Posted on 01/03/2007 11:04:31 AM PST by newgeezer
The Month of Apple Bugs project kicked off Monday by posting a zero-day vulnerability in Apple's QuickTime media player. It also posted an exploit that could be used by attackers to compromise, hijack, or infect computers running either Windows or Mac OS X.
The Month of Apple Bugs (MoAB), which will announce a new security vulnerability in Apple's operating system or other Mac OS X software each day in January, is a follow-on to November's "Month of Kernel Bugs" campaign, and is co-hosted by that project's poster, a hacker who goes by the initials "LMH," and a partner, Kevin Finisterre, a researcher who has posted numerous Mac vulnerabilities and analyses on his own site.
The debut vulnerability is in QuickTime 7's parsing of RTSP (Real Time Streaming Protocol) URLs; the protocol is used to transmit streaming audio, video, and 3-D animation over the Web. Users duped into clicking on an overlong rtsp:// link could find their PCs or Macs compromised. It also may be possible to trigger an attack automatically simply by enticing users to a malicious Web site.
"Exploitation of this issue is trivial," said LMH in the vulnerability's write-up on the MoAB Web site. The associated exploit code has been tested on Mac OS X running on Intel-based systems, and works against QuickTime 7.1.3, the current version of the player, LMH and Finisterre said.
Other security researchers rang alarms Tuesday. Danish vulnerability tracker Secunia, for example, pegged the bug as "highly critical," the second-from-the-top rating on its five-step scale, and Symantec alerted customers of its DeepSight threat network to the vulnerability.
An Apple spokesman declined to confirm the vulnerability, or, if it was legitimate, when the flaw might be fixed. In an e-mail, he said that "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users. We always welcome feedback on how to improve security on the Mac."
LMH, who didn't immediately reply to several questions sent via e-mail, said on the MoAB site that Apple's Mac OS X operating system was chosen as the target for the month of vulnerabilities because "we like to play with OS X, we enjoy hate e-mail, and it's not as crowded as (random software vendor), yet. Thus, it's really comfortable for research and there's so much to be worked out."
He also said that Apple -- and other vendors whose Mac OS X applications might be the focus of a bug posted during the month's run -- would not be notified in most cases before the information went live, and dismissed that practice. "The point is releasing them without vendor notification. The problem with so-called 'responsible disclosure' is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial. And the reward (automated responses and euphemism-heavy advisories) doesn't pay off in the end."
LMH, Finisterre, and commercial security vendors recommended that users cripple QuickTime's ability to process rtsp:// links. In Windows, launch QuickTime, select Edit|Preferences|QuickTime Preferences, click the File Types tab, expand Streaming, and clear the box marked "RTSP stream descriptor." In Mac OS X, select System Preferences|QuickTime|Advanced|MIME Settings|Streaming|Streaming Movies and clear the "RTSP stream descriptor" box.
Apple's QuickTime was last in the news during December, when a bug in the player was exploited by fraudsters on MySpace. That vulnerability remains unpatched.
LMH expects to see more QuickTime attacks now that his newest flaw has gone public. He said, "It's a matter of time to see this getting abused in the wild."
If you wanted "meaningful data" about a crash, why didn't you install the free Macsbug utility from Apple and Motorola? It would invoke the interactive debugger instead of the bomb screen when a crash occurred.
OK, what about the USAF... I'm not 100% certain, but I'd bet Windows has the lion's share.
You lose.
Most of the Air Force sites I found are using Linux. The US Air Force Academy was using Solaris but this month switched the OS to Linux while retaining the Sun server software.
However, the Air Force Reserve web site, www.afreserve.com, and the Air Force Research Lab web site, www.afrl.af.mil, run on Windows. I hope that pleases you.
BTW: A public facing website really doesn't have a lot of secure data.
However, the military web sites ARE prominent, attractive targets for crackers from the lunatic left who regularly defaced them when they were running less secure software or OSes.
Let's double-check that. I believe that Perl and Ruby are part of the standard distribution. Open your Terminal.app and try a couple of commands -
perl -v
ruby -v
That will print the version numbers if they're installed on your system.
So far, MoAB is not attacking Ruby - they're using Ruby to generate the attack.
OK, so we only count the OS out of the box with OS patches (I presume)... Well, that makes the Mac even more useless if you can't install the handful of programs on it without making it a security risk.
You are being deliberately obtuse. The programs that MOAB seems to be relying on are "RUN TIME INTERPRETERS" or the actual programming languages for their specific exploits. The point is that 99.9% of Mac users will never install a "programming language" on their Mac and will NEVER be at risk from these very obscure vulnerabilities. That makes them FUD.
Take a PC out of the box and don't install the AV, AS, and AA applications and see how long your computer lasts before it is infested. Do the same with a Mac and it will last for years. As an experiment, I have been running my Mac OS X.4.8 G5 without a firewall. It has been on 24/7 for the last 10 months, being restarted only for OS updates, and is perfectly safe and uncompromised.
I can take an out-of-the-box Mac and make it just as vulnerable to web rats and cockroaches as any unprotected Windows machine by opening all the ports and turning on all the services that no average user will ever use. That is what the guy in Sweden did and his Mac got pwned by Gwerdna in under 30 minutes.
I guess I was misled (again) by the Mac fanbase claiming it was uber secure and nothing could break their security model...
It is "uber secure" but if you break the security model, it will no longer BE secure.
I thought the OS was so well designed the OS wouldn't allow a program to do such things.
Just as on Windows, a program can be designed to do a lot of things. However, a user on a Mac implementing a malicious program can only damage his own files, not the system or application files or any other user's files. 99% of Windows users are running at administrator level by default... and can trash everything. They have access to that mess called the Registry, and an application running with their user privileges can hose the entire system. Vista is making some improvements in this... finally.
(I'm not saying you're a peacenik or non-techy, but the majority of Mac users are).
Your proof? President Bush uses Macs, Rush Limbaugh uses Macs... there are more.... Al Gore uses... oh, damn... Macs. However, go to any IT convention and see what the IT managers are carrying. More and more they are carrying Macbooks. Techies are choosing Macs.
No, they require a runtime interpreter for Ruby.
I've installed them because I installed X11 to run some UNIX apps, so my system is not a good test for this.
I hadn't tested this... but yesterday, none of the demonstration exploits would work on my Mac. The MOAB guys did say a "working" version of Perl and Ruby. After you mentioned double-checking, I invoked Perl from a terminal and then tried the #2 exploit and it worked. Tried 1, 3, & 4 and they didn't. Then I invoked Ruby and they worked. The programming languages have to be running... then their vulnerabilities work. Thanks for the heads up.
Ruby is required to run the proof-of-concept code, but that's really just an implementation detail. Equivalent attacks could be coded in many other languages besides Ruby.
True.
It does. There's constant fretting over Windows servers going down, while the Sun, HP and IBM UNIX servers just keep humming for years.
I think the reason Windows has so much presence in the servers is because of cost-cutting measures back when UNIX was far more expensive than Windows. The government wanted to save money, so it started migrating from UNIX. What the government didn't realize was that what it was saving in purchase price it was losing in extra personnel hours, down time and complexity (several cheaper boxes to do the job of one solid expensive one). Do you realize what a headache it is to run Exchange to provide email for 20,000 people? It's frickin' insane!
At that time I had never heard of it, and neither had the 20 or so Mac guys that turned me on to the Mac. Besides, with Windows it was so easy. I'd just look at the bug crash, and at that time (before I knew how to debug) I could just search on the stop code on TechNet for a possible cause. Plus it showed you which driver was on the stack when it crashed, so I had a reasonable idea of what was broken. I didn't have to install anything.
Besides, Macs have never been about installing debug tools... they were just supposed to work out of the box since it was a closed system. All I had was a Mac with all the Mac bundled software and it still crashed!!!!
Wow, so you're saying you know what the AF runs internally? Also, what do they run on their desktops? BTW: I'll give you a hint... it's neither Linux nor Mac.
Finally, what is the AF running on their internal websites for collaboration? Hint: it's not Mac.
So is it safe to say you were wrong on the subject that started this whole discussion? :-D
When will you be installing your anti-virus protection for Mac? I recommend staying away from Norton/Symantec, as they have been horrible on the Windows platform, causing about 50% of all the blue screens I've ever seen, and they can corrupt data.
Be sure to read his post where he confirmed the exploits listed in the MOAB (with special credit to Hal9000, as he explained how to do it properly).
I just want to make sure the Mac zealots don't think their system is 100% secure. I'm sure it's a fine OS (now), and it works well for the 5 to 10% of users that want to be unique but don't want to mess with BSD or Linux.
FYI... our very own FR Mac fan has confirmed the MOAB attacks. If you run a Mac, it's time to get some AV protection.
Gotta read what Swordmaker finally confirmed... Mac has some exploits available. Looks like you and I were right... who knew you'd be proven so right so quickly?
Looks like the MOAB is true, as Swordmaker confirmed. Read a few posts up and you'll see Mac needs some AV protection, as do all computer systems.
I guess when I know I'm right I will come off as arrogant which will attract moths to my flame. But you know what happens to the moth when it gets too close to the flame?
"Hand him a 512MB video card and have him let you know when he's got it installed in the Mini."
Irrelevant. The Mini is just a well designed micro PC, not intended for the uber cards for gaming or 3-D, but its specs are as good as or better than your average desktop tower. (Which will never get a $500 video card, either; not everyone is an uber gamer or CAD user). Yes, it has limitations - it uses slower laptop drives, is limited in the amount of RAM it can have, has a small power supply - but it's got a LOT of bang for its buck, and the thing is really dinky - they did a great job engineering the thing. Expect a refresh at Macworld next week, or sometime this spring.
Apple didn't invent the form factor, but they improved on it (and have been copied already), and as a cheap entry to the Mac world it can't be beat, as it'll run most applications just fine, and now the Intel version will dual boot to Windows XP or run XP in Parallels in a virtual box. Not bad for $500 - or cheaper if you pick one up used.
I hear it runs Vista just fine, too...
I'm not saying UNIX is a bad OS. But to say they are fretting over Windows is silly. You have to compare how the Windows machine is maintained and managed vs. the UNIX system. The UNIX systems tend to have knowledgeable IT guys making six figures running them. Windows has one six-figure guy managing a bunch of guys in the 50-80K range. You don't get to touch the UNIX system till you're certified, but with Windows they throw the keys at you.
Plus a lot of Windows servers are kept at people's desks and have no UPS or AV protection. Sure, cost has a big part to play in it, but it's not so much the hardware costs as the operations costs.