Free Republic
Smoky Backroom


Mac, Windows QuickTime Flaw Opens 'Month Of Apple Bugs'
Information Week ^ | Jan 2, 2007 03:04 PM | Gregg Keizer

Posted on 01/03/2007 11:04:31 AM PST by newgeezer

The exploit could be used by attackers to compromise, hijack, or infect computers running either Windows or Mac OS X.

The Month of Apple Bugs project kicked off Monday by posting a zero-day vulnerability in Apple's QuickTime media player. It also posted an exploit that could be used by attackers to compromise, hijack, or infect computers running either Windows or Mac OS X.

The Month of Apple Bugs (MoAB), which will announce a new security vulnerability in Apple's operating system or other Mac OS X software each day in January, is a follow-on to November's "Month of Kernel Bugs" campaign, and is co-hosted by that project's poster, a hacker who goes by the initials "LMH," and a partner, Kevin Finisterre, a researcher who has posted numerous Mac vulnerabilities and analyses on his own site.

The debut vulnerability is in QuickTime 7's handling of RTSP (Real Time Streaming Protocol) links; the protocol is used to transmit streaming audio, video, and 3-D animation over the Web. Users duped into clicking on an overlong rtsp:// link could find their PCs or Macs compromised. It also may be possible to trigger the attack automatically, with no click at all, simply by enticing users to a malicious Web site that embeds such a link.

"Exploitation of this issue is trivial," said LMH in the vulnerability's write-up on the MoAB Web site. The associated exploit code has been tested on Mac OS X running on Intel-based systems, and works against QuickTime 7.1.3, the current version of the player, LMH and Finisterre said.

Other security researchers rang alarms Tuesday. Danish vulnerability tracker Secunia, for example, pegged the bug as "highly critical," the second-from-the-top threat in its five-step score, and Symantec alerted customers of its DeepSight threat network of the vulnerability.

An Apple spokesman declined to confirm the vulnerability, or, if it was legitimate, when the flaw might be fixed. In an e-mail, he said that "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users. We always welcome feedback on how to improve security on the Mac."

LMH, who didn't immediately reply to several questions sent via e-mail, said on the MoAB site that Apple's Mac OS X operating system was chosen as the target for the month of vulnerabilities because "we like to play with OS X, we enjoy hate e-mail, and it's not as crowded as (random software vendor), yet. Thus, it's really comfortable for research and there's so much to be worked out."

He also said that Apple -- and other vendors whose Mac OS X applications might be the focus of a bug posted during the month's run -- would not be notified in most cases before the information went live, and dismissed that practice. "The point is releasing them without vendor notification. The problem with so-called 'responsible disclosure' is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial. And the reward (automated responses and euphemism-heavy advisories) doesn't pay off in the end."

LMH, Finisterre, and commercial security vendors recommended that users disable QuickTime's ability to process rtsp:// links until a patch is available. In Windows, launch QuickTime, select Edit|Preferences|QuickTime Preferences, click the File Types tab, expand Streaming, and clear the box marked "RTSP stream descriptor." In Mac OS X, select System Preferences|QuickTime|Advanced|MIME Settings|Streaming|Streaming Movies and clear the "RTSP stream descriptor" box.
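Disabling the handler on every endpoint is not always practical. A complementary control, added here as an example and not code from the article, the MoAB advisory, or Apple, is a gateway or mail-filter check that pulls rtsp:// links out of HTML or proxy log lines and flags or strips any that are "overlong," the trigger condition the write-up describes. The length threshold below is an assumption for illustration (the advisory quoted on the page gives no figure); tune it to what legitimate streaming links in your environment look like. The sample lines are constructed, not captured traffic.

```python
"""
Gateway-side pre-filter for overlong rtsp:// links.

Added example, not code from the InformationWeek article, the MoAB
advisory or QuickTime itself. The threshold is an assumption.
"""
import re

# Assumed threshold: ordinary rtsp:// links are well under this. The
# article describes the trigger only as an "overlong" link, so the
# number is a local policy choice, not a figure from the advisory.
MAX_RTSP_URL_LEN = 256

# Matches rtsp:// URLs in raw text, href="..." and src="..." values,
# and log fields. Quotes, whitespace and angle brackets terminate a link
# in HTML attributes and in typical access-log formats. Case-insensitive
# so RTSP:// is not missed.
RTSP_URL_RE = re.compile(r"rtsp://[^\s\"'<>]+", re.IGNORECASE)


def extract_rtsp_urls(text):
    """All rtsp:// links found in one line of HTML or log text."""
    return RTSP_URL_RE.findall(text)


def is_overlong(url, limit=MAX_RTSP_URL_LEN):
    """True if the link exceeds the configured length budget."""
    return len(url) > limit


def scan_lines(lines, limit=MAX_RTSP_URL_LEN):
    """Return (line_no, url, reason) findings for every overlong link."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for url in extract_rtsp_urls(line):
            if is_overlong(url, limit):
                findings.append((n, url, "overlong rtsp:// link"))
    return findings


def strip_overlong_rtsp_links(text, limit=MAX_RTSP_URL_LEN):
    """Rewrite a line so that overlong rtsp:// links are neutralised while
    normal-length ones pass through untouched. The replacement token no
    longer matches the rtsp:// scheme, so a client cannot follow it."""
    def _replace(match):
        url = match.group(0)
        return url if not is_overlong(url, limit) else "rtsp-link-removed"
    return RTSP_URL_RE.sub(_replace, text)


# Constructed sample input (not real traffic): a benign link, a visibly
# padded one, a padded one hidden behind percent-encoding inside an
# <embed> tag (the no-click case), and an unrelated access-log line.
SAMPLE_LINES = [
    '<a href="rtsp://media.example.com/news/clip.mov">Watch</a>',
    '<a href="rtsp://evil.example.com/' + "A" * 2000 + '">Free video!</a>',
    '<embed src="rtsp://evil.example.com/' + "%41" * 200 + '.mov">',
    '10.0.0.5 - - [03/Jan/2007:11:04:35 -0800] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for line_no, url, reason in scan_lines(SAMPLE_LINES):
        print(f"line {line_no}: {reason} ({len(url)} chars)")
    for line in SAMPLE_LINES:
        print(strip_overlong_rtsp_links(line)[:80])
```

Run as-is it reports lines 2 and 3 and prints the neutralised versions; in a real deployment `scan_lines` would feed an alert and `strip_overlong_rtsp_links` would run on the response body before it reaches a client with the RTSP handler still enabled. Length is the only signal here because length is the only trigger the page describes; it will not catch a short rtsp:// link pointing at a hostile server, so it is a stopgap, not a substitute for the preference change above or for the eventual patch.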

Apple's QuickTime was last in the news during December, when a bug in the player was exploited by fraudsters on MySpace. That vulnerability remains unpatched.

LMH expects to see more QuickTime attacks now that his newest flaw has gone public. He said, "It's a matter of time to see this getting abused in the wild."


KEYWORDS: apple; bugs; moab; security; threadjester
But, but, but, -- This can't be true! Everyone knows Mac users needn't be concerned about security flaws!! /s
1 posted on 01/03/2007 11:04:35 AM PST by newgeezer

To: newgeezer

I recall being ripped to shreds here a few weeks ago because I mentioned that QuickTime causes problems. Case closed.


2 posted on 01/03/2007 11:06:42 AM PST by TommyDale (Iran President Ahmadinejad is shorter than Tom Daschle!)

To: newgeezer
I still don't run any non-standard security software (e.g., I use the built-in firewall) on my Mac and I'm still not concerned.
3 posted on 01/03/2007 11:08:04 AM PST by Question_Assumptions

To: newgeezer

I wonder what Leo Laporte has to say about THIS?


4 posted on 01/03/2007 11:10:59 AM PST by NordP (America Votes: So sad to find out the majority is self-centered, short-sighted, and impatient.)

To: Question_Assumptions

While in Seattle over Christmas, we visited an Apple retail store. #1 son (Mac fan) pointed to a small white tabletop box little bigger than a box of Kleenex, that he said had more power than my Dell tower. What the heck?


5 posted on 01/03/2007 11:18:06 AM PST by Eric in the Ozarks (BTUs are my Beat.)

To: Eric in the Ozarks

Was the box full of Plutonium?


6 posted on 01/03/2007 11:22:27 AM PST by dangerdoc (dangerdoc (not actually dangerous any more))

To: dangerdoc

Don't know. Cobalt Thorium G, maybe.


7 posted on 01/03/2007 11:26:26 AM PST by Eric in the Ozarks (BTUs are my Beat.)

To: Eric in the Ozarks
Cobalt Thorium G, well, I'll be a Capitalist Stooge!!!
8 posted on 01/03/2007 11:31:16 AM PST by MrNeutron1962

To: newgeezer

"But, but, but, -- This can't be true! Everyone knows Mac users needn't be concerned about security flaws!! /s"

I get Apple security updates to download in my iMac G5, regularly. It has the old Motorola chip.


9 posted on 01/03/2007 11:33:38 AM PST by RoadTest (Keep our Marines out of Kangaroo court!)

To: RoadTest

Have been using Macs since 1984, never had a virus or security problem...

What's a virus again?


10 posted on 01/03/2007 11:44:48 AM PST by observer5 (It's not a War on Terror - it's a WAR ON STUPIDITY!)

To: All

Fix for Windows and Mac, but Mac fix still has problems.

http://isc.sans.org/diary.php?compare=1&storyid=1993


11 posted on 01/03/2007 11:57:39 AM PST by rightgrafix

To: newgeezer
But, but, but, -- This can't be true! Everyone knows Mac users needn't be concerned about security flaws!! /s

You're indiscriminate. The lack of worry was due to several differences between Windows and MacOS, none of which was this.
12 posted on 01/03/2007 12:26:13 PM PST by aruanan

To: TommyDale
I recall being ripped to shreds here a few weeks ago because I mentioned that QuickTime causes problems. Case closed.

Link (@ #3 - "Quick Time is full of adware and spyware as well.")

13 posted on 01/03/2007 1:07:19 PM PST by HAL9000 (Get a Mac - The Ultimate FReeping Machine)

To: Eric in the Ozarks
It basically uses laptop components to keep it small and doesn't have all the air space in the Dell tower for expansion slots (using USB and Firewire connectors for expansion, instead). They are pretty powerful little machines, though not as flexible as your Dell if you want to swap out components.
14 posted on 01/03/2007 1:10:37 PM PST by Question_Assumptions

To: Question_Assumptions

I was impressed with the Apple 30 " flat screen.


15 posted on 01/03/2007 1:13:18 PM PST by Eric in the Ozarks (BTUs are my Beat.)

To: N3WBI3; antiRepublicrat; TechJunkYard

I remember a discussion a year or so ago that exploits on MAC/Apple systems were impossible. I wonder if techjunkyard and N3WBI3 will be here to help explain how this can happen.

As I stated then...security by obscurity is not real security.

Apologies to those on the TO: line if you weren't one of the defenders of Apple's perfection.


16 posted on 01/03/2007 1:57:28 PM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: HAL9000

Wow. You found that quickly. My apologies for using the terms adware and spyware. All I know is that it sure as heck caused problems.


17 posted on 01/03/2007 2:01:30 PM PST by TommyDale (Iran President Ahmadinejad is shorter than Tom Daschle!)

To: for-q-clinton
I remember a discussion a year or so ago that exploits on MAC/Apple systems were impossible.

I certainly hope nobody said it, because exploits already existed back then. However, active exploits in the wild, actually taking over Macs, do not exist yet. Maybe some day...

As I stated then...security by obscurity is not real security.

Then it's good that Macs don't rely on it.

18 posted on 01/03/2007 2:09:23 PM PST by antiRepublicrat

To: newgeezer

Wow! A month of Apple bugs and roughly 30 years (and counting) of M-Soft bugs. Apple has a long way to go to be as good at security flaws as M-Soft, but give them credit they're trying.


19 posted on 01/03/2007 2:23:40 PM PST by DonGrafico (Gowd demmit bub! You ain't from around heah ah ya?)

To: antiRepublicrat
Then it's good that Macs don't rely on it.

But their users do... most I know don't even run AV protection.

20 posted on 01/03/2007 2:39:16 PM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.


FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson