Posted on 01/03/2007 11:04:31 AM PST by newgeezer
The Month of Apple Bugs project kicked off Monday by posting a zero-day vulnerability in Apple's QuickTime media player. It also posted an exploit that could be used by attackers to compromise, hijack, or infect computers running either Windows or Mac OS X.
The Month of Apple Bugs (MoAB), which will announce a new security vulnerability in Apple's operating system or other Mac OS X software each day in January, is a follow-on to November's "Month of Kernel Bugs" campaign, and is co-hosted by that project's poster, a hacker who goes by the initials "LMH," and a partner, Kevin Finisterre, a researcher who has posted numerous Mac vulnerabilities and analyses on his own site.
The debut vulnerability is in QuickTime 7's parsing of RTSP (RealTime Streaming Protocol); the protocol is used to transmit streaming audio, video, and 3-D animation over the Web. Users duped into clicking on an overlong rtsp:// link could find their PCs or Macs compromised. It also may be possible to automatically trigger an attack simply by enticing users to a malicious Web site.
"Exploitation of this issue is trivial," said LMH in the vulnerability's write-up on the MoAB Web site. The associated exploit code has been tested on Mac OS X running on Intel-based systems, and works against QuickTime 7.1.3, the current version of the player, LMH and Finisterre said.
Other security researchers rang alarms Tuesday. Danish vulnerability tracker Secunia, for example, pegged the bug as "highly critical," the second-from-the-top threat in its five-step score, and Symantec alerted customers of its DeepSight threat network of the vulnerability.
An Apple spokesman declined to confirm the vulnerability, or, if it was legitimate, when the flaw might be fixed. In an e-mail, he said that "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users. We always welcome feedback on how to improve security on the Mac."
LMH, who didn't immediately reply to several questions sent via e-mail, said on the MoAB site that Apple's Mac OS X operating system was chosen as the target for the month of vulnerabilities because "we like to play with OS X, we enjoy hate e-mail, and it's not as crowded as (random software vendor), yet. Thus, it's really comfortable for research and there's so much to be worked out."
He also said that Apple -- and other vendors whose Mac OS X applications might be the focus of a bug posted during the month's run -- would not be notified in most cases before the information went live, and dismissed that practice. "The point is releasing them without vendor notification. The problem with so-called 'responsible disclosure' is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial. And the reward (automated responses and euphemism-heavy advisories) doesn't pay off in the end."
LMH, Finisterre, and commercial security vendors recommended that users cripple QuickTime's ability to process rtsp:// links. In Windows, launch QuickTime, select Edit|Preferences|QuickTime Preferences, click the File Types tab, expand Streaming, and clear the box marked "RTSP stream descriptor." In Mac OS X, select System Preferences|QuickTime|Advanced|MIME Settings|Streaming|Streaming Movies and clear the "RTSP stream descriptor" box.
Apple's QuickTime was last in the news during December, when a bug in the player was exploited by fraudsters on MySpace. That vulnerability remains unpatched.
LMH expects to see more QuickTime attacks now that his newest flaw has gone public. He said, "It's a matter of time to see this getting abused in the wild."
So according to the admitted liar, Apple wasn't justified in sending the threatening letter. They couldn't have possibly suffered any damages, and there is no chance any of the Russian hackers could have been criminally charged. It was all BS by Apple, that is your latest defense of the Russian hackers, correct?
l33t doesn't mean "hacker"
this coming from the same dude who seems to equate anything with Linux or *BSD as Communist, and open source software with RMS...
They were completely justified, but C&Ds usually go way over the top in their threats, because that's their purpose -- to threaten.
They couldn't have possibly suffered any damages
They possibly could have, which is why they would sue for damages.
there is no chance any of the Russian hackers could have been criminally charged
You haven't proven the proper conditions exist according to the information in the article.
He did actually get your name right. So give him credit for basic reading skills, even if he does exhibit a total lack of comprehension.
I am! I'm always digging into my software and hardware to learn more about how it works, tweaking it if possible to make it better. Hacking is a great thing that made computing as we know it possible, raising a generation of competent programmers and hardware designers. IMHO the Woz, creator of the hardware and software for the original Apple I and II, was the ultimate hacker.
Oh, you were maybe suffering from the common layman perception of what a hacker is? I would expect that from you.
That's wrong. IIRC, he gives BSD a break even though it has a license that's even more permissive for commie use than the GPL. Boy, did he rack up the lies the last time we caught him on that.
good point--never thought about it that way...
in that regard, then i be a hacker as well...
i've been out of the loop quite a bit--as of the last time i was actively involved he was attacking BSD.
but if he stopped, then that's certainly a good thing 8^)
Why else would someone put 3's in their username? You're studying to be a defense lawyer? ROFL.
Obviuosly as am I then. Apple refers to the actions of the hackers as likely criminal and so do I. You can oppose Apple and I on this issue if you want, as we already know you're willing to lie for months on end in defense of the Russian hackers, but don'y try to claim I'm not justified in cqlling them criminal when Apple has officially threatened them with criminal liabilty as well. Take it up with Apple's legal counsel if change your mind that we are not justified, which you probably will LOL.
apparently, the concept of people using numbers or other characters in their screennames is lost on you?
so what if n3wbi3 uses two threes instead of the letter e in his SN? what difference does it make?
It's a screen name. Do you not have anything better to worry about than someone's screen name on an online politics forum?
seriesly, Iggle. Get a life.
You still haven't shown a single time I purposefully lied, anywhere, while you're on record admitting you lied purposefully for months in defense of criminal Russian hackers, along with all the countless lies you've racked up on this thread now trying to deny it.
Sounds like a lie to me, BSD is an American product I usually support verses the foreign clone Linux. You must be referring to when I busted you for claiming Microsoft "lifted" BSD code for Windows, when I gave a link to a BSD site admin indicating they hadn't. Lies lies lies, got anything else?
You're the one trying to claim it couldn't possibly mean he is or supports hackers. Still don't have a reasonable explantion yet, the best you've mumbled so far is "everybody does it" LOL with no proof of that either.
#298. You later tried to claim mistake on one, and I will actually let that slide. However, there are two other factual, proven, documented lies addressed in that post that you didn't admit mistake on, and now it's too late for that. That post also records you blatantly taking my words out of context in order to libel me. The proof is right there, with links to posts I found in YOUR reference. Yes, YOUR reference, so YOU are expected to know what's in it. Ignorance is not an excuse.
Being an admitted liar, you're simply not believable, especially when you don't quantify what you're talking about. Probably because most every time you try to claim I lied it simply ends up being more lies of your own LOL.
As with the Stallman/patent incident, you now start quietly tempering your words once you lose. "Likely" makes it a tempered statement, not the absolute claim of criminal you earlier made. "May be" would be still a better addition to your claim, since, while there is ZERO evidence in the article that meets the criteria for a criminal case, it is still possible that they do meet the criteria. But it's still not mentioned, so you have to fabricate "facts" in order to be able to call them criminal.
Apple has officially threatened them with criminal liabilty as well.
They usually do, even when the criteria for criminal punishment have not been met. Notice Apple said "may" be criminal. But that "may" is conditional upon facts simply not present.
No like Apple I simply take the side that they are peforming illegal activities and are subject to criminal and civil liability for those actions.
You on the other hand, take the side of the Russian hackers, and have gone so far as to knowingly and purposefully lie in their defense, even claiming Russian hackers wrote software for our DoD which was a lie you admit you knew was a lie when you posted it.
This is about when you slammed Linux for its open source code enabling the Chinese to have American technology for free (remember "for free," it's important). Yet BSD, with its even more permissive license, gets a pass from you.
And Microsoft did "lift" BSD code. Here's the story: Early in NT, Microsoft was still using Netbeui, but they wanted to add TCP/IP. Unfortunately, the user mode API (Netbios) couldn't easily be changed to handle TCP/IP. So they bought a TCP/IP stack from Spider Systems (that included some utility programs) and wrote the winsock API for it.
Since Spider's stack depended on STREAMS, which Microsoft didn't need, this was considered a temporary measure until Microsoft could write their own stack, which they did in time for shipping with NT 3.5.
And Spider's stack was based on the BSD stack. Simple proof (which you have seen before) is in the supporting programs that Microsoft never bothered to replace from scratch. Just look for "Copyright (c) 1983 The Regents of the University of California" buried within c:\Windows\System32\ftp.exe, rcp.exe and rsh.exe. Yes, the copyright date is the same for all of them.
Now normally this would be completely legal due to the BSD license if Spider and Microsoft kept the credits in the stack as they did in those programs. There's no reason to think they didn't.
The only real value this trivia question has is that when Microsoft goes on an anti-OSS campaign you can say "But you yourself use open source and benefit from it."
According to Apple's words, they "may be" subject, not "are" subject. Unfortunately, your claim that they "are" criminal has no basis. You made up the facts that would have them be criminal.
even claiming Russian hackers wrote software for our DoD which was a lie you admit you knew was a lie when you posted it.
Being shown for the fool and fraud you are is really burning you up, isn't it?
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.