Posted on 01/03/2007 11:04:31 AM PST by newgeezer
The Month of Apple Bugs project kicked off Monday by posting a zero-day vulnerability in Apple's QuickTime media player. It also posted an exploit that could be used by attackers to compromise, hijack, or infect computers running either Windows or Mac OS X.
The Month of Apple Bugs (MoAB), which will announce a new security vulnerability in Apple's operating system or other Mac OS X software each day in January, is a follow-on to November's "Month of Kernel Bugs" campaign, and is co-hosted by that project's poster, a hacker who goes by the initials "LMH," and a partner, Kevin Finisterre, a researcher who has posted numerous Mac vulnerabilities and analyses on his own site.
The debut vulnerability is in QuickTime 7's handling of RTSP (Real Time Streaming Protocol) URLs; the protocol is used to control streaming audio, video, and 3-D animation over IP networks. An overlong rtsp:// URL overflows a fixed-size buffer in the player's URL handler, so users duped into clicking such a link could find their PCs or Macs compromised. Because browsers hand rtsp:// links to QuickTime automatically, it also may be possible to trigger the attack simply by enticing users to a malicious Web site.
"Exploitation of this issue is trivial," said LMH in the vulnerability's write-up on the MoAB Web site. The associated exploit code has been tested on Mac OS X running on Intel-based systems, and works against QuickTime 7.1.3, the current version of the player, LMH and Finisterre said.
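The bug class described above, as an added example that is not QuickTime's code or the MoAB exploit: a URL handler that copies the remainder of an rtsp:// link into a fixed-size stack buffer with no length check, beside a bounded version that validates the scheme, measures the host component first and refuses anything that does not fit. The buffer size, the function names and the choice to keep only the host component are illustration assumptions, not details from the write-up.

```c
/* Added example: the bug class in the MoAB write-up (an overlong rtsp://
 * URL copied into a fixed-size buffer) beside a bounded replacement.
 * Not QuickTime's code or the MoAB exploit; buffer size, function names
 * and the host-only copy are assumptions for illustration. */
#include <stdio.h>
#include <string.h>

#define RTSP_SCHEME   "rtsp://"
#define HOST_BUF_SIZE 64          /* assumed limit, chosen for the demo */

/* Vulnerable pattern. The caller is trusted to pass an rtsp:// URL; the
 * remainder after the scheme is strcpy'd into a stack buffer, so any
 * URL longer than HOST_BUF_SIZE - 1 bytes past "rtsp://" overwrites
 * whatever sits above host[] on the stack (saved registers, return
 * address). Whoever controls the link controls that data. Shown only to
 * make the defect visible; never feed it untrusted input. */
void rtsp_open_vulnerable(const char *url)
{
    char host[HOST_BUF_SIZE];
    char *end;

    strcpy(host, url + strlen(RTSP_SCHEME));       /* unbounded copy */
    if ((end = strpbrk(host, "/:")) != NULL)       /* drop path or port */
        *end = '\0';
    printf("connecting to %s\n", host);
}

/* Hardened version: check the scheme, measure the host component before
 * copying, refuse anything that does not fit, and copy with an explicit
 * length. Returns 0 on success, -1 if the URL is rejected. */
int rtsp_parse_host(const char *url, char *host, size_t host_size)
{
    size_t scheme_len = strlen(RTSP_SCHEME);
    size_t n;
    const char *p;

    if (url == NULL || host == NULL || host_size == 0)
        return -1;
    if (strncmp(url, RTSP_SCHEME, scheme_len) != 0)
        return -1;                                 /* not an rtsp:// URL */
    p = url + scheme_len;
    n = strcspn(p, "/:");                          /* host ends at path or port */
    if (n == 0 || n >= host_size)
        return -1;                                 /* empty, or would not fit */
    memcpy(host, p, n);
    host[n] = '\0';
    return 0;
}

/* Build a synthetic rtsp:// URL whose host is host_len 'A' bytes followed
 * by "/" (constructed test input, not a real exploit string). */
int make_rtsp_url(char *out, size_t out_size, size_t host_len)
{
    size_t scheme_len = strlen(RTSP_SCHEME);

    if (out == NULL || host_len + scheme_len + 2 > out_size)
        return -1;
    memcpy(out, RTSP_SCHEME, scheme_len);
    memset(out + scheme_len, 'A', host_len);
    out[scheme_len + host_len] = '/';
    out[scheme_len + host_len + 1] = '\0';
    return 0;
}

/* 1 if the hardened parser rejects a URL with a host of host_len bytes,
 * 0 if it accepts it, -1 if the URL could not be built. */
int hardened_rejects_host_len(size_t host_len)
{
    char url[4096];
    char host[HOST_BUF_SIZE];

    if (make_rtsp_url(url, sizeof url, host_len) != 0)
        return -1;
    return rtsp_parse_host(url, host, sizeof host) == -1;
}

/* 1 if the hardened parser accepts url and extracts exactly expected. */
int parses_host_as(const char *url, const char *expected)
{
    char host[HOST_BUF_SIZE];

    return rtsp_parse_host(url, host, sizeof host) == 0 &&
           strcmp(host, expected) == 0;
}

int main(void)
{
    rtsp_open_vulnerable("rtsp://media.example.com/stream");  /* short: fine */
    printf("hardened parser rejects 200-byte host: %s\n",
           hardened_rejects_host_len(200) ? "yes" : "no");
    printf("hardened parser accepts %d-byte host: %s\n", HOST_BUF_SIZE - 1,
           hardened_rejects_host_len(HOST_BUF_SIZE - 1) ? "no" : "yes");
    /* Calling rtsp_open_vulnerable with a 200-byte host would smash the
     * stack; it is deliberately left uncalled. */
    return 0;
}
```

The fix is not the larger buffer but the order of operations: measure, compare against the destination size, then copy. A `strncpy` alone would silently truncate and could leave `host` unterminated, which is why the bounded version rejects rather than truncates.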
Other security researchers rang alarms Tuesday. Danish vulnerability tracker Secunia, for example, rated the bug "highly critical," the second-highest of the five levels in its severity scale, and Symantec alerted customers of its DeepSight threat network to the vulnerability.
An Apple spokesman declined to confirm the vulnerability, or, if it was legitimate, when the flaw might be fixed. In an e-mail, he said that "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users. We always welcome feedback on how to improve security on the Mac."
LMH, who didn't immediately reply to several questions sent via e-mail, said on the MoAB site that Apple's Mac OS X operating system was chosen as the target for the month of vulnerabilities because "we like to play with OS X, we enjoy hate e-mail, and it's not as crowded as (random software vendor), yet. Thus, it's really comfortable for research and there's so much to be worked out."
He also said that Apple -- and other vendors whose Mac OS X applications might be the focus of a bug posted during the month's run -- would not be notified in most cases before the information went live, and dismissed that practice. "The point is releasing them without vendor notification. The problem with so-called 'responsible disclosure' is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial. And the reward (automated responses and euphemism-heavy advisories) doesn't pay off in the end."
LMH, Finisterre, and commercial security vendors recommended that users disable QuickTime's handling of rtsp:// links until a fix is available. In Windows, launch QuickTime, select Edit|Preferences|QuickTime Preferences, click the File Types tab, expand Streaming, and clear the box marked "RTSP stream descriptor." In Mac OS X, select System Preferences|QuickTime|Advanced|MIME Settings|Streaming|Streaming Movies and clear the "RTSP stream descriptor" box. Clearing the box removes the association so browsers no longer hand rtsp:// links to QuickTime; it is a workaround, not a patch, and the vulnerable code remains on the system.
Apple's QuickTime was last in the news during December, when a bug in the player was exploited by fraudsters on MySpace. That vulnerability remains unpatched.
LMH expects to see more QuickTime attacks now that his newest flaw has gone public. He said, "It's a matter of time to see this getting abused in the wild."
When are facts a defense? I guess they can be considered that when used to counter lies. First you called them criminal, with absolutely no proof of it. Second, not all countries allow the anti-consumer clauses in licenses. You buy it, you can run it on whatever you want. They did not distribute OS X, just found a way to put it on a non-Mac PC -- legal in countries with strong consumer laws. In fact, that clause hasn't even been tested in the US yet, so we don't know if it's enforceable here.
defense of Green Party leftist Richard Stallman
Again, I didn't defend him, I don't even like him. However, when you start spouting lies about his positions on subjects, they need to be corrected.
More obvious lies, you rush to defend that crackpot leftist constantly, just like the Russian hackers you're still trying to make excuses for. You're no more credible than the scumbags you so diligently defend, as the record clearly shows.
We do have a view in common, in that software patents (as opposed to all patents as you falsely claim) are bad. You also have a common view with him, in that software choice should be on a philosophical basis. This view is the main reason I like neither of you.
My philosophy for software is the same as for everything else - I don't support radical leftists, or foreign criminals who steal from the U.S. The opposite end of the spectrum are people like you, who defend them endlessly with lies. And with no God to hold yourself accountable to, it's probably not about to change. I'm just here to make sure everyone knows the truth, since they sure won't be getting it from you.
Exactly, you have a philosophical approach to software, just like Stallman. The rest of us just want what works best for a specific scenario at the best price. That's called a reasoned, informed decision, rather than an emotional one. It's a good thing in business, you should try it some day.
And with no God to hold yourself accountable to, it's probably not about to change. I'm just here to make sure everyone knows the truth
Love your ad hominem. Resorting to that is a sure sign of a losing position.
Remember that FReeper who's on my side, who you falsely accused* of sending you to a "hacker site" to download system updates, when it was just a flash animation of an update from an official site? He's an evangelical Christian. Are you going to find a way to use that against him?
* Hey, that's prohibited in the Ten Commandments, isn't it? I believe it's called "false witness." Even this atheist seems to know more about Christianity than you apparently do, and actually seems to be following its tenets better than you.
No one else is here to defend your lies tonight, not even FLAMING DEATH. Not that many other than him even do anymore.
I've already listed a few of your factual, provable lies. Name one from me, except for where I was leading you on to show you don't know as much about security as you say you do.
Another lie, all you've done is defend leftists and foreign hackers, just like always.
Accusing FReeper of sending you to hacker site for updates -- check.
Stating Stallman wants all patent laws overturned -- check.
Claiming you discovered my test of you on your own -- check.
Care to attempt to refute with facts?
Come on...it's obvious you were caught in a lie so you changed it to you were only joking. Did you also say..."Yeah, that's the ticket, I was joking" in a Jon Lovitz voice?
Read threads before commenting.
Wow, you really convinced me--NOT. If anything you pretty much proved you were caught in a lie and can't weasel your way out of it. I remember you trying something similar in a debate you and I had many moons ago. You just never can admit that you're wrong...even when proven wrong you either try to change the topic or deny the evidence.
Does what GE claim fit in past Anti-R's posts/behaviors?...CHECK
Has Anti-R ever behaved this way toward me?...CHECK
Is it obvious to all that he's obfuscating again?...CHECK
Wrong. I was testing him for a while on what a security expert such as him should know (what is nmap and who is the author), and he failed. I myself revealed the truth, was not caught on it by him (although another FReeper, admittedly not an expert in security, guessed correctly in private). Otherwise, point out something non-factual that I said -- differences of opinion and interpretation don't count, factual errors don't count when retracted.
Has Anti-R ever behaved this way toward me?...CHECK
Name a lie.
Is it obvious to all that he's obfuscating again?...CHECK
Examples, please.
I hope you don't pull a GE and resort to ad hominem, distractions, and rants. Links, hard facts only.
->Accusing FReeper of sending you to hacker site for updates
The FReeper you are referring to doesn't mind being referred to as a hacker, in fact his screen name is based on hacker symbology. Any links from him are obviously suspect, just because you worship foreign hackers doesn't mean the rest of us should ever trust links from them.
->Stating Stallman wants all patent laws overturned
You've never disproven this that I recall with anything other than hot air, yes we know you'll defend that radical leftist and others like him till your dying breath but show me a link to your posts where you've actually ever proven anything.
->Claiming you discovered my test of you on your own
This has been pointed out to you several times before, yet you continue to lie about it. Here's a link from October 2006 where I give links to both where you started your lie, and to the thread months later where you were still lying and I busted you on it.
http://www.freerepublic.com/focus/f-chat/1724347/posts?page=148#148
Here's a repost of that October 2006 post, where I showed where the antiRepublican started his lies defending Russian hackers, and continued them for months until I finally got bored of his BS and actually looked it up:
http://www.freerepublic.com/focus/f-chat/1724347/posts?page=148#148
Another lie, of course. Here is antiRepublican's original lie, on March 25, which he went on to perpetuate for months, which is obviously a statement and not a question:
"Our military is using open source software written by a Russian hacker to secure its networks" - http://www.freerepublic.com/focus/f-news/1602741/posts?page=71#71
Here he is several months later (Oct 5,) still perpetuating the lie he purposefully created months ago as part of his endless effort to defend criminal Russian hackers:
"Nmap is included in the distro, and we all know that was written by a Russian hacker." - http://www.freerepublic.com/focus/f-chat/1710675/posts?page=229#229
He has since outright admitted to these lies, despite his attempt to now deny them, and deny the fact he admitted to them, but as you can read on this very thread he admitted "Yes, I lied" on post #87. Obviously, his lies are out of control, and anything he says must be considered untrustworthy. Something I knew all along, but now the record clearly shows, despite his new efforts to lie his way out of it.
http://www.freerepublic.com/focus/f-chat/1724347/posts?page=148#148
Wow...that reveals a lot (not that I didn't already know it about him). I can't believe even he would keep a lie going for months. Even if he did this to try and trap you...it took him several months to either admit his lie or to catch you on one thing (if he ever did). To lie for months to try and trick someone into saying something isn't an honest way to do business and personally I think you should be banned from FR for such shenanigans. It's one thing to say something wrong...to lay the bait, but if it's not taken up shortly you must correct the record.
Also Anti-R's refusal to admit he's wrong is proven in his post about when another Freeper corrects him...he admits the other Freeper is right, but he is too. Or he just downplays the significance of his error.
I think I'm done wasting time with him. I'll just bookmark this http://www.freerepublic.com/focus/f-chat/1724347/posts?page=148#148 and refer to it whenever he posts to me and say I don't deal with confirmed liars.
->I was testing him for a while
No, you were lying in defense of Russian hackers, trying to claim an American was a Russian hacker in the hope it might justify the other, actual Russian hackers you were trying to defend. You even went so far as to claim this Russian hacker you made up was being used extensively by the US DoD, more lies which have all since been proven to be a lie. You yourself have even since admitted, quote, "Yes, I lied". Here is that admission since you're certain to try to deny it with more new lies as well.
http://www.freerepublic.com/focus/f-chat/1724347/posts?page=88#88
So the question is, was he lying then or lying now? I guess he admitted to lying then...so is he still lying? He says he was trying to trap you (evidently over a several-month period). You say he was lying to defend Russian hackers.
Based on the fact that I've seen GE admit when he was mistaken in the past, he has more credibility than Anti-R, a confirmed LIAR by his own admission.
Then I remember previous anti-R's posts and decide he was lying in defense of Russian hackers. When caught he admits to the lie but claims it was to trick you.
He truly is despicable.
You really don't know the traditional meaning of the word "hacker," do you? UNIX (the traditional UNIX you like) was built by hackers. In any case you also accused him of supporting downloading updates from unofficial sites, when his animation showed an official update -- you actually thought an update was provided at his site! Incredible.
you'll defend that radical leftist
In your link below, I actually call Stallman a bastard for wanting to control hardware with his software license, and agree that he has a "cracked" agenda. Yep, that sounds like an unequivocal defense of him.
You've never disproven this that I recall with anything other than hot air
You have to prove the claim. All you could come up with was Stallman's statements that he is against software patents. After I nailed you on this, you quietly started writing "software patents" instead of just "patents" with no retraction of your false claim.
If you think that I have to prove that he doesn't hate all patents, then your logic is flawed. The one making the claim must provide proof. Otherwise, we all need proof that you don't raid the nearby goat farm for your own sexual pleasures, or you are considered to be doing it every day.
show me a link to your posts where you've actually ever proven anything.
Check out 119 in your Linux thread. I strung you along on your "criminal" claim, and then slammed it by citing applicable federal law. You only ranted in response, providing no contrary cites or precedent. I won, and was even complimented for the elegance with which I fed you your rope.
Here's a link from October 2006 where I give links to both where you started your lie, and to the thread months later where you were still lying and I busted you on it. http://www.freerepublic.com/focus/f-chat/1724347/posts?page=148#148
You didn't guess it on that thread, much less bust me on anything. It was just too good to be true, with a name like Fyodor.
And looking back on that thread, you might want to stop using the term "cracker," to refer to black-hats, as it was coined by Stallman himself.
There was no lying. Pay closer attention to the whole thread, and the punctuation being used. It really is possible to determine one's frame of mind when reading the post correctly. I knew he was stringing GE along. Of course, I also knew about Fyodor, and I knew that GE didn't, given his obviously exaggerated claims of security knowledge.
However, since GE was caught in this, he's been claiming "LIE!" instead of admitting he was caught in a sting that was obvious from the very beginning.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.