Mac, Windows QuickTime Flaw Opens 'Month Of Apple Bugs'
Information Week ^ | Jan 2, 2007 03:04 PM | Gregg Keizer

Posted on 01/03/2007 11:04:31 AM PST by newgeezer

The exploit could be used by attackers to compromise, hijack, or infect computers running either Windows or Mac OS X.

The Month of Apple Bugs project kicked off Monday by posting a zero-day vulnerability in Apple's QuickTime media player. It also posted an exploit that could be used by attackers to compromise, hijack, or infect computers running either Windows or Mac OS X.

The Month of Apple Bugs (MoAB), which will announce a new security vulnerability in Apple's operating system or other Mac OS X software each day in January, is a follow-on to November's "Month of Kernel Bugs" campaign, and is co-hosted by that project's poster, a hacker who goes by the initials "LMH," and a partner, Kevin Finisterre, a researcher who has posted numerous Mac vulnerabilities and analyses on his own site.

The debut vulnerability is in QuickTime 7's parsing of RTSP (RealTime Streaming Protocol); the protocol is used to transmit streaming audio, video, and 3-D animation over the Web. Users duped into clicking on an overlong rtsp:// link could find their PCs or Macs compromised. It also may be possible to automatically trigger an attack simply by enticing users to a malicious Web site.

"Exploitation of this issue is trivial," said LMH in the vulnerability's write-up on the MoAB Web site. The associated exploit code has been tested on Mac OS X running on Intel-based systems, and works against QuickTime 7.1.3, the current version of the player, LMH and Finisterre said.

Other security researchers rang alarms Tuesday. Danish vulnerability tracker Secunia, for example, pegged the bug as "highly critical," the second-from-the-top threat in its five-step score, and Symantec alerted customers of its DeepSight threat network of the vulnerability.

An Apple spokesman declined to confirm the vulnerability, or, if it was legitimate, when the flaw might be fixed. In an e-mail, he said that "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users. We always welcome feedback on how to improve security on the Mac."

LMH, who didn't immediately reply to several questions sent via e-mail, said on the MoAB site that Apple's Mac OS X operating system was chosen as the target for the month of vulnerabilities because "we like to play with OS X, we enjoy hate e-mail, and it's not as crowded as (random software vendor), yet. Thus, it's really comfortable for research and there's so much to be worked out."

He also said that Apple -- and other vendors whose Mac OS X applications might be the focus of a bug posted during the month's run -- would not be notified in most cases before the information went live, and dismissed that practice. "The point is releasing them without vendor notification. The problem with so-called 'responsible disclosure' is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial. And the reward (automated responses and euphemism-heavy advisories) doesn't pay off in the end."

LMH, Finisterre, and commercial security vendors recommended that users cripple QuickTime's ability to process rtsp:// links. In Windows, launch QuickTime, select Edit|Preferences|QuickTime Preferences, click the File Types tab, expand Streaming, and clear the box marked "RTSP stream descriptor." In Mac OS X, select System Preferences|QuickTime|Advanced|MIME Settings|Streaming|Streaming Movies and clear the "RTSP stream descriptor" box.

Apple's QuickTime was last in the news during December, when a bug in the player was exploited by fraudsters on MySpace. That vulnerability remains unpatched.

LMH expects to see more QuickTime attacks now that his newest flaw has gone public. He said, "It's a matter of time to see this getting abused in the wild."
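The article's mitigation is to switch off QuickTime's rtsp:// handling on each machine. A complementary control at the web-filter or mail-gateway layer is to refuse overlong rtsp:// links before a user can click them. The following is an added example, not code from the article or the MoAB project; the 512-byte threshold, the sample HTML and the function names are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed policy threshold for a filter rule; it is not a limit Apple documents,
# just a conservative ceiling that no legitimate rtsp:// stream URL needs.
RTSP_MAX_URL_LEN = 512

# Match rtsp:// targets in href attributes (quoted or bare).
_HREF_RE = re.compile(r'href\s*=\s*["\']?(rtsp://[^"\'\s>]+)', re.IGNORECASE)

# Constructed sample page content, not taken from the MoAB write-up: one
# ordinary stream link, one unrelated https link, and one rtsp:// link padded
# to the "overlong" shape the article warns about.
SAMPLE_HTML = (
    '<a href="rtsp://media.example.org/news/clip.mov">Watch</a>\n'
    '<a href="https://www.example.org/page">Page</a>\n'
    '<a href="rtsp://media.example.org/' + "A" * 1200 + '">Free movie!</a>\n'
)


def extract_rtsp_links(html):
    """Return every rtsp:// URL referenced by an href in the page text."""
    return _HREF_RE.findall(html)


def inspect_rtsp_link(url, max_len=RTSP_MAX_URL_LEN):
    """Split an rtsp:// URL into its parts and decide whether to block it.

    The verdict is deliberately coarse: block when the whole URL or its path
    exceeds max_len, or when the host part is empty or not hostname-shaped.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if len(url) > max_len:
        reasons.append("total length %d > %d" % (len(url), max_len))
    if len(parts.path) > max_len:
        reasons.append("path length %d > %d" % (len(parts.path), max_len))
    if not host or not re.fullmatch(r"[A-Za-z0-9.\-]+", host):
        reasons.append("host is empty or malformed")
    return {
        "url_len": len(url),
        "host": host,
        "path_len": len(parts.path),
        "blocked": bool(reasons),
        "reasons": reasons,
    }


def filter_page(html, max_len=RTSP_MAX_URL_LEN):
    """Inspect all rtsp:// links in a page; return (allowed, blocked) lists."""
    allowed, blocked = [], []
    for url in extract_rtsp_links(html):
        verdict = inspect_rtsp_link(url, max_len)
        (blocked if verdict["blocked"] else allowed).append((url, verdict))
    return allowed, blocked


if __name__ == "__main__":
    ok, bad = filter_page(SAMPLE_HTML)
    print("allowed:", [u for u, _ in ok])
    for url, v in bad:
        print("blocked:", url[:40] + "...", v["reasons"])
```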


To: Golden Eagle
You are getting far away from the point, which is that a cohesive, easy to manage system describes Mac better than Windows. In fact, you get that cohesiveness at a much more fundamental level, in that the OS maker also provides the hardware, perfectly matched. Apple doesn't have to rely on hundreds of OEMs to hopefully get the hardware/software mix right.

Chicago would have been a better example

Maybe, but Largo is good enough. It's just standard -- you don't need as many people to manage Linux, or probably Mac.

201 posted on 01/06/2007 1:31:55 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 195 | View Replies]

To: Golden Eagle
AntiRepublican and HAL are constantly trying to claim many of the same benefits Apple users enjoy automatically apply to Linux as well, you see them trying to lump the two together constantly.

Since when? The only real thing they have in common is a UNIX-flavored core, which automatically gives them several advantages over Windows. Aside from then being able to use the same UNIX utilities, the differences are quite drastic between OS X and Linux.

202 posted on 01/06/2007 1:36:33 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 182 | View Replies]

To: Golden Eagle; Swordmaker
Stick with the facts, they always win in the end.

ROTFLMAO!!! That is just too funny coming from you.

203 posted on 01/06/2007 1:38:33 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 188 | View Replies]

To: Space Wrangler
Set up a non-administrator account, then deny permission for modifying the registry in the mandatory profile you set up to do day to day tasks on the machine and let your worries end.

You do then run into the problem that in many cases the computer will then be unusable for day-to-day tasks, because so many things in Windows want Administrator. My wife has a simple game that won't even run if you're not Administrator.

204 posted on 01/06/2007 1:51:35 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 193 | View Replies]

To: antiRepublicrat

I guess it's time I remind everyone, you lied, admittedly now on purpose, for months, defending Russian hackers who were cracking Apple's OSX to run on cheap PC's. Yes I exposed it, after months of your charade, which you now claim you did because you thought I wasn't smart enough to find out. But I did, of course, so now you're stuck trying to make jokes about my honesty as a pathetic diversion. Just so everyone knows.


205 posted on 01/06/2007 2:08:03 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 203 | View Replies]

To: antiRepublicrat
You do then run into the problem that in many cases the computer will then be unusable for day-to-day tasks, because so many things in Windows want Administrator. My wife has a simple game that won't even run if you're not Administrator.

In a decade of Sys Admin, I've never seen a program that needed an administrator account to function. I would view with very jaded eyes any program that required such.

206 posted on 01/06/2007 2:30:04 PM PST by Space Wrangler
[ Post Reply | Private Reply | To 204 | View Replies]

To: Golden Eagle
I guess it's time I remind everyone, you lied, admittedly now on purpose, for months, defending Russian hackers

Thanks, I was waiting for that. Are you still bitter over being exposed as a fraud?

Okay, who here is it that keeps that LOOOOONG list of links to GE's past lies, distortions and libel? BTW, you still haven't retracted your libel towards me.

Yes I exposed it, after months of your charade

Please give me that link. I seem to remember finally telling you when I thought the joke had gone on long enough.

207 posted on 01/06/2007 3:01:08 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 205 | View Replies]

To: Space Wrangler
In a decade of Sys Admin, I've never seen a program that needed an administrator account to function.

It wrote to the registry, requiring admin access.

208 posted on 01/06/2007 3:06:57 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 206 | View Replies]

To: Space Wrangler
In a decade of Sys Admin, I've never seen a program that needed an administrator account to function. I would view with very jaded eyes any program that required such.

There are quite a few vertical solution applications that will not run on limited accounts. I work with optometrists, physicians, dentists, and chiropractors... and so far I have found most of the popular medical practice packages for small offices will not run in a limited account, insisting on full administrator mode. This leads to problems with successful attacks on their systems by viruses, ad-ware and spyware.

209 posted on 01/06/2007 3:13:11 PM PST by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)
[ Post Reply | Private Reply | To 206 | View Replies]

To: Crusher138
Since hacking is all about reputation, there is no real incentive to create a virus that will likely never be noticed. Now that Jobs has thrown down the gauntlet, SOME hackers have taken notice, but, trust me, the really talented, nasty, hackers in Eastern Europe and Asia are in it for the bucks, and there ain't no bucks in hacking Macs.

Again we must prove the fallacy of the "Security by Obscurity" myth.

The Market Share you are referring to is only the percentage of ALL computers sold (including dedicated control systems, point-of-sale, workstations, servers, etc.). It is not installed base.

Crusher, there are 25,000,000 OS X users. In the United States, it is about 14-18% of consumer computer users, depending on which survey you select. That is hardly an insignificant number. Virus and spyware have been produced for computers with a far smaller installed base than even 2%. I could list them, but that has been done before. Yet the Mac, with a larger installed base than these has ZERO. Before OS X, with its industrial strength UNIX base, the Mac OS had its share of virulent viruses and malware... with a far smaller installed base. Yet, now, with the larger installed base and a more prominent presence in the market (at least the US market) there are still ZERO malware in the wild for the OS X Mac.

You say that there is no money in hacking Macs. I beg to differ. The average Mac users have more disposable income than the bargain hunting average PC users (various surveys have shown this). Most of those Mac users are operating without anti-virus, anti-adware or anti-spyware software, most of them do not even have their firewalls turned on. To hear PC bigots, Mac users are less sophisticated computer users than Windows users. They should be sitting ducks but no one has come up with malware to attempt to steal their IDs, to find their bank accounts or credit card numbers. Spyware? None. Ad-ware? NONE! Browser Hijackers? NONE!

The gauntlet was thrown down years ago... about six for OS X... and there are still ZERO virus or spyware in the wild for the Mac. If we even accept your 2% worldwide figure (a year out of date) then we should expect to see 2% of the 200,000 plus malware in the wild for the Mac... but it is still ZERO.

Challenges with cash prizes were offered in the past (Let's stress that again for comprehension challenged readers like for-q: IN THE PAST) for hackers who break into a hardened Mac... they went unclaimed. The only reported successful attack on an OS X Mac was when a Swedish hacker, hoping to damage the Mac's reputation challenged crackers to "rm-my-Mac" and it was compromised in under 30 minutes! But then it was learned he gave everyone who wanted to try a LOCAL account, turned off all of the built in protections, turned on ALL ports, activated ROOT, and used a weak password for his administrator and root accounts. Immediately following the Swedish hoax attempt, the IT manager for the University of Wisconsin made his own challenge by placing an out of the box Mac Mini on the web as a server and challenged people to break in. 36 hours and thousands of attempts later, the university pulled the plug on the contest because of bandwidth usage... but the Mac Mini was unscathed.

Another publicized break-in of a Mac was the infamous WiFi break-in in under 60 seconds by Maynor and Ellch at last summer's Black Hat conference in Las Vegas. That, too, has been exposed as a hoax... they used a 3rd party WiFi card and pre-prepared the Macbook. They have been challenged to break into an out of the box, brand new Macbook by John Gruber of Daring Fireball... if they do it, they get the new Macbook. Gruber still has his Macbook.

The real reason the Mac is more secure than Windows is not "security by obscurity" but an operating system architecture that was built with security and multiple users in mind.

210 posted on 01/06/2007 3:51:29 PM PST by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)
[ Post Reply | Private Reply | To 155 | View Replies]

To: antiRepublicrat
It wrote to the registry, requiring admin access.

During install I'm sure it did... as will any other program. If it won't simply run without administrator access, or worse yet, writes to the registry as a matter of normal operation then I'd chunk it.

211 posted on 01/06/2007 3:56:17 PM PST by Space Wrangler
[ Post Reply | Private Reply | To 208 | View Replies]

To: antiRepublicrat
list of links to GE's past lies

Who, your blasphemous buddy "FLAMING DEATH"? Hopefully he will post his list, so everyone can see what a ridiculous liar he is too. It's too bad you can't honestly debate like others, but since you're willing to lie to defend things like Russian hackers, there is no limit. Your buddy FLAMING DEATH even claims Multics was invented by a Russian, LOL you'll probably try to blame that one on me too.

212 posted on 01/06/2007 6:16:14 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 207 | View Replies]

To: Space Wrangler
If it won't simply run without administrator access, or worse yet, writes to the registry as a matter of normal operation then I'd chunk it.

Not my choice. But I did win in another way over the constant messing with the registry -- I made her a VM to play the games on, so when things get mucked up I simply delete the virtual hard drive and copy the original one over again.

But a simpler way to explain this is in automatic updates. You have to be admin in Windows for them to work. In Mac, you're just told to type in the admin password so the updates can install. It's simply a great thing about UNIX that you almost never need to run in root (=Windows Administrator). I know Microsoft tried to fix this in Vista, but somewhere along the way it went horribly wrong.

213 posted on 01/06/2007 7:30:19 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 211 | View Replies]

To: Golden Eagle
Hopefully he will post his list, so everyone can see what a ridiculous liar he is too.

I don't think you want that list posted. Remember, it includes things like you saying that Stallman wants all patent laws overturned, you saying he's against "IP" when according to his own statements he isn't, and in fact relies on "IP" to protect his own works. Sorry GE, but the list of your provable lies is long, so you shouldn't speak on the subject of truth.

214 posted on 01/06/2007 7:32:33 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 212 | View Replies]

To: All

215 posted on 01/06/2007 7:33:38 PM PST by MikefromOhio (Go Bucks!!!!)
[ Post Reply | Private Reply | To 214 | View Replies]

To: Golden Eagle

BTW, still waiting for the link where you discovered my ruse on your own.

Still waiting....

and waiting...

.
.
.


216 posted on 01/06/2007 7:36:26 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 212 | View Replies]

To: antiRepublicrat
you saying that Stallman wants all patent laws overturned, you saying he's against "IP" when according to his own statements he isn't, and in fact relies on "IP" to protect his own works.

LMAO, so your excuse for purposefully lying for months in defense of Russian hackers is your supposedly noble defense of Green Party leftist Richard Stallman, he of his own "manifesto" which advocates an actual "software tax" and his theories of "copyLEFT" vs. normal "copyright". Keep it up, this is a great confession, something we know from your other admissions you're not normally familiar with.

217 posted on 01/06/2007 8:44:17 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 214 | View Replies]

To: Swordmaker

We have several medical facilities on the slate for 1Q, so I'll keep an eye out for that sort of thing. HIPAA should be bringing that practice to a close though. I've seen a few of the programs that you are referring to in my Sys Admin days making calls to doctors offices and such, and judging by the amateurish quality that I witnessed, I don't doubt what you say at all. Most of my experience has been with large Enterprise type programs, and had they required administrator access to operate they never would have made it past a cursory look.


218 posted on 01/06/2007 9:20:03 PM PST by Space Wrangler
[ Post Reply | Private Reply | To 209 | View Replies]

To: Space Wrangler
large Enterprise type programs, and had they required administrator access to operate they never would have made it past a cursory look.

There I agree. However, most small medical practices are using software that "just growed" from an old DOS base. Some is still running in a DOS window. Others have been Windowfied... but poorly and won't work in anything below administrator. Try and get the doctors to spend the money to switch their entire offices over to something more modern. The cost is not just the package but data conversion for thousands of patients, learning curve and training time for staff and doctors, converting billing forms and often reminder notices, etc.

One popular Chiropractic package stores all of the Patient files directories in the server's root directory. Can't change it. Dumb. All workstations have to have admin rights to the server. Dumber.

Quickbooks, the most popular small business accounting package until recently would not work in anything but administrator or Power User mode. With 2007, they took a step backwards and require admin rights in Windows except in Vista unless you have an upgraded extra-cost Multi-user install. They'll probably fix it fairly quickly. HP's all-in-one Printer driver requires Admin rights to work... they say they are working on it. Stamps.com requires Admin rights. Photoshop Elements changes the folder it installed into to Full Administrator level access... and all subfolders in that folder. Don't want to put this in your Windows/Programs files. Apple bad: apparently iTunes requires Admin. There are a lot more.

219 posted on 01/06/2007 10:01:50 PM PST by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)
[ Post Reply | Private Reply | To 218 | View Replies]

To: Space Wrangler
HIPAA should be bringing that practice to a close though.

The HIPAA laws have some doctors going crazy. An enterprising entrepreneur went through my area and sold a lot of medical offices little HIPAA security shutters to mount on all their computer monitors... the staff were supposed to close the shutters whenever they left their workstations. Ridiculous. I just set up my clients with a screen saver that comes on after no activity for a specific period and requires a password to clear. Much cheaper (The shutters were $49 per workstation for 15" and $79 for 17"). A local MRI lab bought about 40 of these shutter pairs.

For a lot of the med offices, I just pointed out that reading the small print on their screens from public access areas would require binoculars... and added that there are only six HIPAA inspectors for the entire State of California, all of them in Southern California.

220 posted on 01/06/2007 10:13:14 PM PST by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)
[ Post Reply | Private Reply | To 218 | View Replies]

