Posted on 01/03/2007 11:04:31 AM PST by newgeezer
The Month of Apple Bugs project kicked off Monday by posting a zero-day vulnerability in Apple's QuickTime media player. It also posted an exploit that could be used by attackers to compromise, hijack, or infect computers running either Windows or Mac OS X.
The Month of Apple Bugs (MoAB), which will announce a new security vulnerability in Apple's operating system or other Mac OS X software each day in January, is a follow-on to November's "Month of Kernel Bugs" campaign, and is co-hosted by that project's poster, a hacker who goes by the initials "LMH," and a partner, Kevin Finisterre, a researcher who has posted numerous Mac vulnerabilities and analyses on his own site.
The debut vulnerability is in QuickTime 7's parsing of RTSP (RealTime Streaming Protocol); the protocol is used to transmit streaming audio, video, and 3-D animation over the Web. Users duped into clicking on an overlong rtsp:// link could find their PCs or Macs compromised. It also may be possible to automatically trigger an attack simply by enticing users to a malicious Web site.
"Exploitation of this issue is trivial," said LMH in the vulnerability's write-up on the MoAB Web site. The associated exploit code has been tested on Mac OS X running on Intel-based systems, and works against QuickTime 7.1.3, the current version of the player, LMH and Finisterre said.
Other security researchers rang alarms Tuesday. Danish vulnerability tracker Secunia, for example, pegged the bug as "highly critical," the second-from-the-top threat in its five-step score, and Symantec alerted customers of its DeepSight threat network of the vulnerability.
An Apple spokesman declined to confirm the vulnerability, or, if it was legitimate, when the flaw might be fixed. In an e-mail, he said that "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users. We always welcome feedback on how to improve security on the Mac."
LMH, who didn't immediately reply to several questions sent via e-mail, said on the MoAB site that Apple's Mac OS X operating system was chosen as the target for the month of vulnerabilities because "we like to play with OS X, we enjoy hate e-mail, and it's not as crowded as (random software vendor), yet. Thus, it's really comfortable for research and there's so much to be worked out."
He also said that Apple -- and other vendors whose Mac OS X applications might be the focus of a bug posted during the month's run -- would not be notified in most cases before the information went live, and dismissed that practice. "The point is releasing them without vendor notification. The problem with so-called 'responsible disclosure' is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial. And the reward (automated responses and euphemism-heavy advisories) doesn't pay off in the end."
LMH, Finisterre, and commercial security vendors recommended that users cripple QuickTime's ability to process rtsp:// links. In Windows, launch QuickTime, select Edit|Preferences|QuickTime Preferences, click the File Types tab, expand Streaming, and clear the box marked "RTSP stream descriptor." In Mac OS X, select System Preferences|QuickTime|Advanced|MIME Settings|Streaming|Streaming Movies and clear the "RTSP stream descriptor" box.
Apple's QuickTime was last in the news during December, when a bug in the player was exploited by fraudsters on MySpace. That vulnerability remains unpatched.
LMH expects to see more QuickTime attacks now that his newest flaw has gone public. He said, "It's a matter of time to see this getting abused in the wild."
Apple has been flying under the hackers' radar. Just like Linux once did. Their smugness has led hackers to show they aren't perfect either. We all know Windows isn't perfect, but the reason they have the most exploits found is because they have the biggest footprint and hackers won't waste time trying to attack a handful of machines.
If you're saying no exploits makes an OS secure, then you will want to buy the one I wrote as it has yet to be exploited. Of course I'm the only one that has ever used it, but it must be secure since no one has ever hacked it. /sarcasm
Once again...security by obscurity is no security. Reason they don't exist is because there's not enough bang for the buck for the hackers. Oh and btw, they do exist...ever heard of Leap-A or Oompa-A. Now what's your defense.
I can take your word for that. I've heard of PC users who've had problems running QuickTime.
Although QuickTime does not contain spyware, looking at the technical details of this latest vulnerability, it's feasible that QuickTime could be an attack vector for loading spyware or performing some other malicious act. But the attack would have to lure the user into taking some action, like clicking on a link, so it's not an efficient way to propagate malware. The risk to the average QuickTime user is negligible. Another complication is that QuickTime is available for three platforms (Windows, PowerPC Macs and Intel Macs), and it would be difficult to create an exploit that works on all three.
Apple needs to fix some things, like checking for buffer overflows and checking for code following a colon character in URLs. These fixes should be simple to apply. I'm sure Apple is a little embarrassed that these bugs exist, but they should not cause any widespread problems.
The reason it won't cause widespread harm is because there aren't enough Macs to make a dent on the news cycle, so hackers won't waste their time.
The Windows version is already fixed, but that requires someone to install the patch. Does QuickTime autocheck for security patches?
But to lure someone to a link is pretty easy nowadays...a simple email with a funny video will do the trick. Users will click all your links if you give them one or two funny videos to watch.
Previous versions of Mac OS had lots of viruses in the wild, and they had nowhere near the market penetration or visibility of OS X, which has none.
Oh and btw, they do exist...ever heard of Leap-A or Oompa-A. Now what's your defense.
Leap-A/Oompa-A was a trojan, requiring the person to purposely run it and be running as administrator (which is not as common in the Mac world due to the better permissions set up in UNIX). I believe the first malware for OS X was a supposed pirated copy of MS Office, which if run deleted files in the user's profile (but couldn't hose the system due to lack of root permission). There was one reported case of getting nailed by the latter, none that I heard of with the former.
There are no Mac viruses in the wild, no self-propagating malware, so the odds of getting infected are very low. People without antivirus are just playing the odds that they won't be among the first to get hit, and given that those odds are probably millions to one, it's not too bad a bet for most people.
AV sellers have been hyping every proof of concept (some of which they probably create) to boost sales, and so far nobody is listening. Only expect OS X AV sales to go up when there's actually something out there to worry about.
Apple had occasional problems with viruses several years ago when they were selling far fewer computers. Since then, Apple has switched to Mac OS X and is selling Macs in record numbers - and not a single virus has spread in the wild. Your theory is discredited.
The basic point is that there are better design decisions on the Mac side which explain the lack of exploits and viruses.
The best debunking of the security through obscurity myth is here.
It's a social engineering bug. People who click unknown links deserve what awaits them.
Assholes.
Hand him a 512MB video card and have him let you know when he's got it installed in the Mini.
Well, Apple chose to go from... MIPS? to Intel. Now there's essentially one homogenous processor used by everybody. So you can imagine the implications.
If you spent your time posting about every Windows exploit, you'd never leave your computer.
I'm not so sure that will continue with Apple's embracing of the Intel processor. Granted, dll-loading and system API calls within the virus code designed for Windows will not work, but I'd still think hackers could now have the capability to write platform-agnostic viruses for Intel that could do a phenomenal amount of damage. Your thoughts?
If the attack is designed in machine code, it probably won't be very portable. But it's possible to use cross-platform scripting and network vulnerabilities to attack different operating systems, even with different CPU architectures.
But there have been as noted above. The new Vista requires users to say yes when running as admin as well; however, I bet the excuse antirepublicrat uses won't be acceptable for Microsoft when idiot users click on a link and say yes to allow admin access and wammo virus hits. The fact that most machines will be Windows it's more likely that a virus writer will gamble that even if 1% of the users are dumb enough to say yes...they'll catch hundreds of thousands if not millions of users with their virus. If you catch 1% of the Mac users that say yes to an admin access request...then you have caught hundreds of people. Not exactly newsworthy.
But those viruses were for Mac OS 9 and earlier operating systems that were discontinued years ago. There have been zero viruses in the wild for Mac OS X since it was introduced five years ago.
The vast majority of Mac OS X users don't even have anti-virus software. In the Windows world, they would be sitting ducks.
For trojans of this type, it'll still be the user's fault. However, Microsoft's implementation has its own problems in that it makes that box pop up so much in normal usage that users will get used to simply typing in the password to keep working with their normal stuff, and they may not notice that they just allowed something they shouldn't have.
And please learn something about the platform you denigrate before posting about it. There is less relation between OS 9 and OS X than between Windows 3.1 and Vista.