Mac, Windows QuickTime Flaw Opens 'Month Of Apple Bugs'

Information Week ^ | Jan 2, 2007 03:04 PM | Gregg Keizer

[newgeezer]

The exploit could be used by attackers to compromise, hijack, or infect computers running either Windows or Mac OS X.

The Month of Apple Bugs project kicked off Monday by posting a zero-day vulnerability in Apple's QuickTime media player. It also posted an exploit that could be used by attackers to compromise, hijack, or infect computers running either Windows or Mac OS X.

The Month of Apple Bugs (MoAB), which will announce a new security vulnerability in Apple's operating system or other Mac OS X software each day in January, is a follow-on to November's "Month of Kernel Bugs" campaign, and is co-hosted by that project's poster, a hacker who goes by the initials "LMH," and a partner, Kevin Finisterre, a researcher who has posted numerous Mac vulnerabilities and analyses on his own site.

The debut vulnerability is in QuickTime 7's parsing of RTSP (RealTime Streaming Protocol); the protocol is used to transmit streaming audio, video, and 3-D animation over the Web. Users duped into clicking on an overlong rtsp:// link could find their PCs or Macs compromised. It also may be possible to automatically trigger an attack simply by enticing users to a malicious Web site.

"Exploitation of this issue is trivial," said LMH in the vulnerability's write-up on the MoAB Web site. The associated exploit code has been tested on Mac OS X running on Intel-based systems, and works against QuickTime 7.1.3, the current version of the player, LMH and Finisterre said.

Other security researchers rang alarms Tuesday. Danish vulnerability tracker Secunia, for example, pegged the bug as "highly critical," the second-from-the-top threat in its five-step score, and Symantec alerted customers of its DeepSight threat network of the vulnerability.

An Apple spokesman declined to confirm the vulnerability, or, if it was legitimate, when the flaw might be fixed. In an e-mail, he said that "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users. We always welcome feedback on how to improve security on the Mac."

LMH, who didn't immediately reply to several questions sent via e-mail, said on the MoAB site that Apple's Mac OS X operating system was chosen as the target for the month of vulnerabilities because "we like to play with OS X, we enjoy hate e-mail, and it's not as crowded as (random software vendor), yet. Thus, it's really comfortable for research and there's so much to be worked out."

He also said that Apple -- and other vendors whose Mac OS X applications might be the focus of a bug posted during the month's run -- would not be notified in most cases before the information went live, and dismissed that practice. "The point is releasing them without vendor notification. The problem with so-called 'responsible disclosure' is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial. And the reward (automated responses and euphemism-heavy advisories) doesn't pay off in the end."

LMH, Finisterre, and commercial security vendors recommended that users cripple QuickTime's ability to process rtsp:// links. In Windows, launch QuickTime, select Edit|Preferences|QuickTime Preferences, click the File Types tab, expand Streaming, and clear the box marked "RTSP stream descriptor." In Mac OS X, select System Preferences|QuickTime|Advanced|MIME Settings|Streaming|Streaming Movies and clear the "RTSP stream descriptor" box.

Apple's QuickTime was last in the news during December, when a bug in the player was exploited by fraudsters on MySpace. That vulnerability remains unpatched.

LMH expects to see more QuickTime attacks now that his newest flaw has gone public. He said, "It's a matter of time to see this getting abused in the wild."

[antiRepublicrat]

He says he was trying to trap you (evidently over several month period).

Look at the thread he linked to. There you can see another example of me trapping him, leading him long enough to make himself look bad. I finished that trap within the thread, citing applicable federal law to counter his claim once I was finally able to nail him down to a definitive statement (that was the hard part). I admit I did let the nmap one run quite a bit longer though. So you see a pattern of behavior, not of lies, but of trapping GE in his own ignorance.

Based on the fact that I've seen GE admit when he was mistaken in the past

We who have played with him for a while have seen it only once, after several of us forced him, and then it was only a politician-style semi-retraction.

When caught he admits to the lie but claims it was to trick you.

At the very worst it would have been my ignorance in seeing the name Fyodor and automatically believing he was Russian. People do make mistakes. However, I was the one who gave up the truth on my own volition, so you couldn't exactly call it a lie in the end. It was simply stringing along someone, playing to his paranoia. I admit it wasn't very nice, but by then I was fed up by GE's lies, distortions and libel.

[N3WBI3]

The FReeper you are referring to doesn't mind being referred to as a hacker, in fact his screen name is based on hacker symbology.

I mind being referred to as a hacker when it drips with the iml;ication that by going to my site I am going to hack your box.

Any links from him are obviously suspect,

Because my screen name is n3wbi3? you have to be kidding me! I have something for you..

just because you worship foreign hackers doesn't mean the rest of us should ever trust links from them.

(a) I'm not foreign, (b) I am not a cracker I am a white hat hacker and a n3wbi3 one at that. More people on FR know who I really am and what I am all about than can be counted as having a clue who you are.

[antiRepublicrat]

Of course, I also knew about Fyodor

BTW, I never thanked you and other FReepers for not giving it up (one FReepmailed privately). A big belated thank you.

[antiRepublicrat]

Apologies for lack of ping on 241.

[Golden Eagle]

He truly is despicable.

Obviously, the first thread or one of the first threads he ever created here, he changed the title of the article to "Democrats ahead of Republicans on" something or other. Of course when confronted with that recently he denied it until I linked it, nothing he says is believeable, it's all in defense of leftist BS anyway.

[for-q-clinton]

I admit it wasn't very nice, but by then I was fed up by GE's lies, distortions and libel

So are you lying now or were you lying then?

BTW: You don't win an argument with a liar by lying. And I haven't seen where GE has deliberately lied as you have admitted to doing. Sure people make mistakes or are misinformed. Like the many of people that read your thread who have followed you and believe your posts to be true. By your lying how much of that lie has influenced others to pass misinformation? Lying never wins and is only used as a tactic by losers.

As I said it's one thing to post false info and then quickly fix it once the bait is either taken or not. But to let it go for months is malicious and shows at best your poor character and at worst your Bill Clinton nature to lie to cover your arse.

[for-q-clinton]

I think we should refer to Anti-R as "Miss Information" (If you're a South Park fan you'll know its roots).

[N3WBI3]

Sorry but Miss Information goes back to histeria for its roots 1999 not the south park episode which aired in 2000. I actually think I remember it from animaniacs but can find no solid reference of that..

[N3WBI3]

In fact N3WBI3 left FR for 1 month because he lost the bet we had (loser had to leave for 1 month).

This had nothing to do with mac's or security. You said that Internet Explorer was a perfect application adn windows was without error.

If your going to lie about something I was involved in *please* do ping me to it..

[antiRepublicrat]

To lie for months to try and trick someone into saying something isn't an honest way to do business

I didn't trick him. His earlier unsupported claim was about "Defending criminal Russian hackers." I asked him to back it up. As you'll notice, he went ranting about violations of US law with no support for his claim that their actions were criminal. Now given his prior history of trying to weasel out when caught making unsupported claims, I tried to make sure he stated it (with its obvious in-context meaning) in a way that left him no room to weasel. I got close, he finally said "I already said of course." to the question "Was it criminal?" He fed himself the rope, not my problem.

As you've read earlier in this thread and that one, others got it. That's because they've been following GE's antics for a very long time and understand the context. You haven't been following and therefore do not know the context, which is why you are supporting GE.

It's one thing to say something wrong...to lay the bait but if it's not taking up shortly you must correct the record.

I admitted it wasn't nice, but then everyone else got it and were just watching the show. GE is the only victim, but a victim of his own ignorance. If he was what he claimed, he would have called me on it, and I would have admitted immediately. Alternately, he could have admitted he didn't know, and I would have told him everything. But if you watch the history you will just see a series of rants.

I think I'm done wasting time with him. I'll just bookmark this http://www.freerepublic.com/focus/f-chat/1724347/posts?page=148#148

Notice the exclamation marks? If you look at my posting history, that's called sarcasm.

You want a very simple example of GE in action? In the "Does Clinton do Linux?" thread, GE makes a case against Linux as being American technology going to foreigners (but then claims Linux is foreign, but that's a different subject) because of the license, yet gives BSD, with an even more liberal license, a free pass on the issue. We tried to resolve this difference, and GE settled on that foreigners aren't taking BSD to use as their own, and that BSD supposedly doesn't scale to multiprocessors very well.

I showed that several foreign versions of BSD exist (here). Someone else linked to an article showing how BSD was scaling well on hundreds of processors. Now follow the thread and notice he never admits he was proven wrong, instead using misdirection and ad hominem attacks.

As a comic aside there, he berated us for mocking and denigrating the Westboro Baptist Church. He actually defended that cult -- can you believe it? But if you read further, he probably did that out of ignorance, too.

Hold it, I must admit I broke a promise. Long ago I promised not to call GE ignorant anymore, because ignorant simply means not knowing. Ignorance can be easily cured with facts, but there is no known cure for what ails GE. Yes, I admit I started using the word "ignorant" again.

I do have to wonder whether you are just GE posting under a different nick.

[Golden Eagle]

What a scumbag. Now he's trying to blame me for his lies defending Russian hackers who pirate US software. Lies he perpetrated for months.

[ShadowAce]

Lies he perpetrated for months.

Perhaps, since you obviously know SOOOO much about the subject, you should've called him on it the very first post, hmmm?

[for-q-clinton]

True, I remember the animanics using that joke as well. But SP is what I was thinking of when I typed it. either way...it all works for describing Anti-R

[for-q-clinton]

This had nothing to do with mac's or security. You said that Internet Explorer was a perfect application adn windows was without error.

If your going to lie about something I was involved in *please* do ping me to it..

That's what started it; however, I *believe* the bet was for me to find an exploit on a Mac out-of-the-box that one could exploit against a mom/grandma type user.

Don't stoop to Miss Information levels and level baseless charges of lying. Give a link if you say I'm "Lying".

Also I DID ping you to this thread early on and you never came until Miss Information needed some help.

[for-q-clinton]

but then everyone else got it and were just watching the show

I find that highly unlikely. It's more like those that agree with you got it. But to innocent lurkers you completely fed them a load of crap...hence I will now refer to you as Miss Information.

[for-q-clinton]

Perhaps, since you obviously know SOOOO much about the subject, you should've called him on it the very first post, hmmm?

Wow you all will stoop to the lowest level to try and win an argument. Even defend a known/proven liar. And if you knew he was lying and stood idly by you are also complicate in this charade of lying. To allow fellow conservatives to be fed garbage and allow them to make fools of themselves when/if they bring your false info forward is just WRONG. I don't care if it was bait...it was allowed to go on WAY to long and should have been corrected after GEs first or second resopnse (regardless whether it trapped him or not). If you want to post false info go to DUmmies. FR is about conservative ideals and thoughts...which at its core is the TRUTH!

[antiRepublicrat]

But to innocent lurkers you completely fed them a load of crap

Lurkers are supposed to lurk long enough to understand the whole picture before posting on the subject. Those who do not do that often suffer from foot-in-mouth disease. You must be GE's account clone*, because no reasonable person can see the evidence I just gave and think GE is some kind of maven of truth. His own links show his misbehavior.

* That's why I'm not pinging GE on this anymore. It's probably going to the same person anyway.

BTW, Swordmaker and I do not always agree.

[Golden Eagle]

Westboro Baptist Church...he actuallly defended that cult

More of his lies, of course. He and his hell-bound buddy FLAMING DEATH accused me of being in some cult I had never even heard of, nothing surprising just more of his lies trying to smear me and Christians all at the same time.

[for-q-clinton]

Perhaps, since you obviously know SOOOO much about the subject, you should've called him on it the very first post, hmmm?

This post is so full of BS it requires 2 responses from me.

Since when does everyone know everything and enough to expose/prove a lie. It appears GE made the mistake of trusting Miss Information (Anti-R). I'm sure that's a mistake he regrets and won't make again. Besides even if you're right I'm not sure what it proves. Often in my daily work where I'm an expert if someone says X happened I take them at face value and unless I have first hand knowledge that it is incorrect.

Example, If I tell you TCP stands for "Total Control Protocol" you'd quickly correct me because you clearly know the true meaning of TCP. However, if I told you that the the reason that we refer to a bug as "bug" is because On the 9th of September, 1945, when a computer was experiencing problems, an investigation showed that there was a cockroach trapped between the points of Transistor #70, in Panel E.

And if you are vaguely familiar with the first bug, you'd agree with the said statement even though it has manu incorrect items in it. For exmaple it was a moth and it was a relay not a transister. And finally it was Panel E.

See the difference?

[for-q-clinton]

Don't worry about it...he even accused me of actually being you!