Free Republic
Browse · Search
Smoky Backroom
Topics · Post Article


Mac, Windows QuickTime Flaw Opens 'Month Of Apple Bugs'
Information Week ^ | Jan 2, 2007 03:04 PM | Gregg Keizer

Posted on 01/03/2007 11:04:31 AM PST by newgeezer

The exploit could be used by attackers to compromise, hijack, or infect computers running either Windows or Mac OS X.

The Month of Apple Bugs project kicked off Monday by posting a zero-day vulnerability in Apple's QuickTime media player. It also posted an exploit that could be used by attackers to compromise, hijack, or infect computers running either Windows or Mac OS X.

The Month of Apple Bugs (MoAB), which will announce a new security vulnerability in Apple's operating system or other Mac OS X software each day in January, is a follow-on to November's "Month of Kernel Bugs" campaign, and is co-hosted by that project's poster, a hacker who goes by the initials "LMH," and a partner, Kevin Finisterre, a researcher who has posted numerous Mac vulnerabilities and analyses on his own site.

The debut vulnerability is in QuickTime 7's parsing of RTSP (RealTime Streaming Protocol); the protocol is used to transmit streaming audio, video, and 3-D animation over the Web. Users duped into clicking on an overlong rtsp:// link could find their PCs or Macs compromised. It also may be possible to automatically trigger an attack simply by enticing users to a malicious Web site.

"Exploitation of this issue is trivial," said LMH in the vulnerability's write-up on the MoAB Web site. The associated exploit code has been tested on Mac OS X running on Intel-based systems, and works against QuickTime 7.1.3, the current version of the player, LMH and Finisterre said.

Other security researchers rang alarms Tuesday. Danish vulnerability tracker Secunia, for example, pegged the bug as "highly critical," the second-from-the-top threat in its five-step score, and Symantec alerted customers of its DeepSight threat network of the vulnerability.

An Apple spokesman declined to confirm the vulnerability, or, if it was legitimate, when the flaw might be fixed. In an e-mail, he said that "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users. We always welcome feedback on how to improve security on the Mac."

LMH, who didn't immediately reply to several questions sent via e-mail, said on the MoAB site that Apple's Mac OS X operating system was chosen as the target for the month of vulnerabilities because "we like to play with OS X, we enjoy hate e-mail, and it's not as crowded as (random software vendor), yet. Thus, it's really comfortable for research and there's so much to be worked out."

He also said that Apple -- and other vendors whose Mac OS X applications might be the focus of a bug posted during the month's run -- would not be notified in most cases before the information went live, and dismissed that practice. "The point is releasing them without vendor notification. The problem with so-called 'responsible disclosure' is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial. And the reward (automated responses and euphemism-heavy advisories) doesn't pay off in the end."

LMH, Finisterre, and commercial security vendors recommended that users cripple QuickTime's ability to process rtsp:// links. In Windows, launch QuickTime, select Edit|Preferences|QuickTime Preferences, click the File Types tab, expand Streaming, and clear the box marked "RTSP stream descriptor." In Mac OS X, select System Preferences|QuickTime|Advanced|MIME Settings|Streaming|Streaming Movies and clear the "RTSP stream descriptor" box.

Apple's QuickTime was last in the news during December, when a bug in the player was exploited by fraudsters on MySpace. That vulnerability remains unpatched.

LMH expects to see more QuickTime attacks now that his newest flaw has gone public. He said, "It's a matter of time to see this getting abused in the wild."


KEYWORDS: apple; bugs; moab; security; threadjester
To: HAL9000
Macs are a good way for an enterprise to boost productivity and reduce unnecessary expenses.

Boy this is a tough decision. Do I listen to the one guy on the Internet claiming macs can save me money or do I look at what the best businesses around the world are running?

Hmmmmm.....that's a tough call. I'll go with the guy on the Internet because I is too smart juzt like him. Them CIOs are all stoopid and stuff.

161 posted on 01/05/2007 1:07:44 PM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 160 | View Replies]

To: for-q-clinton
So what about MOAB 1, 2, & 3? Are those exploits or bugs?

Also as far as does it count because it uses ruby to get to the exploit. So if Windows services for Unix is installed and allows anyone in the world to do whatever they want on a windows 2003 server...that wouldn't count as a Microsoft OS vulnerability? And you'll be on FR arguing how it's not a real issue because it's not an OS bug but only impacts those users/businesses that chose to install unix services on Windows?

#1 is a flaw in Quicktime that affects Windows and Intel OS X Macs:

Requires a working Ruby interpreter. The exploit provided will create a QTL file, which can be locally opened or served remotely via web server. The exploit source code includes notes and other comments about the different options available.

Quicktime is not shipped with Windows as far as I know but it is shipped with all versions of OS X. However, on OS X it is a security vulnerability for those who have Ruby installed and running. A fix is already available.

#2 is a flaw in VLC Media Player and affects both Windows and OS X.

Apparently it crashes the app on Mac OS X. It is not shipped with nor is it a part of OS X or Windows. This is not an Apple flaw but a flaw in VLC. VLC has announced a fix.

Requires a working Perl interpreter. The exploit(s) provided will create a M3U file, which can be locally opened or served remotely via web server. The exploit source code includes notes and other comments about the different options available. Both x86 and PowerPC versions are provided.

As stated this is not a flaw in either Apple or Windows. It is a flaw in VLC. Apparently on both platforms, according to several security experts who have examined MoAB's claims, it merely crashes the application.

#3 is a Quicktime vulnerability that seems to only affect the Windows version of Quicktime.

It is related to the MySpace worm that MySpace fixed on their website.

Requires a working Ruby interpreter. If 'serve' argument is passed, it will launch both a web server (via Webrick) and a non-standard (aka quick hack) FTP server. The exploit uses Microsoft Text Driver ADODB connection which requires an anonymous FTP login to the exploit location, for an unknown reason. The FTP hack hasn't been fully tested and thus it's been removed from the public version. It will generate the files for the location of your choice.

While this is not an OS X vulnerability or flaw, it is an Apple application and needs to be fixed.

162 posted on 01/05/2007 1:09:01 PM PST by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)
[ Post Reply | Private Reply | To 145 | View Replies]
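
An added example, not part of any post in this thread or of the MoAB write-up: the article describes the QuickTime flaw as triggered by an "overlong rtsp:// link", and post 162 notes that it can be delivered as a QTL file opened locally or served from a web server. The Python sketch below shows how a mail or web gateway could flag such links in QTL or HTML content before they reach a player. The length cutoff, the function name `audit_rtsp_links` and the sample files are assumptions made for this example.

```python
import re

# Assumed policy cutoff: the article says only "overlong", so this is a
# tunable value chosen for the example, not a figure from the advisory.
MAX_URL_LEN = 256

# Match rtsp:// up to the first quote, angle bracket or whitespace, on raw
# bytes so that non-text content inside the URL is kept for inspection.
RTSP_RE = re.compile(rb"rtsp://[^\s\"'<>]*", re.IGNORECASE)


def audit_rtsp_links(data):
    """Return one finding per suspicious rtsp:// URL in raw file bytes."""
    findings = []
    for match in RTSP_RE.finditer(data):
        url = match.group(0)
        reasons = []
        if len(url) > MAX_URL_LEN:
            reasons.append("overlong")
        if any(b < 0x21 or b > 0x7E for b in url):
            reasons.append("non-printable")
        # Authority is everything between "rtsp://" and the first "/".
        authority = url[7:].split(b"/", 1)[0]
        hostport = authority.rpartition(b"@")[2]       # drop any userinfo
        host, sep, port = hostport.rpartition(b":")
        if hostport.endswith(b"]"):                    # bare IPv6 literal
            sep = b""
        if sep and not (port.isdigit() and len(port) <= 5):
            reasons.append("bad-port")
        if reasons:
            findings.append({"offset": match.start(),
                             "length": len(url),
                             "reasons": reasons})
    return findings


# Constructed sample inputs (not taken from any real file or exploit).
BENIGN_QTL = b'''<?xml version="1.0"?>
<?quicktime type="application/x-quicktime-media-link"?>
<embed src="rtsp://media.example.com:554/stream.sdp" autoplay="true" />
'''
OVERLONG_QTL = BENIGN_QTL.replace(b"stream.sdp", b"A" * 400)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_QTL), ("overlong", OVERLONG_QTL)):
        print(name, audit_rtsp_links(blob))
```

A check like this complements the workaround quoted in the article (clearing the "RTSP stream descriptor" file type); it does not replace it.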

To: Swordmaker

Ok, finally a reasonable answer.

So #1 is a problem that ships with the OS that is exploitable.

Now all I need to do is bookmark this for the next time I hear someone claim Mac is foolproof.


163 posted on 01/05/2007 1:13:11 PM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 162 | View Replies]

To: Leonard210
I love both the Mac I use and the PC I use. You made a startling observation, however. You said that Macs are a TARGET of hackers, yet we have been hearing for years that Macs are IGNORED by hackers. This is no minor revelation. You gave us no background and no follow-up. You simply stated an opinion as if you had some facts. Have you got some inside information or are you just a drive-by poster?

Start digging around on some of the hacking boards that you can get access to and you'll see the trend. For various reasons I'm not going to post links or reveal much detail on what I do for a living, but a big part of my work requires me to monitor these activities. I am also relatively new to this field, but the collaborative targeting of Macs is indeed a recent phenomenon.

164 posted on 01/05/2007 1:18:41 PM PST by Space Wrangler
[ Post Reply | Private Reply | To 157 | View Replies]

To: Crusher138
Since hacking is all about reputation, there is no real incentive to create a virus that will likely never be noticed.

The reputation is in being the first. And that position has gone unfulfilled for six years.

This isn't really about Apple, but of the solid stability and security of BSD. BSD has been its own full OS, on the net and hacked on, since before Microsoft even released its first graphical shell to MS-DOS 3.1. Work began on the FreeBSD branch that Apple uses around the same time Microsoft released NT -- an OS designed to work with trusted users on small local networks. Other hardened systems use FreeBSD, such as VXWorks (the RTOS used in the Mars Rover and newer Linksys routers) and various other routers and firewalls.

165 posted on 01/05/2007 1:23:35 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 155 | View Replies]

To: antiRepublicrat
The reputation is in being the first. And that position has gone unfulfilled for six years.

You really must try to be this ignorant because even noobs can understand this. He gave an analogy of why a Mac virus wouldn't spread easily in the wild. So the first has already happened. A couple times but it keeps getting dismissed. Remember we spoke about 1 year ago on the exploit available in the initial release of OSX. Yes it was patched but if you install osX without patching you would be vulnerable out of the box. Now with MOAB #1 we have again proof that osX is exploitable, but the mac faithful keep downplaying it and obfuscating the issue. They can do this by saying it's not in the wild. Reason it's not in the wild is as crusher detailed...there aren't enough machines to spread it properly.

Remember just because it isn't in the wild doesn't mean it can't exist. An exploitable hole is an exploitable hole.

166 posted on 01/05/2007 1:37:45 PM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 165 | View Replies]

To: for-q-clinton
So the first has already happened. A couple times but it keeps getting dismissed.

Name one. The two you named are dismissed because they have never spread in the wild, only under lab conditions with engineers trying to get it to spread.

Reason it's not in the wild is as crusher detailed...there aren't enough machines to spread it properly.

You also seem to like percentages. How about hard numbers. There are over 25 million OS X boxes out there not getting infected. The sadmind worm spread widely through Solaris 7, and I think we all agree there weren't even close to 25 million unpatched Solaris 7 boxes out there (Sun had issued a fix two years before). The IIS component of sadmind is irrelevant, since it only modified web content, not using IIS as a vector.

There have been propagating virus/worms for devices with a far smaller installed base, and you don't think OS X with 25 million installs has a critical mass? Rubbish.

167 posted on 01/05/2007 1:58:08 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 166 | View Replies]

To: antiRepublicrat

We already discussed the first exploit available on the mac over 1 year ago. In fact N3WBI3 left FR for 1 month because he lost the bet we had (loser had to leave for 1 month).

The setup was take an unpatched OSX box (which some users have) and execute an exploit that will run unwanted code on the machine. I won and he left for 1 month.

If you're really interested in Mac security you'd already know about the exploit. Instead you're more interested in misdirection, arguing, and attacking windows.

The more you drag it on the more foolish you make yourself look. Heck just look at exploit #1 for MOAB...you don't even need to go back to the original OSX install.


168 posted on 01/05/2007 2:23:00 PM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 167 | View Replies]

To: antiRepublicrat

BTW: you should change your screen name to Capt Titanic.

Your argument sounds a lot like his. We can't sink, let's go through the iceberg.


169 posted on 01/05/2007 2:24:56 PM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 167 | View Replies]

To: HAL9000
There are plenty of Windows and Linux zealots too. The Mac and Linux zealots tend to be driven by a passion for excellent technology. The Windows zealots are typically motivated by job security concerns. The mediocre quality of Windows keeps a lot of mediocre technicians employed. Their jobs would be eliminated as an unnecessary expense if their company switched to better computer systems, so the Windows zealots are engaged in a campaign of falsehoods and fear-mongering to help maintain their positions. If my job depended on fixing computer problems, I'd be a Windows zealot too.

Windows admins typically use Windows because a) that is what most businesses use and they are therefore a product of the modern landscape and b) they have lives outside of tweaking software endlessly and prefer a simple and complete integrated environment from a single vendor. Those are the reasons I use it for example.

Your claim that they are using an inferior product because of their inferior skills is a logical fallacy, if the average admin wanted or needed software complexity or major incompatibility issues, they would most all certainly be using Linux or some other obscure half baked product. But of course they do not, nor will they ever, they will use what is easiest, to most everyone on the planet, that of course at this point in history being Windows.

You seem particularly sore that most people in the US and the entire world choose to use Windows, but to claim they do it because it has more bugs or is harder to manage than something like linux is completely absurd. Few people use Linux on a large scale because it sucks to manage, not the other way around.

170 posted on 01/05/2007 4:44:21 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 136 | View Replies]

To: for-q-clinton
This shows how little you know about Exchange and SQL. using SQL for a bunch of small messages would yield much lower performance. I understand Microsoft looked at using SQL for exchange and it just couldn't pump the messages out quick enough. Completely different technology. Just because SQL makes a great database doesn't make it a great email server.

Exactly correct, these guys are programmers and maybe great at that but know little about system management. To listen to them everyone should rip out our Windows servers which we already know through experience are easier to manage and put in eight flavors of *nix and spend all day hammering out incompatibilities at the core level instead.

171 posted on 01/05/2007 4:50:09 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 139 | View Replies]

To: for-q-clinton
Absolutely it's a linux vulnerability. I know a bunch of people that dabble with linux and choose to install everything.

While it may not be a "linux" vulnerability, they are certainly "linux distribution" vulnerabilities when they are shipped as part of a linux distribution, but more importantly if the user must wait on the linux vendor to release the patch. You see it all the time, some hole in what they want to call a "3rd party" product, but the appropriate patch can't come from the third party, the patch has to come direct from the linux vendor such as Red Hat. You often for example can't just take the patch from the "3rd party" vendor, you have to wait for the patch made specifically for that particular linux distro. Hence, it's obviously a hole in that linux distro, since a patch for that distro is required.

172 posted on 01/05/2007 4:59:14 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 141 | View Replies]

To: for-q-clinton
Unix was replaced by windows as mainstream servers because they are cheaper to maintain and buy.

Exactly correct, I transferred many expensive and difficult Unix servers to cheaper and easier Windows boxes back almost 15 years ago now. We didn't even need to read the documentation, it was so easy, I am not kidding, on the fileservers the hardest part was typing in the usernames and passwords.

173 posted on 01/05/2007 5:04:43 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 147 | View Replies]

To: Swordmaker
"This one requires an installed working Perl interpreter to work. Again, not something installed in the default OS X installation."

I'm pretty sure perl is standard and part of the basic install on Mac OS X.

174 posted on 01/05/2007 5:05:10 PM PST by avg_freeper (Gunga galunga. Gunga, gunga galunga)
[ Post Reply | Private Reply | To 47 | View Replies]

To: for-q-clinton
Ok, finally a reasonable answer.

All of my responses to you have been reasonable.

So #1 is a problem that ships with the OS that is exploitable.

False. While it does ship with the OS, it is not part of the OS, and is not factory installed on the computer.

You use this and it will make you look the fool to anyone who knows the actual facts. There is also a difference between a vulnerability and an exploit and between an exploit and a proof-of-concept. At most, that is what this is... another proof-of-concept file that, in very unusual circumstances, could, if loaded with a maliciously designed URL, execute a PREVIOUSLY PLACED AND LOADED malicious application on the target computer. Tell me, for-q, how did that previously placed malicious application get placed on the Mac without the user's knowledge??? That's trivially easy to do on a Windows box... but not on a Mac.

There have been prior vulnerabilities in OS X and all that have been found have been repaired within a short period of time. The fix for this one is already available.

175 posted on 01/05/2007 5:08:25 PM PST by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)
[ Post Reply | Private Reply | To 163 | View Replies]

To: antiRepublicrat
It's unfair to any vendor to lump vulnerabilities in all software onto the OS.

No it's not, if the vendor shipped it as part of their O/S "distribution", and the user is subsequently dependent on that O/S vendor for a compatible patch. Patches for what you want to call "3rd party" are only compatible if they come from the linux distro vendor, hence, it's a linux distro hole.

176 posted on 01/05/2007 5:13:31 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 154 | View Replies]

To: antiRepublicrat
Give it up. I'm going to. I have better things to do than answer his latest talking point.

He's a Microsoft troll and the facts will NEVER satisfy him.

See you on another Mac thread.

177 posted on 01/05/2007 5:15:25 PM PST by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)
[ Post Reply | Private Reply | To 167 | View Replies]

To: antiRepublicrat
should have been: Patches for what you want to call "3rd party" are often only compatible if they come from the linux distro vendor, hence, it's a linux distro hole.

178 posted on 01/05/2007 5:15:43 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 176 | View Replies]

To: Crusher138
the really talented, nasty, hackers in Eastern Europe and Asia are in it for the bucks, and there ain't no bucks in hacking Macs.

This is very true, also most hackers are cowards and afraid of the massive publicity that would rain down on them if a destructive "Mac virus" was ever traced back to them. These guys behind this "month of bugs" bs are only providing exploits, not actual destructive code, as destructive code is what gets the law calling. That being said, writing a successful Mac virus (which by definition requires user interaction) would not be easy, even if anyone had the guts to write and release it.

179 posted on 01/05/2007 5:22:43 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 155 | View Replies]

To: Swordmaker
Quicktime vulnerability that seems to only affect the Windows version of Quicktime.

Well that's not quite as bad as actually shipping a Windows virus to Windows iPod users, then trying to blame Microsoft. ;-)

180 posted on 01/05/2007 5:26:49 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 162 | View Replies]


