Free Republic
Browse · Search
Smoky Backroom
Topics · Post Article

Skip to comments.

Mac, Windows QuickTime Flaw Opens 'Month Of Apple Bugs'
Information Week ^ | Jan 2, 2007 03:04 PM | Gregg Keizer

Posted on 01/03/2007 11:04:31 AM PST by newgeezer

The exploit could be used by attackers to compromise, hijack, or infect computers running either Windows or Mac OS X.

The Month of Apple Bugs project kicked off Monday by posting a zero-day vulnerability in Apple's QuickTime media player. It also posted an exploit that could be used by attackers to compromise, hijack, or infect computers running either Windows or Mac OS X.

The Month of Apple Bugs (MoAB), which will announce a new security vulnerability in Apple's operating system or other Mac OS X software each day in January, is a follow-on to November's "Month of Kernel Bugs" campaign, and is co-hosted by that project's poster, a hacker who goes by the initials "LMH," and a partner, Kevin Finisterre, a researcher who has posted numerous Mac vulnerabilities and analyses on his own site.

The debut vulnerability is in QuickTime 7's parsing of RTSP (RealTime Streaming Protocol); the protocol is used to transmit streaming audio, video, and 3-D animation over the Web. Users duped into clicking on an overlong rtsp:// link could find their PCs or Macs compromised. It also may be possible to automatically trigger an attack simply by enticing users to a malicious Web site.

"Exploitation of this issue is trivial," said LMH in the vulnerability's write-up on the MoAB Web site. The associated exploit code has been tested on Mac OS X running on Intel-based systems, and works against QuickTime 7.1.3, the current version of the player, LMH and Finisterre said.

Other security researchers rang alarms Tuesday. Danish vulnerability tracker Secunia, for example, pegged the bug as "highly critical," the second-from-the-top threat in its five-step score, and Symantec alerted customers of its DeepSight threat network of the vulnerability.

An Apple spokesman declined to confirm the vulnerability, or, if it was legitimate, when the flaw might be fixed. In an e-mail, he said that "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users. We always welcome feedback on how to improve security on the Mac."

LMH, who didn't immediately reply to several questions sent via e-mail, said on the MoAB site that Apple's Mac OS X operating system was chosen as the target for the month of vulnerabilities because "we like to play with OS X, we enjoy hate e-mail, and it's not as crowded as (random software vendor), yet. Thus, it's really comfortable for research and there's so much to be worked out."

He also said that Apple -- and other vendors whose Mac OS X applications might be the focus of a bug posted during the month's run -- would not be notified in most cases before the information went live, and dismissed that practice. "The point is releasing them without vendor notification. The problem with so-called 'responsible disclosure' is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial. And the reward (automated responses and euphemism-heavy advisories) doesn't pay off in the end."

LMH, Finisterre, and commercial security vendors recommended that users cripple QuickTime's ability to process rtsp:// links. In Windows, launch QuickTime, select Edit|Preferences|QuickTime Preferences, click the File Types tab, expand Streaming, and clear the box marked "RTSP stream descriptor." In Mac OS X, select System Preferences|QuickTime|Advanced|MIME Settings|Streaming|Streaming Movies and clear the "RTSP stream descriptor" box.

Apple's QuickTime was last in the news during December, when a bug in the player was exploited by fraudsters on MySpace. That vulnerability remains unpatched.

LMH expects to see more QuickTime attacks now that his newest flaw has gone public. He said, "It's a matter of time to see this getting abused in the wild."


TOPICS:
KEYWORDS: apple; bugs; moab; security; threadjester
Navigation: use the links below to view more comments.
first previous 1-20 ... 281-300301-320321-340 ... 541-557 next last
To: antiRepublicrat
Simply put, if GE had been telling the truth about his qualifications, my little test would have fallen flat on its face in the beginning.

More obsurdity to the point of being considered further lies. Even your hacker buddy codenamed N3WBI3 admitted he wouldn't have even known what you were supposedly talking about. You can keep trying to blame others but you've already admitted you lied, for months, and equally disturbing it's all in the defense of criminal Russian hackers. You're an admitted liar, and nothing is going to change that, especially more lies. Learn to live with it, or take your lies somewhere else.

301 posted on 01/09/2007 12:16:30 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 297 | View Replies]

To: antiRepublicrat; Golden Eagle

So why the need to lie about the author of the tool?

To me it looks like this might be a possible scenario (assuming you're correct about GE not knowing the tool at all, but of course I don't concede that as that would require proof since you're a confirmed liar).

Scenario: You were mistaken about the tool's author. You discovered your mistake via freepmail so instead of admitting you were wrong you instead say you're trying to trap GE. That makes the most sense since as you say...GE didn't even know what the tool was, so why the need to lie about the author?

Which this backs GEs assertion that you were defending Russian Hackers...why else would you claim it was a Russian hacker that wrote it? According to you...you had GE on not knowing the tool so it makes no sense to also lie about the tools author since it's pretty much just a trivia question anyway.

It appears you're trying to change the issue of your lying about a Russian Hacker creating a tool. You lied to make them look good (as GE claims) because there was no need to trap him as he didn't know what the tool was (as you claim). Which one is more believable:

A) You had GE trapped on not knowing what the tool was and decided to arbitrarily extend the lie to include the author's origin...even though you already had GE nailed on not knowing what the tool was (which would be the most important issue).

B) You thought it was written by Russian Hackers (based on the guy's name) and you put it out as such in defense of russian hackers. You learned that you were wrong via freepmail and said you were laying a trap on GE to keep from admitting you were wrong.


302 posted on 01/09/2007 12:18:33 PM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 300 | View Replies]

To: for-q-clinton
So why the need to lie about the author of the tool?

To play on GE's paranoia of Russians. It was perfect given that the author had taken a Russian pseudonym.

Scenario: You were mistaken about the tool's author. You discovered your mistake via freepmail so instead of admitting you were wrong you instead say you're trying to trap GE.

Interesting, but I'll give you a bit of history. I heard of nmap long ago, and used it sometimes. I was never interested in the author. But I have been very closely following the SCO vs. IBM case for a long time (my history shows I posted in my first SCO thread here a week after I joined in 2003). In early 2004 the author pulled SCO's license to nmap due to SCO rejecting the GPL under which nmap is licensed (and which GE seems to think is inherently evil). After that I took interest in the author and have thought he's American since I first read a page at insecure.org. I have never seen writing from a Russian programmer that is so consistently, fluidly American. It would be hard to read everything there and even think he's a Russian programmer, it's just not plausible.

However, admitting to this scenario would have been tempting, as I could have just admitted a mistake instead of wading through all of these "lie" claims. Too bad I'm too honest to do that. I won't take your easy out.

Which this backs GEs assertion that you were defending Russian Hackers...why else would you claim it was a Russian hacker that wrote it?

Because GE is paranoid of Russians, and I was playing to his paranoia. Notice that the final revealing thread isn't even about Russian hackers, so there's no context there in which to defend Russians hackers.

since it's pretty much just a trivia question anyway.

A question that one with GE's claimed monumental amount of knowledge in the appropriate areas would get.

303 posted on 01/09/2007 1:05:12 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 302 | View Replies]

To: Golden Eagle
Even your hacker buddy codenamed N3WBI3 admitted he wouldn't have even known what you were supposedly talking about.

N3WBI3 admits as his name implies -- he's new to this subject.

all in the defense of criminal Russian hackers

Again, I challenge you to prove they are criminal as you claim. You can't, because I already cited applicable federal law, and you went on personal attacks instead of trying to back up your claim.

304 posted on 01/09/2007 1:09:27 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 301 | View Replies]

To: antiRepublicrat
N3WBI3 admits as his name implies -- he's new to this subject.

He's new to conservatism, obviously, at least he's making progress and not a flaming liberal like you.

I challenge you to prove they are criminal as you claim. You can't, because I already cited applicable federal law

LOL, more of your endless defense of the Russian hackers. You can quit lying in other posts claiming you're still not defending them, because it's quite obvious you're not only continuing to lie in their defense, it's obviously never going to stop.

305 posted on 01/09/2007 1:35:02 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 304 | View Replies]

To: antiRepublicrat
GE's paranoia of Russians

You mean my rightful concern of hackers from Russia who are pirating Apple's software. As oposed to your support and defense of their criminal behavior, of course.

306 posted on 01/09/2007 1:37:12 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 303 | View Replies]

To: Golden Eagle
He's new to conservatism, obviously, at least he's making progress and not a flaming liberal like you.

You sidestepped the point. He's new to hacking, and therefore likely wouldn't know that much on the subject.

LOL, more of your endless defense of the Russian hackers.

You yet again sidestepped the point. You cannot defend your claim that they are criminal. I have shown how they could be held liable under civil law for their actions, but you have not shown how it could possibly be criminal.

Lie, libel, sidestep. The story of your posting history.

307 posted on 01/09/2007 1:40:13 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 305 | View Replies]

To: Golden Eagle
You mean my rightful concern of hackers from Russia who are pirating Apple's software.

For this reply, I will consider that we are using the commonly held definition of "pirating" in this context, which is unauthorized distribution of a copyrighted work.

The story did not even accuse them of unauthorized distribution of OS X. The story stated they did find a way to make OS X run on a regular PC. Thus, you fail to substantiate your claim that they are "pirating Apple's software." Another lie in a long, factually proven, series of them.

308 posted on 01/09/2007 1:44:17 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 306 | View Replies]

To: antiRepublicrat
The story did not even accuse them of unauthorized distribution of OS X. The story stated they did find a way to make OS X run on a regular PC.

More defense of the Russian hacker pirates LOL. Which is obviously never going to stop, since you were already willing to lie for months in their defense. Try selling it to someone else, cause no one here is buying.

309 posted on 01/09/2007 1:52:04 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 308 | View Replies]

To: Golden Eagle
More defense of the Russian hacker pirates LOL.

Sidestepping again, not even paying attention to the facts of the case. Your claim of pirating remains unsubstantiated.

310 posted on 01/09/2007 1:59:45 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 309 | View Replies]

To: for-q-clinton; Golden Eagle
I have decided that, contrary to your insinuation, you are not neutral and basing your opinions on facts.

In post 298 I refuted GE's lie that he exposed me in this issue and in the processes exposed his libel (calling me a liar for claiming I gave up the answer myself)

In post 298 I uncovered two of GE's lies in this very thread about that Clinton thread.

In post 298 I exposed GE for taking things out of context in order to paint a false picture of my comments.

I did this in post 298 with direct links to all of the involved posts proving my point, and even posted my entire earlier post in context to show how GE distorts things. This is all absolutely irrefutable with logical argument.

However, I notice that while both of you have found time to comment multiple times since then, over five hours ago, neither of you have dared to reply to that post.

GE, you didn't reply because it puts your lies, libel and distortions right up there for everyone to see. You have no logical counter to that post.

for-q, I believe you didn't reply because it destroys your ostensible argument for believing GE and not me. How can you continue the charade of being disinterested when you support one who runs from his proven lies over one who admitted and explained? You can't. You are not disinterested. You are biased.

311 posted on 01/09/2007 2:04:00 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 302 | View Replies]

To: antiRepublicrat
However, admitting to this scenario would have been tempting, as I could have just admitted a mistake instead of wading through all of these "lie" claims. Too bad I'm too honest to do that. I won't take your easy out.

WTF!!!??? You're too honest so you had to lie? Whatever...

312 posted on 01/09/2007 2:09:39 PM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 303 | View Replies]

To: Golden Eagle; antiRepublicrat

wrong.

his real name is Gordon Lyon. And he's a native Californian. Unless California joined the Russian Federation or was part of the Soviet Union, they wer

The name Fyodor comes from the famous author Fyodor Dostoevsky

The smoking gun...

http://insecure.org/fyodor/

pwn3d, again.


313 posted on 01/09/2007 5:35:16 PM PST by rzeznikj at stout (Boldly Going Nowhere...)
[ Post Reply | Private Reply | To 283 | View Replies]

To: rzeznikj at stout

add

"they never had Russian citizenship."


314 posted on 01/09/2007 5:36:06 PM PST by rzeznikj at stout (Boldly Going Nowhere...)
[ Post Reply | Private Reply | To 313 | View Replies]

To: antiRepublicrat; MikefromOhio; N3WBI3; ShadowAce; FLAMING DEATH

...and we were all there


315 posted on 01/09/2007 5:38:08 PM PST by rzeznikj at stout (Boldly Going Nowhere...)
[ Post Reply | Private Reply | To 311 | View Replies]

To: N3WBI3
Very second grade behavior.

It's not elegant, but sometimes you just have to go down to the level of your opponent, at least just a little (I really wouldn't want to go all the way and be constantly ranting, falsely accusing and lying).

316 posted on 01/09/2007 7:20:21 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 279 | View Replies]

To: for-q-clinton
WTF!!!??? You're too honest so you had to lie? Whatever.

I'm too honest to get out of the issue so easily. Nice to see you're still here, reading and posting. Something you forgot along the way maybe?

317 posted on 01/09/2007 7:21:56 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 312 | View Replies]

To: antiRepublicrat
Something you forgot along the way maybe?

No haven't forgot that you still admitted to lying, but now are trying to obfuscate to cloud the fact that you admitted to lying for months.

318 posted on 01/09/2007 7:56:19 PM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 317 | View Replies]

To: for-q-clinton
No haven't forgot that you still admitted to lying, but now are trying to obfuscate to cloud the fact that you admitted to lying for months.

Are you sure you aren't related to GE? Because in his style (as shown in his last few posts) you refuse to address the points.

319 posted on 01/09/2007 8:44:38 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 318 | View Replies]

To: antiRepublicrat

LOL there are no more points. You've already admitted you lied, knowingly on purpose, for months. Just as bad, the reason you lied was to defend Russian hackers. No one really cares about anything else you have to say now, you're a liar and for evil purposes, game over. You can go back to babbling that you won the discussion now, LMAO, but no one really cares. The only good it serves is to bump this thread so even more folks will see what a twisted fool you are. Good night!


320 posted on 01/09/2007 8:57:06 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 319 | View Replies]


Navigation: use the links below to view more comments.
first previous 1-20 ... 281-300301-320321-340 ... 541-557 next last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
Smoky Backroom
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson