Free Republic
Smoky Backroom

Mac, Windows QuickTime Flaw Opens 'Month Of Apple Bugs'
Information Week ^ | Jan 2, 2007 03:04 PM | Gregg Keizer

Posted on 01/03/2007 11:04:31 AM PST by newgeezer

The exploit could be used by attackers to compromise, hijack, or infect computers running either Windows or Mac OS X.

The Month of Apple Bugs project kicked off Monday by posting a zero-day vulnerability in Apple's QuickTime media player. It also posted an exploit that could be used by attackers to compromise, hijack, or infect computers running either Windows or Mac OS X.

The Month of Apple Bugs (MoAB), which will announce a new security vulnerability in Apple's operating system or other Mac OS X software each day in January, is a follow-on to November's "Month of Kernel Bugs" campaign, and is co-hosted by that project's poster, a hacker who goes by the initials "LMH," and a partner, Kevin Finisterre, a researcher who has posted numerous Mac vulnerabilities and analyses on his own site.

The debut vulnerability is in QuickTime 7's parsing of RTSP (RealTime Streaming Protocol); the protocol is used to transmit streaming audio, video, and 3-D animation over the Web. Users duped into clicking on an overlong rtsp:// link could find their PCs or Macs compromised. It also may be possible to automatically trigger an attack simply by enticing users to a malicious Web site.

"Exploitation of this issue is trivial," said LMH in the vulnerability's write-up on the MoAB Web site. The associated exploit code has been tested on Mac OS X running on Intel-based systems, and works against QuickTime 7.1.3, the current version of the player, LMH and Finisterre said.

Other security researchers rang alarms Tuesday. Danish vulnerability tracker Secunia, for example, pegged the bug as "highly critical," the second-from-the-top threat in its five-step score, and Symantec alerted customers of its DeepSight threat network of the vulnerability.

An Apple spokesman declined to confirm the vulnerability, or, if it was legitimate, when the flaw might be fixed. In an e-mail, he said that "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users. We always welcome feedback on how to improve security on the Mac."

LMH, who didn't immediately reply to several questions sent via e-mail, said on the MoAB site that Apple's Mac OS X operating system was chosen as the target for the month of vulnerabilities because "we like to play with OS X, we enjoy hate e-mail, and it's not as crowded as (random software vendor), yet. Thus, it's really comfortable for research and there's so much to be worked out."

He also said that Apple -- and other vendors whose Mac OS X applications might be the focus of a bug posted during the month's run -- would not be notified in most cases before the information went live, and dismissed that practice. "The point is releasing them without vendor notification. The problem with so-called 'responsible disclosure' is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial. And the reward (automated responses and euphemism-heavy advisories) doesn't pay off in the end."

LMH, Finisterre, and commercial security vendors recommended that users cripple QuickTime's ability to process rtsp:// links. In Windows, launch QuickTime, select Edit|Preferences|QuickTime Preferences, click the File Types tab, expand Streaming, and clear the box marked "RTSP stream descriptor." In Mac OS X, select System Preferences|QuickTime|Advanced|MIME Settings|Streaming|Streaming Movies and clear the "RTSP stream descriptor" box.

Apple's QuickTime was last in the news during December, when a bug in the player was exploited by fraudsters on MySpace. That vulnerability remains unpatched.

LMH expects to see more QuickTime attacks now that his newest flaw has gone public. He said, "It's a matter of time to see this getting abused in the wild."


KEYWORDS: apple; bugs; moab; security; threadjester
To: antiRepublicrat
Do you realize what a headache it is to run Exchange to provide email for 20,000 people? It's frickin' insane!

No it's not. I've supported well over that number. The key is you have to buy the right hardware up front. Then Exchange runs like a champ. But it also requires a sound AD implementation.

121 posted on 01/05/2007 7:12:47 AM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 110 | View Replies]

To: for-q-clinton
So is it safe to say you were wrong on the subject that started this whole discussion? :-D

If I install Perl and Ruby on my XP box, will you call those Windows vulnerabilities?

122 posted on 01/05/2007 7:12:53 AM PST by antiRepublicrat
[ Post Reply | Private Reply | To 113 | View Replies]

To: Swordmaker

"I'm not so sure that will continue with Apple's embracing of the Intel processor. Granted, dll-loading and system API calls within the virus code designed for Windows will not work, but I'd still think hackers could now have the capability to write platform-agnostic viruses for Intel that could do a phenomenal amount of damage. Your thoughts?
As far as I know, viruses are not written for processors... they are written to exploit flaws in operating systems. There have been a few viruses aimed at BIOSes, but none that are aimed at specific processors. For example, most Windows viruses work just fine on a PowerPC chip based Mac running a Windows installation in VirtualPC yet the PowerPC is completely different from the Intel/AMD X86 design."

If there is someone capable of writing machine level code that exploits not only at the chip level, but through two unique and different OSes, find them and hire them, because they will make you billions. That kind of talent *may* exist, but I doubt it's being used to write malware or spam trojans. (Or I hope to god they're not...)


123 posted on 01/05/2007 7:13:09 AM PST by ByDesign
[ Post Reply | Private Reply | To 48 | View Replies]

To: antiRepublicrat
If I install Perl and Ruby on my XP box, will you call those Windows vulnerabilities?

You're missing the point. First, if Windows has them installed then YES they are Windows vulnerabilities. If you installed them and they didn't come with the install disk then no they aren't.

But I think the point is they are just using those as ONE way to launch the exploit. Kind of like using VBScript to launch an exploit to attack the real exploit. So it's not Ruby that's causing the exploit; it's just a mechanism by which they attack it.

124 posted on 01/05/2007 7:17:54 AM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 122 | View Replies]

To: Golden Eagle; Bush2000

This is a good thread with some serious eating of crow by the Mac bigots ;-) It takes a while but they do get nailed pretty hard.


125 posted on 01/05/2007 7:20:14 AM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 124 | View Replies]

To: ByDesign

I know what the mini is for, thanks. The statement that prompted the reply is still false.


126 posted on 01/05/2007 7:25:50 AM PST by Doohickey (I am not unappeasable. YOU are just too easily appeased.)
[ Post Reply | Private Reply | To 119 | View Replies]

To: Doohickey

I recommend quoting who you're responding to. This way it helps to keep the lazy Mac fans from wasting their attacks on you.

Yes, that's a cheap shot and only meant in fun.


127 posted on 01/05/2007 7:31:55 AM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 126 | View Replies]

To: for-q-clinton

To the contrary - I like making them work for a change.


128 posted on 01/05/2007 7:35:49 AM PST by Doohickey (I am not unappeasable. YOU are just too easily appeased.)
[ Post Reply | Private Reply | To 127 | View Replies]

To: for-q-clinton

"Ok, so you rebutted and corrected my spelling of MAC. Whoopdee doo. I have nothing against the MAC...just the high and mighty idiots that make grandiose claims about it. Ever since the first MAC they've been claiming how superior it is...when they finally get a decent OS they claim "we really really really mean it this time...we even have real multi-tasking like Windows NT did years and years ago."

I gave up on Mac a long time ago when I was duped into buying one to find out it crashed more than my Windows box (but it did give me a pretty little bomb to look at as opposed to a blue screen with meaningful data on it to figure out what went wrong).

You ever heard of the story of the little boy that cried wolf? That's what the Mac user fan club reminds me of."

And you are the perfect poster child of the Windows Troll crowd - you're holding a grudge over a piece of equipment from years past, nothing will change YOUR mind, nope, and you know it all, simply because you bought a copy of Windows, doncha? Your posts DRIP with seething, childish anger and petulance, something anyone who uses a Macintosh has had to endure now for a long, long time.

It's a computer.

Get over it.

And while you're at it, get over yourself. What OS you use or don't use does not define nor improve you, it's a tool, not a definition. Try and understand that.

I use Macs and Windows machines, and have dabbled with Linux. I prefer Macs, as I've used them since the Mac II and System 7. I'll be the first to admit, there are those among the Mac user crowd who are pretentious and annoying, and make ridiculous claims, and annoy everyone - along with us Mac users - just as there are those among the Windows "faithful" who are just as annoying. I'll even admit my share in the Platform Wars over the years, but I approached it as a game, not something I really took seriously, nor did I ever actually judge someone based on what kind of effing computer they used - something I see in the Windows crowd and makes me embarrassed for them. I also try to correct some of the more outrageous claims Windows users tend to make, just as I would expect a knowledgeable Windows user to correct a Mac User making specious claims about Windows.

I don't care what you use, I care about what you can DO with a computer. It's just a tool. I've found, and it's quite amusing, that the most heated and obnoxious defenders of their platform, be it Windows, Mac, or else, are the ones who do the least with their computer - while the rest of us are learning our skills, and pushing the envelope, they're online waving virtual epeens at each other trying to gain some kind of weird computer geek alpha dog status, and can't really do much with their computers beyond typing (and they tend to be bad at that, as well).

Give me a copy of Photoshop and a computer, and I can make art and money - it doesn't matter which platform.

What can YOU do? Besides annoy people? That's what matters. Owning Windows is easy. Doing something with it that matters is what counts. That someone else chooses a Mac, is none of your regard, and your posturing and blowhard attacks just serve to make you look like the greater fool.

Having said that, it's time to go make some money with my G5.


129 posted on 01/05/2007 7:37:35 AM PST by ByDesign
[ Post Reply | Private Reply | To 91 | View Replies]

To: for-q-clinton

Though I am somewhat new to the data security game, I have known for several months about some proof of concept exploits that Macs were susceptible to under certain conditions. I am pretty much ambivalent when it comes to OS's. I personally run Windows, Mac, and a half dozen or so Linux distros. Data security and penetration testing requires lots of research in real time in order to keep up with any potential new threats. What blows my mind is the zealotry of the typical Mac user. A mere mention of a potential threat, or the recent forming of truly collaborative efforts in the black hat community seems to evoke responses filled with dripping sarcasm and ridicule. I wouldn't hold my breath for any apologies. There is something about these OS wars that seems to bring out the worst in people.


130 posted on 01/05/2007 7:38:43 AM PST by Space Wrangler
[ Post Reply | Private Reply | To 118 | View Replies]

To: for-q-clinton
No it's not. I've supported well over that number. The key is you have to buy the right hardware up front. Then Exchange runs like a champ.

Remember, I'm comparing to UNIX solutions. I've always had a few questions, like why can't I have all three nodes in a three-node cluster active? I'm forced to have one idle. What a waste. And do you realize it uses the JET Blue (MS Access) database engine? Ick!

If Microsoft wants to impress me, allow a full Exchange cluster, and have it use an SQL Server cluster as the back-end. Then both the data and the application will be in full failover.

131 posted on 01/05/2007 7:40:15 AM PST by antiRepublicrat
[ Post Reply | Private Reply | To 121 | View Replies]

To: for-q-clinton

"I guess I was misled (again) by the MAC fanbase claiming it was uber secure and nothing could break their security model...not even the typical non-techy, peacenik, MAC user. (I'm not saying you're a peacenik or non-techy, but the majority of Mac users are)."

Bullshit. Utter, reeking, made-up bullshit.

You really are a child.

Computers are tools, not a flag of one's politics or lifestyle or ability. I don't know a single person who chose a computer platform based on politics. Maybe in your small, bizarre world they do, but out here in reality, most people buy what they learned from school or what they use at the office, or whatever is cheapest at BestBuy.

Back up your pie hole with facts, or just shut up already, every time you post you look more and more like a complete buffoon. Not only do you make Windows users look like arrogant knobs, but now you're just making computer users look bad.


132 posted on 01/05/2007 7:46:03 AM PST by ByDesign
[ Post Reply | Private Reply | To 100 | View Replies]

To: for-q-clinton
You're missing the point. First, if Windows has them installed then YES they are Windows vulnerabilities. If you installed them and they didn't come with the install disk then no they aren't.

That is a horrible way to measure security. If they are not part of the normal Windows install, and they don't use Windows components, then they are not Windows vulnerabilities, but vulnerabilities in a Windows application. Unfortunately for Windows, many apps use mshtml.dll to render html, so their vulnerabilities can become Windows vulnerabilities (conversely, mshtml.dll vulnerabilities can make the program vulnerable).

The average Linux disk comes with hundreds of third-party programs, few of which ever get installed by the average user. Do you count some obscure program used by very few people as a Linux vulnerability?

The standard should be based on the standard install if we're talking about the general public. None of this gets installed by the average user, who probably thinks Perl and Ruby have something to do with jewelry.

So it's not Ruby that's causing the exploit; it's just a mechanism by which they attack it.

An exploit is just a theoretical exercise without a vector.

133 posted on 01/05/2007 8:21:24 AM PST by antiRepublicrat
[ Post Reply | Private Reply | To 124 | View Replies]

To: for-q-clinton
You're missing the point. First, if Windows has them installed then YES they are Windows vulnerabilities. If you installed them and they didn't come with the install disk then no they aren't.

And YOU are missing the point. I installed both Ruby and Perl when I installed X11 to run some UNIX apps on my Mac. They were not installed as part of the default OS X installation.

The vast majority of Mac users posting on the websites discussing MoAB have been unable to make their examples work.

134 posted on 01/05/2007 8:59:09 AM PST by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)
[ Post Reply | Private Reply | To 124 | View Replies]

To: for-q-clinton; antiRepublicrat; HAL9000
You owe me an apology...looks like me and Spacewrangler were the correct ones in our analysis. Read Swordmaker's post about how he confirmed the MOAB.

No, he doesn't. How many Mac users are going to have Perl and Ruby even installed, much less running in the background? They are provided on a disk of UNIX utilities that are optional to install if the user needs them or wants them.

Even if installed on the hard drive, they do not start automatically nor are they running in the background on a default Mac. The MoAB "exploits" did not work without the USER, me, doing some extraordinary things to get them to work.

They might be a threat to a Mac user using a MySQL database because Ruby seems to be required for that... but again, a very small minority of Mac users.

The GLEE you've shown with your flurry of replies definitely puts you into the "cigarette in the eye" crowd, for-q.

And, no, I won't be installing any AV anytime soon. Show me a virus in the wild and then I will worry. NONE of the MoAB rise to that level. Yet.

135 posted on 01/05/2007 9:16:56 AM PST by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)
[ Post Reply | Private Reply | To 118 | View Replies]

To: Space Wrangler
I am pretty much ambivalent when it comes to OS's.

I can't share your OS philosophy. Ambivalence suggests that they're all the same, and one is just as good as the other - or that it doesn't matter. It's like saying there is no difference between Democrats and Republicans.

What blows my mind is the zealotry of the typical Mac user.

There are plenty of Windows and Linux zealots too. The Mac and Linux zealots tend to be driven by a passion for excellent technology. The Windows zealots are typically motivated by job security concerns. The mediocre quality of Windows keeps a lot of mediocre technicians employed. Their jobs would be eliminated as an unnecessary expense if their company switched to better computer systems, so the Windows zealots are engaged in a campaign of falsehoods and fear-mongering to help maintain their positions. If my job depended on fixing computer problems, I'd be a Windows zealot too.

There is something about these OS wars that seems to bring out the worst in people.

Agreed.

136 posted on 01/05/2007 11:00:41 AM PST by HAL9000 (Get a Mac - The Ultimate FReeping Machine)
[ Post Reply | Private Reply | To 130 | View Replies]

To: ByDesign

I haven't told people they MUST use Windows to be safe, cool, hip, fun, whatever. Believe it or not you and I probably have a lot more in common on our ideas the computer is a tool. I'm not the one claiming Windows is infallible or only an idiot would use a Mac. However, I do point out the idiots that claim the Mac can't get hit with a virus. Linux users used to say the same thing til the Linux web server got a large market share and then guess what happened? Viruses (or is that virii) galore.

I'm not saying to use Windows because the Air Force does...I'm just illustrating the absurd with the absurd.


137 posted on 01/05/2007 11:00:55 AM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 129 | View Replies]

To: Space Wrangler

I agree. I have no gripe about the Mac specifically; it's just the zealots that get under my skin, so I like to poke them to watch them explode.


138 posted on 01/05/2007 11:02:18 AM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 130 | View Replies]

To: antiRepublicrat
If Microsoft wants to impress me, allow a full Exchange cluster, and have it use an SQL Server cluster as the back-end. Then both the data and the application will be in full failover.

This shows how little you know about Exchange and SQL. Using SQL for a bunch of small messages would yield much lower performance. JET Blue isn't exactly Access, but it is close enough for comparisons. Having said that, what makes Access a bad database is a strength for messaging (once modified).

I understand Microsoft looked at using SQL for Exchange and it just couldn't pump the messages out quick enough. Completely different technology. Just because SQL makes a great database doesn't make it a great email server.

139 posted on 01/05/2007 11:05:20 AM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 131 | View Replies]

To: ByDesign
Bullshit. Utter, reeking, made-up bullshit...Back up your pie hole with facts

Just because your computer of choice puts you closer to the libs doesn't mean you're a lib. Take a chill pill. But if you want to really know...look at what Swordmaker posted about needing CONSERVATIVE Mac users to vote on a poll because the libs were killing the vote (something with GW on the Mac and killing him or something like that).

Having a Mac doesn't make you a lib, but those that are libs would be more likely to buy Macs. Arguing otherwise is like saying the sky isn't blue. What is Mac known for? Art programs. Last I heard art types are more liberal than conservative...unless something has changed over the last 100 years in the last I bet it's the same.

140 posted on 01/05/2007 11:09:13 AM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 132 | View Replies]

