Posted on 01/03/2007 11:04:31 AM PST by newgeezer
The Month of Apple Bugs project kicked off Monday by posting a zero-day vulnerability in Apple's QuickTime media player. It also posted an exploit that could be used by attackers to compromise, hijack, or infect computers running either Windows or Mac OS X.
The Month of Apple Bugs (MoAB), which will announce a new security vulnerability in Apple's operating system or other Mac OS X software each day in January, is a follow-on to November's "Month of Kernel Bugs" campaign, and is co-hosted by that project's poster, a hacker who goes by the initials "LMH," and a partner, Kevin Finisterre, a researcher who has posted numerous Mac vulnerabilities and analyses on his own site.
The debut vulnerability is in QuickTime 7's parsing of RTSP (RealTime Streaming Protocol); the protocol is used to transmit streaming audio, video, and 3-D animation over the Web. Users duped into clicking on an overlong rtsp:// link could find their PCs or Macs compromised. It also may be possible to automatically trigger an attack simply by enticing users to a malicious Web site.
"Exploitation of this issue is trivial," said LMH in the vulnerability's write-up on the MoAB Web site. The associated exploit code has been tested on Mac OS X running on Intel-based systems, and works against QuickTime 7.1.3, the current version of the player, LMH and Finisterre said.
Other security researchers rang alarms Tuesday. Danish vulnerability tracker Secunia, for example, pegged the bug as "highly critical," the second-from-the-top threat in its five-step score, and Symantec alerted customers of its DeepSight threat network of the vulnerability.
An Apple spokesman declined to confirm the vulnerability, or, if it was legitimate, when the flaw might be fixed. In an e-mail, he said that "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users. We always welcome feedback on how to improve security on the Mac."
LMH, who didn't immediately reply to several questions sent via e-mail, said on the MoAB site that Apple's Mac OS X operating system was chosen as the target for the month of vulnerabilities because "we like to play with OS X, we enjoy hate e-mail, and it's not as crowded as (random software vendor), yet. Thus, it's really comfortable for research and there's so much to be worked out."
He also said that Apple -- and other vendors whose Mac OS X applications might be the focus of a bug posted during the month's run -- would not be notified in most cases before the information went live, and dismissed that practice. "The point is releasing them without vendor notification. The problem with so-called 'responsible disclosure' is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial. And the reward (automated responses and euphemism-heavy advisories) doesn't pay off in the end."
LMH, Finisterre, and commercial security vendors recommended that users cripple QuickTime's ability to process rtsp:// links. In Windows, launch QuickTime, select Edit|Preferences|QuickTime Preferences, click the File Types tab, expand Streaming, and clear the box marked "RTSP stream descriptor." In Mac OS X, select System Preferences|QuickTime|Advanced|MIME Settings|Streaming|Streaming Movies and clear the "RTSP stream descriptor" box.
Apple's QuickTime was last in the news during December, when a bug in the player was exploited by fraudsters on MySpace. That vulnerability remains unpatched.
LMH expects to see more QuickTime attacks now that his newest flaw has gone public. He said, "It's a matter of time to see this getting abused in the wild."
Absolutely it's a Linux vulnerability. I know a bunch of people that dabble with Linux and choose to install everything. Besides, how many users need to install software to make it "count" as a vulnerability? You've gone overboard trying to prove a point that you lost a long time ago. FACT: MOAB proves Mac has some serious issues. FACT: One can exploit those vulnerabilities today.
Using your logic I could claim Windows is Uber secure because they should be running the latest Windows Vista and/or Windows 2003. And only install EXACTLY what they need...and if any of those things are optional they don't count. TCP/IP...who needs that? I don't need to install a network card...that's optional too I guess. So unless 100% of the machines are running the code it doesn't count. And even if it is, Microsoft says to run AV and firewalls, so if the user doesn't, the vulnerabilities don't count.
Well I chose to install TCP/IP on my Windows box, so all the hacks that come from the Internet don't count. See how silly that is? Fact: It's on the install disk and distro'd by Apple with the OS. Fact: if you install it you're vulnerable. Fact: Apple will fix it.
It's not a big deal. Just accept that the Mac isn't perfect and is susceptible to exploits. Not as many as Windows currently, but still vulnerable.
This just proves what we all know. Most Mac users don't really know much about computers; that's why they chose Mac.
I have never said that Mac OS X is not susceptible to exploits. Nor will you find anywhere where I have said that it is perfect. That is a straw man argument set up by you.
Yes, the Ruby and Perl are distributed by Apple... but not on the OS X install disk. It is a separate disk with extra utilities such as X11 and a host of UNIX apps.
Yes. If I install it, I'm vulnerable... if I run it in the background. I can think of no reason to do that since I am not coding all day.
Incidentally, the #4 MoAB merely crashes the iPhoto application and cannot execute any code. The crash point is an invalid call to a data location. It is a bug but not a vulnerability:
In this case (MOAB 4), a function (vsprintf) is called with invalid parameters, making this function use a pointer that is invalid, to access data, not to execute code, it crashes with a memory access error. This particular bug can't cause the execution of arbitrary code, it's not what happens with his example, and even if he changes the parameters, it's NOT going to happen, ever!
Some bugs can cause either invalid access to memory, or execution of arbitrary code, but certainly not this one. . .
vprintf is just accessing data, it's not using any pointers to execute code, and this bug is NOT changing the return address, and never will.
Since it is a "bug" I won't criticize their including it in the Month of Apple Bugs. I will criticize their hyperbolic claim that it will allow arbitrary code execution.
So what about MOAB 1, 2, & 3? Are those exploits or bugs?
Also as far as does it count because it uses Ruby to get to the exploit. So if Windows services for Unix is installed and allows anyone in the world to do whatever they want on a Windows 2003 server...that wouldn't count as a Microsoft OS vulnerability? And you'll be on FR arguing how it's not a real issue because it's not an OS bug but only impacts those users/businesses that chose to install Unix services on Windows?
See now doesn't that sound crazy?
Re-read that and, if you can, try to realize how asinine that statement is. Of the few Apple networks that I'm familiar with, I can tell you that they are no less prone to any of the issues that any other Server/OS environment would experience. Spotting you a 70% decrease in computer/network maintenance, the proprietary nature of Apple computers would still be more expensive to maintain due to the fact that the hardware cost is double what a PC is, and the extremely small pool of individuals possessing the knowledge makes cost not a factor, but the factor in why Apple has a 6-8% market share. Do you really believe that a mass change over to Apple systems would eliminate all computer maintenance issues? Really??
To me he sounds like a Unix guy from the 80's who is still bitter that their heyday of charging whatever they wanted to run the computers is no longer there.
Unix was replaced by Windows as mainstream servers because they are cheaper to maintain and buy. Either that or the CIOs and CFOs in the world's largest companies are really really stupid (and I doubt that many people in that high of a position are stupid).
No it isn't! An Adobe Acrobat exploit was just found, and it's on almost every Windows system, but I wouldn't count that as a Windows exploit, because it's a problem with Acrobat, not Windows. IIS exploit? That's Windows. Apache? Not part of Windows. If the vendor wrote it and shipped it with the OS, and it's among the regular component options, then it's part of the OS. If not, it's just packaged third-party tools with their own problems.
This does get a little vague with open source, but when you're talking about a desktop, Perl and Ruby almost never come into the picture. To hype them as desktop exploit vectors is pure FUD (aside from the fact that it took a lot of deliberate effort just to get the vector to work on a target machine).
You also get problems with different Windows versions, because an exploit on XP Pro could have no effect on XP Home. Then you have to specify which version the exploit counts against.
But given all of that, I do like the work that MOAB is doing, although I always disagree with 0-day disclosure policies. The vendor should always have a chance to fix it first. Microsoft is known to sit on exploit notices for months before fixing them, and in those cases I definitely understand a pre-fix release (this has actually gotten third-parties to fix Windows holes before MS did). But in general, Apple is basically getting free security testing, and that's good.
Once again...this is getting really really old and you've been schooled on this in the past. But here goes.
Is Adobe distro'd with Windows? If so then the update will be available via windowsupdate and will "self-heal". If not then it's Adobe's job to fix it. I could care less who wrote it. Do you really think all Windows software/code is written by MS? If it ships with the OS it's M$ responsibility. If it was 3rd party add-on after the OS ships then it's the 3rd party.
BTW: I don't believe Acrobat is on Windows by default, so it's not a MS bug. However, if Mac ships with Adobe on the OS install disk then yes it's a Mac bug that Apple has to be sure it gets fixed.
Also by your logic if Notepad has a bug that's exploitable by opening a text file, it's a Windows issue.
Somehow I believe you'd be on here complaining about how bad Windows is even if the problem was in Notepad.
Let me fix that....
Also by your logic if Notepad has a bug that's exploitable by opening a text file, it's NOT a Windows issue.
So we are ONLY talking about desktops now? What about the Army and their webservers? Think they may be running Ruby or Perl? So which is it...do you withdraw your desktops only comment or the Army uses Mac for a server?
The typical discussion I seem to have with you...you keep changing the target to fit your twisted logic, but if you step back you'll see that it's full of holes.
That's logical given it's part of the standard system. It's unfair to any vendor to lump vulnerabilities in all software onto the OS. It's also unfair to the users, giving too rosy a picture, to include only the kernel and core libraries.
The middle ground is better. It has IE exploits counting against Windows, Safari exploits against OS X. QuickTime should count against OS X, since it is the OS's player, but not against Windows, but WMP exploits should count there.
If there were a virus that only spread by person to person contact and only red-haired people with blue eyes could catch it, it wouldn't successfully replicate.
Like red headed, blue eyed people, Macs are actually kind of rare.
A new Gartner report (reported by AppleInsider) notes that despite increased sales, the Mac has yet to gain a market share increase. The report, however, partially conflicts with a previous ZDNet report based on preliminary Gartner data.
Worldwide Mac Market Share
1Q 2005: 2.2%
1Q 2006 (ZDNet): 2.3%
1Q 2006 (AI): 2.0%
Like their cyber counterparts, biological viruses do not infect everyone who is exposed. Let's say we have a really virulent virus that successfully infects 10% of those exposed. You are now looking at .2% of the computers in operation having to be in contact with another member of the .2% vulnerable community. Odds of random contact are about 1 in 500. If the virus spreads at all, it will spread VERY slowly.
Since hacking is all about reputation, there is no real incentive to create a virus that will likely never be noticed. Now that Jobs has thrown down the gauntlet, SOME hackers have taken notice, but, trust me, the really talented, nasty, hackers in Eastern Europe and Asia are in it for the bucks, and there ain't no bucks in hacking Macs.
Not necessarily. But FYI the Army is running, as you'd have seen if you'd seen the graphic on post 96, WebStar. With a little more searching you'll find they run PHP (also a Windows language).
If you tell me there's an exploit in PHP, then that's not OS X. If an exploit in PHP allows you to take advantage of an OS X exploit, then that's two different exploits. Even then, it would help if the exploit actually worked.
the typical discussion I seem to have with you...you keep changing the target to fit your twisted logic
It works for either. A desktop is likely to be running Perl only if the user is a developer. A web server is only going to be running Perl if that's their third-party language of choice. Either way, it's only on there by specific choice (not default), and it's Larry Wall's responsibility.
I bought a Mac and used it for a year in parallel with my XP and Linux boxes. The Mac now sits there, turned off. I use the Linux and XP boxes every day.
It isn't that the Mac was bad, it just didn't run the programs I wanted to use or experiment with. The Mac is a good product without the variety of software I want. It doesn't run Doom and it's way too expensive to turn into a server.
Your question implies that I made such an overreaching statement. I didn't.
Switching to Macs doesn't eliminate problems - but it significantly reduces them compared to Windows. Macs are a good way for an enterprise to boost productivity and reduce unnecessary expenses.