

using his own hyperbole against him might be slightly justifiable.

Stick with the facts, they always win in the end.

188 posted on 01/05/2007 6:43:56 PM PST by Golden Eagle

To: for-q-clinton
We already discussed the first exploit available on the mac over 1 year ago.

And it was in the wild infecting Macs exactly when?

For all I can tell, you must have stock in antivirus companies. You take theoretical and in-the-lab exploits and FUD them up to scare everybody into thinking they're in great immediate danger.

189 posted on 01/05/2007 8:01:18 PM PST by antiRepublicrat

To: Golden Eagle
b)they have lives outside of tweaking software endlessly and prefer a simple and complete integrated environment from a single vendor.

You just perfectly described Macs.

Few people use Linux on a large scale because it sucks to manage, not the other way around.

Revisiting Largo, how is it that they run their Linux infrastructure on a staff of six, which is far fewer than is normally needed for a comparable Windows setup? Microsoft even came in and tried to woo them back to Windows, but had to admit that Windows couldn't cut it.

190 posted on 01/05/2007 8:04:14 PM PST by antiRepublicrat

To: antiRepublicrat

Office for Mac wouldn't be the top selling software for the platform if it was already complete, besides he was making a bogus claim about Linux anyway. And FYI Largo isn't a large scale, it's a small city in Florida.


191 posted on 01/05/2007 8:19:31 PM PST by Golden Eagle

To: Space Wrangler

I'm going to accept your response as a legitimate topic of discussion. I am not really interested in perusing hacker sites so I'll have to take your word that this is a RECENT phenomenon. I am interested in how you may have come to this conclusion however. Do hacker sites have archives which go back six years that you have diligently researched? If so, I hope that you'll find a way to share the results of your research with us at some point.

I have no argument with you about the interest of hackers in the Mac OS. In fact, you will find few if any who would disagree. We only differ on the date. You insist it is recent, I believe it is ongoing.

Your posts chide Mac users for being smug about security issues, but you’ve also claimed that the Mac OS is “inherently more secure than Windows.” You can’t have it both ways. If we say the Mac is more secure, you call us smug. Worse, we have enraged the hacker community. What are we to do?

Any time that any software is going to be installed on my Mac, I have to enter an administrator’s password to allow the continuation. That’s simple enough isn’t it? Yet yesterday, with all anti-virus software on alert, a client plugged a thumb drive into the Windows box. Once the open window was cleared, I noticed a dialog box that claimed that Windows had installed something and asked if I wanted to restart. You can’t install anything on my Mac without my permission. Why can you install something on Windows without my permission? I have no idea what it was. I said no, crossed my fingers and went on with my work. I’m still worried about it. That kind of stuff never happens on my Mac. Might it some day? Sure, but it hasn’t happened in six years? We like that.

I used Mac anti-virus software on OS 7 and 8. I will use it again if it becomes necessary. I don’t now. Not tryin’ to be smug.


192 posted on 01/05/2007 8:19:32 PM PST by Leonard210

To: Leonard210
Your posts chide Mac users for being smug about security issues, but you’ve also claimed that the Mac OS is “inherently more secure than Windows.” You can’t have it both ways.

I can't? Why not? Begging your pardon, I most certainly can, and do have it both ways. More secure doesn't mean impervious to attack, and while you will certainly get no argument from me about OS X being a more secure platform, the attitude that it cannot possibly be exploited is wrong headed.

I am interested in how you may have come to this conclusion however. Do hacker sites have archives which go back six years that you have diligently researched? If so, I hope that you'll find a way to share the results of your research with us at some point.

I won't be sharing any results, and my information about the timing and nature of collaborative macking come from others in the field that have been in this game much longer than I have. I guess you'll just have to take my word for it. Or not. It matters not to me.

You can’t install anything on my Mac without my permission. Why can you install something on Windows without my permission?

Set up a non-administrator account, then deny permission for modifying the registry in the mandatory profile you set up to do day to day tasks on the machine and let your worries end. Windows default security is pretty light, but it's there if you want it.

193 posted on 01/05/2007 10:08:53 PM PST by Space Wrangler

To: Golden Eagle
Office for Mac wouldn't be the top selling software for the platform if it was already complete

That makes no sense. Acrobat wouldn't be the top-selling portable document tools if Windows were complete. See? Doesn't make sense.

And FYI Largo isn't a large scale, it's a small city in Florida.

Large enough to get a good idea of how much labor it takes to maintain a Linux network. Large enough that Microsoft took notice and sent someone to try to switch them back.

194 posted on 01/06/2007 7:49:04 AM PST by antiRepublicrat

To: antiRepublicrat
That makes no sense. Acrobat wouldn't be the top-selling portable document tools if Windows were complete. See? Doesn't make sense.

Makes perfect sense, the top selling software apps for Windows don't come from their #1 competitor. Unfortunately Microsoft probably makes as much profit off many Apples out there as Apple. Apple should have protected the "Apple Works" software and market a lot better than they did.

Large enough

Tiny, Chicago would have been a better example, you can't even score your own points.

195 posted on 01/06/2007 8:11:11 AM PST by Golden Eagle

To: Space Wrangler
More secure doesn't mean impervious to attack...

Really? You say that as if you have made a second monumental discovery. (The first being that hackers are trying to hack the Mac.) You may continue to argue with your imaginary generic Mac user, but I have never claimed that Macs are impervious to anything. What, then, is exactly the source of your anger? Are you mad that none of your sources "in the field" have been able to launch the kind of weekly assault on the Mac that they have been able to inflict on Windows? I have no problem believing that hackers are going after the Mac. How do you think Apple and the Mac community will respond? Do the sources in the field think that they will launch ONE attack so massive that they will damage Apple forever? We've seen the kind of things these guys are capable of doing. (Windows has a history.) But people recover, systems get repaired. Your whole premise seems to be that hackers are hoppin' mad at Apple, but it wasn't always that way. This is something new. The hacker community was simply ignoring the Mac platform, they were ambivalent, but that TV commercial was the last straw!
196 posted on 01/06/2007 9:48:15 AM PST by Leonard210

To: Leonard210

Zealotry, Leonard. Look it up. And leave me alone.


197 posted on 01/06/2007 11:12:54 AM PST by Space Wrangler

To: Space Wrangler
Zealotry: excess of zeal

Guilty...as are you.

You have made bold statements with no substantiation and insist that no explanation will be forthcoming. You imply a superior knowledge of a field to which you are admittedly new. Your information bears no weight because it is old information that you are trying to pass off as new. An excess of zeal? I'd say you've gone beyond.

Next time you arrive here, I expect it will be to gloat about some hack to a Mac system. It's all you have. We will welcome you back, engage your little victory dance, fix our Macs and continue to enjoy a damn good operating system. You will eventually head into the sunset with the warning that once again THE BIG ONE is comin'. Hi ho Silver!
198 posted on 01/06/2007 11:35:39 AM PST by Leonard210

To: Leonard210
No, I made a statement based on my personal experience, as well as the cumulative experience of others. Your response was to insinuate that I was either ignorant of reality or less than truthful. You mistook my statements as some type of attack on your religious devotion to a machine, and acted as I would expect any zealot to. At least you admit it, which is a start. Have a nice life.
199 posted on 01/06/2007 12:12:23 PM PST by Space Wrangler

To: Space Wrangler

Do you even read your stuff before you post? You did not claim PERSONAL experience. You claimed that you spoke to OTHERS who had knowledge of a NEW concerted effort in the hacker community to target the Mac. And not because they were simply malicious, but because Mac users are smug.

I have a flawed devotion to only one. I have displayed devotion in my posts to no other. Do you really believe that tossing out insults constitutes enlightened debate? You make overreaching statements, attack Mac users with silly name calling and then refuse to respond to the substance of my simple questions. What in the world do you call that?


200 posted on 01/06/2007 12:51:03 PM PST by Leonard210

