Posted on 01/03/2007 11:04:31 AM PST by newgeezer
The Month of Apple Bugs project kicked off Monday by posting a zero-day vulnerability in Apple's QuickTime media player. It also posted an exploit that could be used by attackers to compromise, hijack, or infect computers running either Windows or Mac OS X.
The Month of Apple Bugs (MoAB), which will announce a new security vulnerability in Apple's operating system or other Mac OS X software each day in January, is a follow-on to November's "Month of Kernel Bugs" campaign, and is co-hosted by that project's poster, a hacker who goes by the initials "LMH," and a partner, Kevin Finisterre, a researcher who has posted numerous Mac vulnerabilities and analyses on his own site.
The debut vulnerability is in QuickTime 7's parsing of RTSP (RealTime Streaming Protocol); the protocol is used to transmit streaming audio, video, and 3-D animation over the Web. Users duped into clicking on an overlong rtsp:// link could find their PCs or Macs compromised. It also may be possible to automatically trigger an attack simply by enticing users to a malicious Web site.
"Exploitation of this issue is trivial," said LMH in the vulnerability's write-up on the MoAB Web site. The associated exploit code has been tested on Mac OS X running on Intel-based systems, and works against QuickTime 7.1.3, the current version of the player, LMH and Finisterre said.
Other security researchers rang alarms Tuesday. Danish vulnerability tracker Secunia, for example, pegged the bug as "highly critical," the second-from-the-top threat in its five-step score, and Symantec alerted customers of its DeepSight threat network of the vulnerability.
An Apple spokesman declined to confirm the vulnerability, or, if it was legitimate, when the flaw might be fixed. In an e-mail, he said that "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users. We always welcome feedback on how to improve security on the Mac."
LMH, who didn't immediately reply to several questions sent via e-mail, said on the MoAB site that Apple's Mac OS X operating system was chosen as the target for the month of vulnerabilities because "we like to play with OS X, we enjoy hate e-mail, and it's not as crowded as (random software vendor), yet. Thus, it's really comfortable for research and there's so much to be worked out."
He also said that Apple -- and other vendors whose Mac OS X applications might be the focus of a bug posted during the month's run -- would not be notified in most cases before the information went live, and dismissed that practice. "The point is releasing them without vendor notification. The problem with so-called 'responsible disclosure' is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial. And the reward (automated responses and euphemism-heavy advisories) doesn't pay off in the end."
LMH, Finisterre, and commercial security vendors recommended that users cripple QuickTime's ability to process rtsp:// links. In Windows, launch QuickTime, select Edit|Preferences|QuickTime Preferences, click the File Types tab, expand Streaming, and clear the box marked "RTSP stream descriptor." In Mac OS X, select System Preferences|QuickTime|Advanced|MIME Settings|Streaming|Streaming Movies and clear the "RTSP stream descriptor" box.
Apple's QuickTime was last in the news during December, when a bug in the player was exploited by fraudsters on MySpace. That vulnerability remains unpatched.
LMH expects to see more QuickTime attacks now that his newest flaw has gone public. He said, "It's a matter of time to see this getting abused in the wild."
LOL you haven't "caught" me on anything, you simply continued your endless defense of the Russian hackers just as you are doing now. Copyright infringement can obviously be criminal, if the value estimated to be lost reaches certain levels, and giving ways for OSX to be cracked internationally could certainly qualify. Just because these guys haven't been extradited to the US doesn't mean their activity isn't criminal, we know you're going to defend them even with lies to your last dying breath LOL but to claim facilitating mass copyright infringement can't be criminal is absurd, and just the sort of BS you're known for.
There we go, that's the list. It would take hours to go through them all.
Yes, it was.
Thanks for admitting, again, that you lie on purpose, "for fun" in addition to trying to protect criminal Russian hackers. Just not your day is it LOL.
got that other one handy by chance?
"Just because these guys haven't been extradited to the US doesn't mean their activity isn't criminal..."
Ahh...yes. Guilty until proven innocent...the cornerstone upon which societies like China are built.
Good to see again where your loyalties lie...
Let's review your stance again...
-Guilty until proven innocent.
-Knee-jerk support for Westboro Baptist Church.
-Defense of Planned Parenthood.
-Defense of UN laws for the US.
-Dilbert is Satanism because it uses the word "demons"
-Star of David is a symbol of the occult
-Waterfront property with former beauty queen (!)
-Asians bad
-Chooses to wager his money on frivolous bets designed to stroke own ego instead of maybe using that money to tithe the chruch of his choice, while calling me a blasphemer and condemning me to hell.
I think this pretty much sums it up, doesn't it?
That's for distribution of copyrighted works of a value in excess of the statutory amount. You're barking up the wrong legal tree here, as there is no evidence they distributed even one copy of OS X. The only way you can get close to criminality is by looking to a different aspect of copyright law, and you haven't provided evidence that could even bring that into relevance in this case.
When are you going to get it through your skull that I'm not defending hackers, but debating points of law? Look at my history, I love to debate law. You called them criminal, and I objected to that as a matter of law, not as a matter of defending anyone -- besides, the huge civil penalties possible under copyright law can make one wish he could have just gotten some time in jail instead.
You're welcome. So what's worse, somebody who admits to a ruse, or somebody who perpetrates lies and refuses to recant long after being caught?
Where's the troll scorecard? Did the owner add rants against Russians to that or is it still just China?
Another obvious lie, endlessly looking for legal loopholes for criminal Russian hackers is definitely defending them. Having your hell bound buddy FLAMING DEATH post more obvious lies isn't helping you either, LOL.
Yes, we know, you and the flaming dude from hell make defending both Russians and Chinese your formost objective. If they're commies, they can always count on you two to stir up as much BS as possible in their defense, LOL. As you've now admitted to, even lying on their behalf, for months at a time.
Another lie, of course, you obviously can't even post without creating more and more lies in your defense of criminals. You can easily be criminally prosecuted for cracking software, even if you don't distribute anything other than the crack itself. Here's a case against Russian hackers from 2002, where criminal charges were filed against Russian hackers, simply for cracking the password mechanism:
These are the kinds of scumbags you defend, with lies you tried to perpetrate for months, which you have now admitted to and claim were "fun". That makes you equal if not even lower than the Russian scumbags, of course, especially since you still are trying to defend them now with more lies.
"...flaming dude from hell".
"...your hell bound buddy, FLAMING DEATH..."
Pfft! Some Christian!
Isn't there some gambling you could be doing somewhere else, hypocrite?
"Having your hell bound buddy FLAMING DEATH post more obvious lies isn't helping you either, LOL."
He does realize those things he's calling "lies" are his own words, linked to directly, just as he said them?
He DOES realize that, right?
Seems odd to me that he calls links to his own posts "lies". Or, maybe he's just finally telling the truth?
Most every one of your posts are lies, as I've shown countlessly on other threads. Just like antiRepublican here, you can't come up with one (1, single, uno) actual lie that I made purposefully. I may have mispoken, but if I did it was only in defense of God and Country. You boys on the other hand, have admitted to making up lies on purpose, and your causes are not noble as are mine, your causes are always in defense of some leftist or foreign hacker/cracker. Which is why you attack me, of course, because I stand against such evil purposes. And you will continue to suffer, under my light, so long as you show your despicable face.
You're getting close, and now at least unknowingly you're referring to the right law, but you fail to spot the crucial difference between the cases.
And, despite your representation, the "hackers" in question were a Russian software company producing a product that is absolutely legal almost everywhere in the world. It is also a product that the FBI itself bought and used. Here's an exchange from the trial:
"Do you sell your software in Russia?" Burton asked.Yes, we were prosecuting for writing a program that is a favorite of our law enforcement itself. Oh, the irony!"Yes." Vladimir said. "We sell it on the Internet to all countries."
"Are there customers of your software that are in law enforcement?" Burton asked.
"Yes." Vladimir said.
"Can you give me an example of a customer?" Burton asked.
"Police Departments, FBI, IRS." Vladimir said.
"Police Departments, the FBI and the IRS are customers of yours?" Burton asked.
"Yes. They are purchasers of our programs." Vladimir said.
"Is the U.S. Department of Justice a customer?" Burton asked.
"Yes. We receive orders from them about once a month from different states." Vladimir replied.
"Are there state agencies that are customers of your software?" Burton asked.
"Yes." Vladimir said.
"Do District Attorneys purchase your products?" Burton asked.
"Yes." Vladimir said.
"Are there private companies?" Burton asked.
"Yes." Vladimir replied. "Adobe, Microsoft, Motorola, Siemens..."
"Adobe is one of your customers?" Burton asked, emphasizing Adobe ever so slightly as he said it.
"Yes." Vladimir said.
It's not about loopholes. It's about the law. It's about the proper legal venue for going after bad people.
No, no. Not Apple. It cures male pattern baldness and even backdates stock options for you.
You have GOT to be kidding me!
And you will continue to suffer, under my light, so long as you show your despicable face.
Now you say mistakes, but you never retracted until a long time after the fact when you were backed into a corner. If they were honest mistakes, and you were an honest person, you would have admitted the mistakes immediately. But of course you didn't.
And there is NO weaseling, claim of mistake, possible for your intentional distortion of my post with the intent to make it look like I was saying something other than what I said in its context.
Here's a bit of GE conversation in the manner that you like to quote me:
I, Golden Eagle, had sex with a goat, you say? I most certainly did not!
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.