Posted on 01/03/2007 11:04:31 AM PST by newgeezer
The Month of Apple Bugs project kicked off Monday by posting a zero-day vulnerability in Apple's QuickTime media player. It also posted an exploit that could be used by attackers to compromise, hijack, or infect computers running either Windows or Mac OS X.
The Month of Apple Bugs (MoAB), which will announce a new security vulnerability in Apple's operating system or other Mac OS X software each day in January, is a follow-on to November's "Month of Kernel Bugs" campaign, and is co-hosted by that project's poster, a hacker who goes by the initials "LMH," and a partner, Kevin Finisterre, a researcher who has posted numerous Mac vulnerabilities and analyses on his own site.
The debut vulnerability is in QuickTime 7's parsing of RTSP (RealTime Streaming Protocol); the protocol is used to transmit streaming audio, video, and 3-D animation over the Web. Users duped into clicking on an overlong rtsp:// link could find their PCs or Macs compromised. It also may be possible to automatically trigger an attack simply by enticing users to a malicious Web site.
"Exploitation of this issue is trivial," said LMH in the vulnerability's write-up on the MoAB Web site. The associated exploit code has been tested on Mac OS X running on Intel-based systems, and works against QuickTime 7.1.3, the current version of the player, LMH and Finisterre said.
Other security researchers rang alarms Tuesday. Danish vulnerability tracker Secunia, for example, pegged the bug as "highly critical," the second-from-the-top threat in its five-step score, and Symantec alerted customers of its DeepSight threat network of the vulnerability.
An Apple spokesman declined to confirm the vulnerability, or, if it was legitimate, when the flaw might be fixed. In an e-mail, he said that "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users. We always welcome feedback on how to improve security on the Mac."
LMH, who didn't immediately reply to several questions sent via e-mail, said on the MoAB site that Apple's Mac OS X operating system was chosen as the target for the month of vulnerabilities because "we like to play with OS X, we enjoy hate e-mail, and it's not as crowded as (random software vendor), yet. Thus, it's really comfortable for research and there's so much to be worked out."
He also said that Apple -- and other vendors whose Mac OS X applications might be the focus of a bug posted during the month's run -- would not be notified in most cases before the information went live, and dismissed that practice. "The point is releasing them without vendor notification. The problem with so-called 'responsible disclosure' is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial. And the reward (automated responses and euphemism-heavy advisories) doesn't pay off in the end."
LMH, Finisterre, and commercial security vendors recommended that users cripple QuickTime's ability to process rtsp:// links. In Windows, launch QuickTime, select Edit|Preferences|QuickTime Preferences, click the File Types tab, expand Streaming, and clear the box marked "RTSP stream descriptor." In Mac OS X, select System Preferences|QuickTime|Advanced|MIME Settings|Streaming|Streaming Movies and clear the "RTSP stream descriptor" box.
Apple's QuickTime was last in the news during December, when a bug in the player was exploited by fraudsters on MySpace. That vulnerability remains unpatched.
LMH expects to see more QuickTime attacks now that his newest flaw has gone public. He said, "It's a matter of time to see this getting abused in the wild."
Not surprisingly, hacker codenamed N3WBI3 comes running to the admitted liar antiRepublican's defense. The same N3WBI3 that called his outright ADMISSION that he had lied for months, on purpose, quote "a thing of beauty".
http://www.freerepublic.com/focus/f-chat/1724347/posts?page=130#130
Wow, everything about that post was incorrect. I was responding to you talking about me, and I never mentioned ar and somehow the fact you are breaking posting guidelines gets replaced with me rushing to AR's defense.
What he did was very funny, but I would not have done it that way because it was deceptive..
dude, enough with the ad hominems. the fact that you've simply resorted to personal attacks in a vain attempt to cover yourself demonstrates that you've lost the argument...
secondly, I highly doubt n3wbi3 is a hacker. in fact, iirc, he's a microsoft and RH certified sysadmin.
i hold a basic job in it and even i can recognize the difference between a sysadmin and a hacker.
Wow, you must be a genius. Explain why he has 3 in his username then.
You better tell him and not me then, because I will obviously keep hanging him higher with all the rope he is willing to take LOL.
have you even considered that maybe that's what he wants his SN to be?
just because n3wbi3 has a pair of threes in it and thus somewhat resembles 1337speak, doesn't automatically make him a hacker.
"1337speak"? Are you a hacker, too?
no, i'm not...
I think this post is probably the worst comeback in an argument I have ever seen. It's scraping the bottom of the barrel here.
Why, because you have no answer? Answer it then. Why does N3WBI3 have 3 in his username.
With logic like that you have probabally worked for the FBI..
Under Clinton
What's the punchline then?
LOL! Hmm. Let me think. Who chose his SN? Was it me? Let me think about that one for a bit.......
No.
Why the heck are you asking ME? What kind of stupid, lame-brain argument is this that you cannot even address issues and are now resorting to ad hominems?
LOL what does that have to do with why there are 3's in your username? Can anybody give me a reason?
NEVER believe the BS in a C&D. They are designed to intimidate, and the lawyers can put whatever BS they want in them. Even though the DMCA specifies a specific format for these takedown notices, including the certification that the writer is the copyright owner or agent of the owner, there is ZERO actual penalty for falsifying any of this ("under penalty of perjury, that I am authorized to act" means crap, as courts have already thrown out countersuits when that was in fact false).
BTW, the referenced Universal City Studios v. Reimerdes was a civil action, and I see no reference to § 1204, Criminal offenses and penalties.
Show me some law!
...because it doesn't freakin' matter. It's a screen name, fer cryin out loud.
Seriesly Iggle. Get a life, will ya?
Because you seem to be claiming that the 3's couldn't be related hacker lingo, even though they appear to be what you refer to as "l33t"?
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.