Free Republic · Smoky Backroom

Mac, Windows QuickTime Flaw Opens 'Month Of Apple Bugs'
Information Week ^ | Jan 2, 2007 03:04 PM | Gregg Keizer

Posted on 01/03/2007 11:04:31 AM PST by newgeezer

The exploit could be used by attackers to compromise, hijack, or infect computers running either Windows or Mac OS X.

The Month of Apple Bugs project kicked off Monday by posting a zero-day vulnerability in Apple's QuickTime media player. It also posted an exploit that could be used by attackers to compromise, hijack, or infect computers running either Windows or Mac OS X.

The Month of Apple Bugs (MoAB), which will announce a new security vulnerability in Apple's operating system or other Mac OS X software each day in January, is a follow-on to November's "Month of Kernel Bugs" campaign, and is co-hosted by that project's poster, a hacker who goes by the initials "LMH," and a partner, Kevin Finisterre, a researcher who has posted numerous Mac vulnerabilities and analyses on his own site.

The debut vulnerability is in QuickTime 7's parsing of RTSP (Real Time Streaming Protocol) URLs; the protocol is used to transmit streaming audio, video, and 3-D animation over the Web. Users duped into clicking on an overlong rtsp:// link could find their PCs or Macs compromised. It also may be possible to trigger an attack automatically simply by enticing users to a malicious Web site.

"Exploitation of this issue is trivial," said LMH in the vulnerability's write-up on the MoAB Web site. The associated exploit code has been tested on Mac OS X running on Intel-based systems, and works against QuickTime 7.1.3, the current version of the player, LMH and Finisterre said.

Other security researchers rang alarms Tuesday. Danish vulnerability tracker Secunia, for example, pegged the bug as "highly critical," the second-from-the-top threat in its five-step score, and Symantec alerted customers of its DeepSight threat network of the vulnerability.

An Apple spokesman declined to confirm the vulnerability, or, if it was legitimate, when the flaw might be fixed. In an e-mail, he said that "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users. We always welcome feedback on how to improve security on the Mac."

LMH, who didn't immediately reply to several questions sent via e-mail, said on the MoAB site that Apple's Mac OS X operating system was chosen as the target for the month of vulnerabilities because "we like to play with OS X, we enjoy hate e-mail, and it's not as crowded as (random software vendor), yet. Thus, it's really comfortable for research and there's so much to be worked out."

He also said that Apple -- and other vendors whose Mac OS X applications might be the focus of a bug posted during the month's run -- would not be notified in most cases before the information went live, and dismissed that practice. "The point is releasing them without vendor notification. The problem with so-called 'responsible disclosure' is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial. And the reward (automated responses and euphemism-heavy advisories) doesn't pay off in the end."

LMH, Finisterre, and commercial security vendors recommended that users cripple QuickTime's ability to process rtsp:// links. In Windows, launch QuickTime, select Edit|Preferences|QuickTime Preferences, click the File Types tab, expand Streaming, and clear the box marked "RTSP stream descriptor." In Mac OS X, select System Preferences|QuickTime|Advanced|MIME Settings|Streaming|Streaming Movies and clear the "RTSP stream descriptor" box.

Apple's QuickTime was last in the news during December, when a bug in the player was exploited by fraudsters on MySpace. That vulnerability remains unpatched.

LMH expects to see more QuickTime attacks now that his newest flaw has gone public. He said, "It's a matter of time to see this getting abused in the wild."
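The article describes two delivery paths for the flaw: a user clicking an overlong rtsp:// link, and a page that hands the URL to the QuickTime plug-in on load. The following scanner is an added example, not code from the article, from MoAB or from Apple: it pulls every rtsp:// URL out of HTML (or a .qtl QuickTime link file, which is just an `<embed>` element) and out of plain text, and flags those that are overlong or auto-loaded. The length cut-off `MAX_RTSP_URL_LEN` and the list of URL-carrying attributes are assumptions; the advisory says only "overlong", not how long.

```python
"""Flag rtsp:// links that a vulnerable QuickTime should not be handed.

Added example; not from the article or the MoAB write-up. The advisory
says only "overlong" rtsp:// link, so MAX_RTSP_URL_LEN is an assumed,
conservative cut-off rather than the real trigger length.
"""
import re
from html.parser import HTMLParser

MAX_RTSP_URL_LEN = 256  # assumption: legitimate stream URLs are far shorter

# Attributes through which a page can hand the player a URL. "qtsrc" is the
# QuickTime plug-in's own attribute; the rest are generic HTML. (Assumed list.)
URL_ATTRS = {"href", "src", "qtsrc", "data", "value"}
# Elements the plug-in loads without a click: the "just visit the site"
# trigger the article mentions.
AUTO_LOAD_TAGS = {"embed", "object", "iframe"}

# Fallback for URLs that are not inside a tag attribute, e.g. pasted into
# a chat message. Stops at whitespace, quotes and angle brackets.
_BARE_RTSP = re.compile(r"rtsp://[^\s\"'<>]+", re.IGNORECASE)


class _RtspLinkCollector(HTMLParser):
    """Collects (tag, attr, url) for every attribute holding an rtsp:// URL."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser also routes self-closing tags (<embed ... />) here.
        for name, value in attrs:
            if value and name.lower() in URL_ATTRS and value.lower().startswith("rtsp://"):
                self.found.append((tag.lower(), name.lower(), value))


def _record(url, tag, attr, max_len):
    return {
        "url": url,
        "length": len(url),
        "tag": tag,
        "attr": attr,
        "overlong": len(url) > max_len,
        "auto_load": tag in AUTO_LOAD_TAGS,
    }


def scan_rtsp(content: str, max_len: int = MAX_RTSP_URL_LEN):
    """Return one record per rtsp:// URL found in markup or plain text."""
    collector = _RtspLinkCollector()
    collector.feed(content)
    collector.close()

    records, seen = [], set()
    for tag, attr, url in collector.found:
        seen.add(url)
        records.append(_record(url, tag, attr, max_len))
    for m in _BARE_RTSP.finditer(content):
        url = m.group(0)
        if url not in seen:  # skip URLs already captured from an attribute
            seen.add(url)
            records.append(_record(url, None, None, max_len))
    return records


def should_block(content: str, max_len: int = MAX_RTSP_URL_LEN) -> bool:
    """True if any rtsp:// URL exceeds the cut-off, however it is delivered."""
    return any(r["overlong"] for r in scan_rtsp(content, max_len))


if __name__ == "__main__":
    # Constructed sample page: one ordinary stream link, one overlong anchor,
    # and an overlong URL the plug-in would open on page load.
    sample = (
        '<a href="rtsp://media.example/trailer.mov">Watch</a>\n'
        '<a href="rtsp://evil.example/' + "A" * 1024 + '">Free movie</a>\n'
        '<embed src="x.mov" qtsrc="rtsp://evil.example/' + "B" * 1024 + '" autoplay="true">'
    )
    for r in scan_rtsp(sample):
        print(f"{r['length']:5d} overlong={r['overlong']!s:5} "
              f"auto_load={r['auto_load']!s:5} {r['tag']}/{r['attr']}")
    print("block page:", should_block(sample))
```

The `auto_load` flag is what separates a link the user must be duped into clicking from an `<embed>`/`<object>` that fires on page load; a mail or proxy filter would treat the second as the higher-priority finding. Disabling the "RTSP stream descriptor" file type, as the article's mitigation does, stops both paths at the player itself.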


KEYWORDS: apple; bugs; moab; security; threadjester
To: Swordmaker

So, that still doesn't answer my question. What is the Air Force using? I know they are using a bunch of stuff, but what are they mostly using?

I couldn't care less what the Army is using. Kind of like how I don't care what my wife thinks is a good car for me to drive. Sure she has her opinion on what looks nice but she's far from any authority on the matter of what makes a good car.


81 posted on 01/04/2007 5:39:03 PM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 79 | View Replies]

To: Swordmaker
Why are you so obsessed with Media Access Control?... it is "Mac"

Wow...that takes the cake...you really are a MAC bigot. Not only will you defend their system to the end, but you also defend the proper capitalization of their name. I wonder if you ever correct anyone (like me) when I say Micro$oft or M$?

Probably not. In fact, I'm willing to bet you never corrected anyone for referring to them as such. Only MAC...hmmmm...I wonder why? Are you an Apple employee?

82 posted on 01/04/2007 5:41:39 PM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 80 | View Replies]

To: newgeezer

Speaking of QuickTime, does anybody know why so many digital camera makers (practically all of them) are using QuickTime for the video portion of their cameras? I refuse to buy anything with QuickTime.


83 posted on 01/04/2007 5:52:05 PM PST by my_pointy_head_is_sharp
[ Post Reply | Private Reply | To 1 | View Replies]

To: for-q-clinton
I have been browsing this thread, and you seem particularly upset about Macintosh computers and Mac users. Indeed, you are almost foaming at the mouth in some of your posts.

Yet, you have yet to say anything of substance, only posting derogatory messages toward those of us secure in our manhood.

I have used Macs since they came on the scene in the 80's. I have used most iterations of both hardware and system software. I am not an IT guy, and don't know much about the inner workings.

I signed onto my first BBS in the 80's, and was a charter subscriber with AOL (Compuserve was lousy and AOL was Mac friendly).

I have NEVER been infected with anything, and my computers always stay on, and am always hooked up to the cable modem, often with the browser (Firefox) open... (Wanna try to sneak past my Mac's built-in firewalls and security??? Call me when you give up!)

I just pay attention to what is coming into my computer, and I also know that I can always reload everything I have done. I learned about backup in the 80's! It is still the most effective tool to use in the computer world.

What I DO know is that those PC guys who make such daring and laughable statements against the Mac community are most assuredly impotent, and trying to assert their manhood by way of making absurd claims against a company that DELIVERS what it says, not just repeats empty promises. For a good example, see VISTA, a Mac clone... without the goods!

I just recently signed onto FR, and you seem an apt target for response, since your posts are so frothy. It's quite apparent you know little about the subject.

You can't even keep your story straight!

The US Army now runs its website on OS X because of that hardness to hack. -SM

What does the REAL IT unit of the military use for most of their servers? BTW: That's the Air Force not the Army. -Clinton lover

So, that still doesn't answer my question. What is the Air Force using? I know they are using a bunch of stuff, but what are they mostly using? -Clinton lover

I couldn't care less what the Army is using. -Clinton lover

I guess I confue everone :-D I do like the idea that we make that part of the FR lexicon.--Clinton lover

You are so hyped on yourself that you wish to brag about your own spelling/typing inadequacies...? Get a life, and go try to fool someone that cares!

84 posted on 01/04/2007 6:08:01 PM PST by PageOne (You're kidding me, aren't you?)
[ Post Reply | Private Reply | To 81 | View Replies]

To: Space Wrangler
Apple has become public enemy #1 for many black hatters in no small part because of Jobs arrogant stance that his OS is immune to the security flaws, and in essence daring the black hatters to give it a go. Be careful what you ask for Steve.....

It is my understanding that no one, I repeat NO ONE, hacks a Mac because no one cares about their paltry market share. It's called "security by obscurity" and is proved to be the REAL reason that Macs haven't been hacked. That said, when did the tide turn? I mean, at what point did the "black hatters" decide to take a shine to Apple? The "arrogant stance" you refer to is not new. So what REALLY got to these guys? I believe, my dear Space Wrangler, that you have unknowingly stumbled onto a conspiracy of monumental proportions. This "black hatter" community MUST have been bought off for the past six years. Yet, how did Jobs do it? It boggles, I tell ya'. (BTW, when the Big One hits, it will be a drop in the bucket compared to the sheer volume of security issues faced by Windows users. I run both and I MUST run anti-virus and all sorts of system protection gadgets to assure a clean Windows system. We may need it on the Mac some day, but it will take a deluge of attacks to ever approach what MS has wrought.)
85 posted on 01/04/2007 6:27:26 PM PST by Leonard210
[ Post Reply | Private Reply | To 41 | View Replies]

To: Leonard210

You interrupted your lovemaking session with your Mac to type all of that?? Back to it now.


86 posted on 01/04/2007 6:39:51 PM PST by Space Wrangler
[ Post Reply | Private Reply | To 85 | View Replies]

To: for-q-clinton; HAL9000; antiRepublicrat
I agree it is curable. Go back and read the responses. One MAC (sic) supporter says the virus was only on OS9 the other says it was on OSX, but not in the wild. Which is it...was the virus I mentioned in the wild on OS9 or on OSX but not in the wild?

Go back and read what Hal9000 and Antirepublicrat actually stated. They are correct and neither has said that Leap-A or Oompa-A were OS 9 viruses.

In any case, here is your answer:

Leap-A/Oompa-Loompa-A's mode of attack was to spread to other Macs through iChat, using the iChat buddies list and sending copies of itself to the buddies and repeating the process, thus spreading. It failed miserably to do even that. As presented, it contained no "payload" that could damage a Mac.

Shortly after Secunia published the mode of attack, some other hacker tacked on a payload to the original file that supposedly would erase the files in a user's home directory... and submitted it as Oompa-Loompa-B. It also did not work.

This so-called worm could not spread, and it did not damage the machines it was purposely installed on. As I mentioned earlier, it took two Apple engineers and two security specialists from Secunia over six hours to merely get it to copy itself from an "infected" Mac to another Mac on the same local network... and even then it required the administrator of the targeted Mac to accept delivery of the package, unzip it, ignore the warning that the file contained an application, install it, and give it permission for a first run.

This kind of puts it in the category of instructions to pick up a hammer and hit yourself on the head.

So, that still doesn't answer my question. What is the Air Force using? I know they are using a bunch of stuff, but what are they mostly using?

What does what the Air Force uses have to do with the fact that the US Army is using Macs to power its primary public web site... and that the person in charge of making the decisions states that he made the choice because they were more secure than the Windows NT they had been using? Your question is just a red herring designed to shift the focus away from that fact.

Wow...that takes the cake...you really are a MAC bigot. Not only will you defend their system to the end, but you also defend the proper capitalization of their name. I wonder if you ever correct anyone (like me) when I say Micro$oft or M$?

Have I insulted you? Why do you feel it necessary to insult me?

I spell Microsoft just as I just did. However, only anti-Mac bigots repeatedly misspell "Mac" as "MAC," especially after their error has been pointed out to them, which Antirepublicrat did for you in an earlier post. After a while it becomes an irritant in discussions... all caps is considered shouting. Consider it part of my effort in curing your ignorance about things Mac.

As to defending Macs, I defend the truth. You have been repeating myths and FUD as if they were true despite the many times they have been debunked. Hence your posts deserve rebuttal. If you will notice, I generally back up what I post with sources.

87 posted on 01/04/2007 6:45:03 PM PST by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)
[ Post Reply | Private Reply | To 78 | View Replies]

To: Leonard210; Swordmaker
It is my understanding that no one, I repeat NO ONE, hacks a Mac because no one cares about their paltry market share. It's called "security by obscurity" and is proved to be the REAL reason that Macs haven't been hacked...

"Ignorance can be cured" Redux! (SM, I should have pinged you on the last post to the Clinton guy. my apology for improper form.)

I guess you haven't bothered to read this thread, huh? Macs are SECURE against the numerous ATTEMPTS to infect them. As of now, there are NO (read that as ZERO) successful attacks on OSX/any version. It isn't "obscurity", it is because it is a well designed (can we call it elegant?) codex, with lots of built-in safeguards.

Do you really think you fool anyone with "WE may need it on the mac some day"?

Do you understand the meaning of FUD?

88 posted on 01/04/2007 7:05:13 PM PST by PageOne (You're kidding me, aren't you?)
[ Post Reply | Private Reply | To 85 | View Replies]

To: for-q-clinton
What does the REAL IT unit of the military use for most of their servers? BTW: That's the Air Force not the Army.

The Army mainly uses Windows. As far as security, Army servers do get hacked, but there's no outside network access to most of the servers so security goes up.

However, while the regular Army web site runs on Mac, their biggest public-facing, limited-access web site runs on Solaris. They are very paranoid about having public-facing Windows servers.

89 posted on 01/04/2007 7:20:10 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 76 | View Replies]

To: PageOne

So you're new and you try to call me names? Clinton Lover...WTF? Learn to read then reply.


90 posted on 01/04/2007 8:18:02 PM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 84 | View Replies]

To: Swordmaker

Ok, so you rebutted and corrected my spelling of MAC. Whoopdee doo. I have nothing against the MAC...just the high and mighty idiots that make grandiose claims about it. Ever since the first MAC they've been claiming how superior it is...when they finally get a decent OS they claim "we really really really mean it this time...we even have real multi-tasking like Windows NT did years and years ago."

I gave up on Mac a long time ago when I was duped into buying one to find out it crashed more than my Windows box (but it did give me a pretty little bomb to look at as opposed to a blue screen with meaningful data on it to figure out what went wrong).

You ever heard of the story of the little boy that cried wolf? That's what the Mac user fan club reminds me of.


91 posted on 01/04/2007 8:27:17 PM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 87 | View Replies]

To: Swordmaker
What does the what the Air Force uses have to do with the fact that the US Army is using Macs to power its primary public web site

Well if the Air Force bought a new rifle to give to their admin troops...would that imply it was the best rifle around? Or just that it was ok for what they needed? If I want to buy a gun or tank I'll look at what the Army is doing. If I'm concerned about computers and want to know the best of the best the military is using in IT...I'd look at the Air Force. So saying the Army is using MAC is like saying Food Lion uses Scott's tissue in their bathroom...so what?

92 posted on 01/04/2007 8:31:11 PM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 87 | View Replies]

To: ShadowAce

ping


93 posted on 01/04/2007 8:32:58 PM PST by KoRn
[ Post Reply | Private Reply | To 1 | View Replies]

To: antiRepublicrat
Also it looks like the people behind the MOAB agree with me.

Why Apple and not (random software vendor)? We like to play with OS X, we enjoy hate e-mail and it's not as crowded as (random software vendor), yet. Thus, it's really comfortable for research and there's so much to be worked out http://projects.info-pull.com/moab/

94 posted on 01/04/2007 8:37:49 PM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 89 | View Replies]

To: for-q-clinton; antiRepublicrat; HAL9000
I gave up on Mac a long time ago when I was duped into buying one to find out it crashed more than my windows box (but it did give me a pretty little bomb to look at as opposed to a blue screen with meaningful data on it to figure out what went wrong).

I see. So your experience with a Mac is at least 6 years out of date. . . probably a lot longer. Apparently your psyche was so damaged by seeing the bomb that you hold animosity to a computer to this day. Sad.

. . . when they finally get decent OS they claim "we really really really mean it this time...we even have real multi-tasking like windows NT did years and years ago."

Mac multitasking was introduced in MultiFinder in 1988 and included with the OS in 1991. I will grant you that it was cooperative multitasking, but it was available five years before Windows NT's introduction in 1993. (Both were eclipsed by the pre-emptive multitasking in the Amiga 1000 in 1985.)

Have you ever USED an OS X Mac? I suggest that you do not have the experience to make a judgement whether claims are "grandiose" or not. There must be a reason why people who switch from Windows to Mac say they'll never go back. Has it ever occurred to you that the claims are NOT grandiose but are literally true?

Ok, so you rebutted and corrected my spelling of MAC. Whoopdee doo

Now that your ignorance has been corrected about the proper spelling of "Mac" you continue to misspell it. That moves from ignorance to willful ignorance. Your continued use of it probably puts you into the same category as the hackers who want to "stick a lit cigarette into the eyes of Mac users."

If you are so turned off on the Mac, what are you doing trolling in a Mac thread?

95 posted on 01/04/2007 8:51:48 PM PST by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)
[ Post Reply | Private Reply | To 91 | View Replies]

To: antiRepublicrat; for-q-clinton; HAL9000
However, while the regular Army web site runs on Mac, their biggest public-facing, limited-access web site runs on Solaris.

Yup... proof:


96 posted on 01/04/2007 9:03:48 PM PST by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)
[ Post Reply | Private Reply | To 89 | View Replies]

To: Swordmaker
There must be a reason why people who switch from Windows to Mac say they'll never go back. Has it ever occurred to you that the claims are NOT grandiose but are literally true?

Ok by your logic the same for the inverse must be true as well. It's too bad Mac lost most users early on in their product's life-cycle. Many Mac users went to Windows and will never go back.

And when I say Mac didn't have multi-tasking...Windows 3.1 had multi-tasking, but you know pre-emptive isn't what I was talking about or I would have said Win 3.1 and not WinNT.

Keep trying to win a point by forcing a square peg in a round hole. Not only do you go crazy when I say MAC instead of Mac, but also you try to defend coop multitasking as Mac's multitasking.

I'm not turned off by MACs just their zealot fans. And when I see a thread proving them wrong...I enjoy to see how they come out of the woodwork trying to defend it. It's been a lot of fun waiting to see what outlandish claims they'll make next....and then next month they'll claim they never said that. It's fun to watch the worm squirm.

97 posted on 01/04/2007 9:24:33 PM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 95 | View Replies]

To: Swordmaker
Yup... proof:

Ok what about the USAF. BTW: A public facing website really doesn't have a lot of secure data. Now if you're referring to their public portal for Army members only then yes it does.

But still what about the USAF...what do they run on most of their servers and desktops? I'm not 100% certain, but I'd bet Windows has the lion's share. So by your logic Windows is better than Mac because the USAF uses it throughout their enterprise.

98 posted on 01/04/2007 9:26:48 PM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 96 | View Replies]

To: for-q-clinton; antiRepublicrat; HAL9000
. . .and there's so much to be worked out.

And these guys don't seem to really be testing an out-of-the-box OS X Mac.

On almost every Mac site you will find posts from Mac users who have attempted to try their demonstration "exploits" and found they DO NOT WORK!

Why is that?

Out of the four flaws found so far, according to their requirements to duplicate their "flaws," flaws #1, #3 and #4 require an installed "working Ruby interpreter" and #2 requires an installed "working Perl interpreter."

Ruby and Perl are UNIX programming languages that are NOT installed by default on OS X. They probably exist on MOAB's computers 'cause that's what they are doing... writing programs in UNIX that they claim are flaws in OS X. They have chosen at some time in the past to install Ruby and Perl... and probably Python and several other UNIX languages.

BUT, for-q, those are NOT part of a default OS X Installation!

Like Maynor and Ellch, apparently they are not above tossing ringers into the mix either... but then Maynor is one of their code contributors. Or are they just sticking "lit cigarettes into the eyes of Mac users?"

99 posted on 01/04/2007 9:28:24 PM PST by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)
[ Post Reply | Private Reply | To 94 | View Replies]

To: Swordmaker

Ok, so we only count the OS out of the box with OS patches (I presume).

Well that makes the MAC even more useless if you can't install the handful of programs on it without making it a security risk. I thought the OS was so well designed the OS wouldn't allow a program to do such things.

I guess I was misled (again) by the MAC fanbase claiming it was uber secure and nothing could break their security model...not even the typical non-techy, peacenik, MAC user. (I'm not saying you're a peacenik or non-techy, but the majority of Mac users are).


100 posted on 01/04/2007 9:42:32 PM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 99 | View Replies]


Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson