Posted on 01/03/2007 11:04:31 AM PST by newgeezer
The Month of Apple Bugs project kicked off Monday by posting a zero-day vulnerability in Apple's QuickTime media player. It also posted an exploit that could be used by attackers to compromise, hijack, or infect computers running either Windows or Mac OS X.
The Month of Apple Bugs (MoAB), which will announce a new security vulnerability in Apple's operating system or other Mac OS X software each day in January, is a follow-on to November's "Month of Kernel Bugs" campaign, and is co-hosted by that project's poster, a hacker who goes by the initials "LMH," and a partner, Kevin Finisterre, a researcher who has posted numerous Mac vulnerabilities and analyses on his own site.
The debut vulnerability is in QuickTime 7's parsing of RTSP (RealTime Streaming Protocol); the protocol is used to transmit streaming audio, video, and 3-D animation over the Web. Users duped into clicking on an overlong rtsp:// link could find their PCs or Macs compromised. It also may be possible to automatically trigger an attack simply by enticing users to a malicious Web site.
"Exploitation of this issue is trivial," said LMH in the vulnerability's write-up on the MoAB Web site. The associated exploit code has been tested on Mac OS X running on Intel-based systems, and works against QuickTime 7.1.3, the current version of the player, LMH and Finisterre said.
Other security researchers rang alarms Tuesday. Danish vulnerability tracker Secunia, for example, pegged the bug as "highly critical," the second-from-the-top threat in its five-step score, and Symantec alerted customers of its DeepSight threat network of the vulnerability.
An Apple spokesman declined to confirm the vulnerability, or, if it was legitimate, when the flaw might be fixed. In an e-mail, he said that "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users. We always welcome feedback on how to improve security on the Mac."
LMH, who didn't immediately reply to several questions sent via e-mail, said on the MoAB site that Apple's Mac OS X operating system was chosen as the target for the month of vulnerabilities because "we like to play with OS X, we enjoy hate e-mail, and it's not as crowded as (random software vendor), yet. Thus, it's really comfortable for research and there's so much to be worked out."
He also said that Apple -- and other vendors whose Mac OS X applications might be the focus of a bug posted during the month's run -- would not be notified in most cases before the information went live, and dismissed that practice. "The point is releasing them without vendor notification. The problem with so-called 'responsible disclosure' is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial. And the reward (automated responses and euphemism-heavy advisories) doesn't pay off in the end."
LMH, Finisterre, and commercial security vendors recommended that users cripple QuickTime's ability to process rtsp:// links. In Windows, launch QuickTime, select Edit|Preferences|QuickTime Preferences, click the File Types tab, expand Streaming, and clear the box marked "RTSP stream descriptor." In Mac OS X, select System Preferences|QuickTime|Advanced|MIME Settings|Streaming|Streaming Movies and clear the "RTSP stream descriptor" box.
Apple's QuickTime was last in the news during December, when a bug in the player was exploited by fraudsters on MySpace. That vulnerability remains unpatched.
LMH expects to see more QuickTime attacks now that his newest flaw has gone public. He said, "It's a matter of time to see this getting abused in the wild."
Stop there again. The law requires that willfulness be proven by the accuser. Infringement is non-willful until proven otherwise. Given that the person operates under the kind of copyright law in this regard that most of the world operates under, it is reasonable that he may not know of our specific law in that regard.
For example, did you know that in the UK if you are sued for libel it is up to you to prove that you did not commit libel? Didn't think so. It seems strange to us because in the US the plaintiff must prove the various criteria of libel. It would likewise seem strange to someone in most of the rest of the world that you cannot mess around with software you just bought or create tools to install it on your computer.
There was a significant financial benefit for anyone who was illegally using the crack to run OSX on cheap Dells,
You blow it again. The financial benefit must be for the author or distributor. It doesn't matter if a million people save $100 each. The hacker, who was described as a Mac fanatic himself (and likely a Mac developer, since he originally used the developer version of OS X) most likely already had a Mac. In any case, it doesn't work like that. You actually need to receive something of value in exchange for the tool. Any financial gain you may think up is not based on facts, and we have only the facts of the article to deal with.
You need to prove criminality according to the facts on hand and the law which you so carelessly dismissed the first time I brought this up quite a while ago.
You said that I said "copyright cases can't be criminal." I said copyright cases can be civil and/or criminal. I NEVER said copyright cases can't be criminal -- I said THIS copyright case can't be criminal according to the information we have.
That is a lie and libel against me. You bear false witness.
You said that I said "distributing the crack and not the copyrighted material wasn't breaking copyright law." I actually said it didn't qualify for criminal penalties IN THIS CASE. I never said it wasn't breaking copyright law. As you saw me post in #376, it likely breaks Section 1201 of the DMCA, and the author is likely subject to civil liability for it.
That is a another lie and libel against me. You again bear false witness.
Now which commandment was it that you broke several times in this thread, twice in that one post? I believe it was number nine (or eight, depending on your denomination).
Supporting my position your "relatively recent" comment was obviouslyjust another boatload of your endless BS.
the article does not show those criteria
No one needs the article to admit they knew it was illegal to crack OSX, any claims by you that we do are as laughable as those you made that they didn't know in the first place. Not that we are surprised, as the record clearly shows you are an admitted liar who makes up his lies quote "for fun". Any expectation you will stop lying now would be incredibly premature, since lying is admittedly how you get your kicks, especially when you get to defend foreign criminals.
So we disagree on relatively recent, although we're still closer to 1909 than 1909 is to the original copyright law. Without "relatively recent" my point still remains, that it was an addition to copyright law that wasn't always there. Copyright law started out a as a civil issue between the copyright holder and the alleged infringer. This is because copyright is exactly as the name sounds: copy right. Others violate your right by infringing, so you sue them.
So perhaps a better wording would have been "a later addition" rather than "relatively recent."
No one needs the article to admit they knew it was illegal to crack OSX
You need to prove willfulness in in order for it to be criminal. It is not assumed. In fact, look at the Elcomsoft trial and see that the prosecution specifically made sure that the Elcomsoft executives knew about the DMCA. Because without that they would have had no case.
Interesting you start using the word "illegal." We would not even be having this issue if you'd just said "illegal hacking" from the beginning.
Your claim that no Russian hackers benefitted financially from this is equally devious to your other claims. You are an admitted liar, who lies in defense of leftists and foreign criminals, that much was already clear.
the law which you so carelessly dismissed
LOL, I am the obviously the one defending the law, while you endlessly try to use your lies to enable foreign hackers to trample all over it.
More lies, of which there will be no end, since you've already outright admitted in this very thread you lie in defense of foreign criminals quote "for fun".
"LOL yeah I know it bugs you to have to sit here and watch your blasphemous buddy antiRepublican go down in flames..."
Actually, I think he's doing a pretty good job of rattling the cage of a feeble-minded troll...
"...instead of constantly stalking me on this board..."
I was pinged here, dolt. How many times did you mention my name here beforeI showed up? I maintain that you have a crush on me...
" your posting history shows nothing but attacks on me for months..."
And I suppose your posts to me are all rainbows and sunshine...
Quit your whining, missy. If you don't like the treatment you get, then leave. Or, work on improving your personality...
So we now have it on record that when presented with your libel you refuse to confess, admit mistake or accidental misquote.
Thank you.
There is absolutely zero evidence of financial gain in that article. Anything else you are making up. You cannot support your position that they are subject to criminal penalties through law.
I am the obviously the one defending the law
That's a joke. It took forever just to get you to reference the law. You initially just dismissed it, didn't even reference the law in your defense.
LOL at the flaming liar. FYI your posting history is kept here, and a simple glance shows you haven't managed to post a single thing other than attacks on me since September 2006!
http://www.freerepublic.com/focus/user-posts?id=33689
I wonder if FR has a "stalker of the year award"?
You can keep lying trying to defend your criminal Russian hacker heroes, but the record is clear, you've already outright admitted you are willing to lie for months on their behalf, and have zero credibility when it comes to law enforcement.
Again, prove financial gain and willfulness or shut up.
BTW, a later hacker involved in this, and the one currently running the show for "OSX86" is an Apple fanatic who already owns Macs, and isn't even Russian (the original Russians are now mostly out of the picture).
Chew on that for a bit.
What a coincidence! Yours shows the same toward me...
...and rzeznikj at stout, and antiRepublicrat, and N3WBI3, and mike from ohio, and ShadowAce, and Petronski, and...come to think of it, about 90% of the people you post to on here...
Listen carefully. I DON'T FEEL SORRY FOR YOU. Go peddle your "woe is me" persecution drama elsewhere. No one here is interested in granting you victimhood.
As I said before, if you don't want to be a punching bag, then work on your personality or leave!
Either way, quit whining already!
Your link. Your reference. You are responsible for reading the contents of your own references. You tried to claim memory mistake on me for citing your own references, and you still won't get away with it. Got it? Good. A reasonable person would see that most of those posts aren't attacks, but you're not reasonable. You are also a first-class weasel who will say that anything posted to or about you is an attack.
So, even with your weaseling, an attack on you must at least mention you directly or indirectly and/or be directed to you. It would include making fun of you or complaining about you in posts to others. Simply talking on the subject of Linux to another doesn't apply. Got it? Good. Now:
Post to W3BMAST3R101
Post to Paleo Conservative
Post to unspun
Knock it off, stop talking about me without pinging me. I have been a conservative my entire life I have worked and donated to republican candidates from before I could vote or drive. Don't you dare question my pedigree or lifetime commitment to small government and the freedoms that provides without letting me know what sick twisted crap you are up to. Its against the posting guidelines of this forum and is rude to boot you coward.
On my part, sorry for not pinging you in my reply to his post that brought you into it.
*Sigh*. You just can't take a hint, can you? You also conveniently ignored the first half of that post.
What, you trying to cite scripture to me in your apparent defense of an admitted liar and atheist? LOL it was pretty comical.
Thread Jester Ping
A low-volume pinglist dedicated for all the thread jesters out there--you know who you are...8^)
FReepmail rzeznikj at stout or MikefromOhio to be added or struck from the list..
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.