Month of Apple Bugs - First Bug Unveiled

Posted by Zonk on Tue Jan 02, 2007 08:45 AM
from the apple-must-be-so-proud dept.
ens0niq writes "The first bug (a Quicktime rtsp URL Handler Stack-based Buffer Overflow) of the Month of Apple Bugs has been unveiled — as previously promised — by LMH and Kevin Finisterre. From the FAQ: 'This initiative aims to serve as an effort to improve Mac OS X, uncovering and finding security flaws in different Apple software and third-party applications designed for this operating system. A positive side-effect, probably, will be a more concerned (security-wise) user-base and better practices from the management side of Apple.'"

Related Stories

[+] IT: Month of Apple Bugs Debuts in January 171 comments
An anonymous reader writes "A pair of security researchers has picked January 2007 as the Month of Apple Bugs, a project in which each passing day will feature a previously undocumented security hole in Apple's OS X operating system or in Apple applications that run on top of it. According to a post over at The Washington Post's Security Fix blog, the project is being put together by researchers Kevin Finisterre and the guy who ran November's Month of Kernel Bugs project." From the post: "It should be interesting to see whether Apple does anything to try and scuttle this pending project. In November, a researcher who focuses most of his attention on bugs in database giant Oracle's software announced his intention to launch a "Week of Oracle Database Bugs" project during the first week of December. The researcher abruptly canceled the project shortly after the initial announcement, without offering any explanation."
[+] Month of Apple Fixes 177 comments
das writes "On the same day as the launch of the Month of Apple Bugs (MOAB) (blog), Landon Fuller, a programmer, Darwin developer, and former engineer in Apple's BSD Technology Group, has launched an effort to provide runtime fixes for each MOAB issue as they are released. A fix has already been posted for the first MOAB issue."
[+] Flaw Found in Apple Bug-Fix Tool 168 comments
eldavojohn writes "The Month of Apple Bugs (MOAB) is well under way with a startling bug released Monday. From the description: 'Application Enhancer (APE) is affected by a local privilege escalation vulnerability which allows local users to gain root privileges.' APE is the same software used to deploy fixes during 'The Month of Apple Fixes' (MOAF). I know it's confusing but MOAB came first and MOAF was a developer's answer to the bugs — after all, the purpose of posting bugs is to have them identified, confirmed and eradicated. The article talks about potential remote root access by an intruder. Note that this is third party software that all of the bugs seem to be stemming from. I guess Apple has made a fairly secure system but they can't expect all third party developers to follow the same rigorous standards."
  • removed, but... (Score:3, Informative)

    by ens0niq (883308) on Tuesday January 02 2007, @08:59AM (#17431036)
    Credit line removed by the editor, but I found this report on HUP [hup.hu].
  • No problem! (Score:4, Funny)

    by fo0bar (261207) on Tuesday January 02 2007, @09:02AM (#17431054)
    This isn't a problem because it has been proven that only Windows can get viruses. Therefore, because it's not possible for viruses to spread with MacOS, security threats are irrelevant.

    Please, try the veal.
    • Re:No problem! by elrous0 (Score:2) Tuesday January 02 2007, @09:13AM
    • Re:No problem! by jellomizer (Score:1) Tuesday January 02 2007, @09:16AM
      • Re:No problem! (Score:4, Informative)

        by Jeff DeMaagd (2015) on Tuesday January 02 2007, @09:36AM (#17431314)
        (http://www.demaagd.com/ | Last Journal: Sunday October 27 2002, @06:53PM)
        I've seen several instances where Apple was aware of a bug but waited months to fix it. Heck, the Quicktime bug that permitted the MySpace virus still runs free according to the last security thread at AppleInsider.
      • Re:No problem! by Ash-Fox (Score:2) Tuesday January 02 2007, @11:47AM
        • Re:No problem! (Score:5, Insightful)

          by SuperKendall (25149) on Tuesday January 02 2007, @04:11PM (#17435674)
          Yes it has. The first one written specifically for OS X came in the form of a trojan. I've also seen Mac classic viruses work fine on PPC OS X systems.

          That was not a virus - that was a trojan (pretty huge difference if you know what the differences are!) And read through the final analysis of the work [ambrosiasw.com] the user actually had to do to contract it.

          Also, we are talking about OS X viruses not "legacy" viruses that in practice no-one will be catching since almost no-one uses Classic anymore. It's been years since OS X even shipped with OS 9.

          Not really. Have you forgotten things like auto-installing widgets?

          Which they fixed pretty quickly, as noted....


          Apple being behind other BSD systems in patching old exploits?
          Apple being behind in patching SSH, Apache?


          Which don't matter as much since they come turned off by default (and still didn't see any exploits for OS X in the wild)...

          Uh... You need to know stuff to write a windows virus too.

          Not really, there is a lot more template material online on how to do so, and a number of Windows viruses in the past have been simple variants of existing worms and viruses.

          Not according to Norton, F-secure and McAfee.

          You're wrong. Care to provide any links as to why you think you're right?

          Uh, again no. Give me some decent examples at least.

          IE. Forgot about the elephant in the room again?

          I don't know... Most of the security techniques Apple uses were developed back in the early 90s...

          Oh, they were developed way before that - which is why it is so tragic Microsoft could not even be bothered to do that much until now.

          However, the OS in my opinion is far from being a 21st century mind set in general. I mean, look at some of the stupid stuff we have to do.
          Where we have to open a console and type
          defaults write com.apple.finder AppleShowAllFiles TRUE


          True there is no UI to modify some defaults like that. But anyone who wants to see ALL files in Finder is probably also going to be pretty familiar with the shell and not really mind editing XML files. Frankly I have never enabled Finder in that manner as if I want to be messing with files Finder cannot see by default, I greatly prefer to be using Terminal anyway.

          What makes it an advanced OS is that you have a layer that is easily configurable by most users, and then a more advanced layer that is easily adjustable through a few means. The situation is still better than what Windows offered, where you had to basically write TweakUI to get at some settings that could not simply be activated in a text file; at least OS X comes with means to modify every setting in the system, even if some are not behind GUIs.

          Heh, or we could do the simple things that have always worked well... Exploits against the user. Just send them an e-mail with a .pkg file that contains a rootkit (there are feasible methods to do this on OS X), said hidden process scans the address books of users on Mac (useful, since many Mac users actually do use the mail client on the system), then starts sending copies of that .pkg to those people.... My point is, coming up with methods to make virii on Mac isn't that hard.

          Yes that would work - but Mail would warn the user about running it, and the default security level most people run at would prevent it from getting as far into the system as most rootkits are. That is the reason OS X is more secure, because of the very old concept of defense in depth applied across the OS, not because any one layer is invulnerable to attack!

          Writing viri for any platform is dead simple if you are going to rely on the user to propagate it. But Windows has a million examples of stuff that needs no user even clicking on OK to run off and do its thing. That is another difference. That and of course, the fact that today
          • Re:No problem! by Ash-Fox (Score:2) Tuesday January 02 2007, @06:26PM
          • Re:No problem! by Ash-Fox (Score:2) Wednesday January 03 2007, @11:34AM
            • Re:No problem! by SuperKendall (Score:2) Wednesday January 03 2007, @03:01PM
              • Re:No problem! by Ash-Fox (Score:2) Wednesday January 03 2007, @04:07PM
      • Re:No problem! by jb.hl.com (Score:2) Tuesday January 02 2007, @12:35PM
      • Re:No problem! by drinkypoo (Score:2) Tuesday January 02 2007, @02:16PM
        • Re:No problem! by dangitman (Score:3) Tuesday January 02 2007, @04:00PM
    • Re:No problem! by daveschroeder (Score:2) Tuesday January 02 2007, @11:20AM
  • Is this true? (Score:4, Insightful)

    by bogie (31020) on Tuesday January 02 2007, @09:11AM (#17431112)
    (Last Journal: Tuesday October 29 2002, @10:47AM)
    "The problem with so-called 'responsible disclosure' is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial."

    Is Apple as bad as MS when it comes to fixing security flaws? Is there really a need to show how "insecure" OS X is? Or is this more a "you're going to start listening to security experts when they have something to say or else..." type situation. I did read the FAQ but they really don't show any evidence to prove why this is a good thing, how this will improve OS X security, or how Apple has been unwilling to fix flaws in the past.

    They could be 1000% right, but on the surface I just don't see anything which either confirms or denies their theory. It would be nice to at least read some sort of history of how Apple has interacted with Security researchers in the past.
    • Apple Vs. Security Researchers by porkchop_d_clown (Score:1) Tuesday January 02 2007, @09:26AM
      • Re:Apple Vs. Security Researchers (Score:5, Insightful)

        by 99BottlesOfBeerInMyF (813746) on Tuesday January 02 2007, @09:47AM (#17431430)

        Apple has had poor relations with security researchers for years.

        Actually, Apple has had pretty good interactions with security researchers in general, in my experience. Being a huge PR magnet, however, they also manage to attract showboaters trying to capitalize on the popularity they can get by behaving in a less than reasonable manner. The wireless exploit you cite, for example, turned out to be hype about a problem that affected no mac in its default state, but Apple responded to it even though they were never contacted with the details of the supposed exploit and did fix several issues they found during a review of the wireless drivers they ship. Apple has done a pretty reasonable job of patching easily exploitable/wormable problems very quickly and they don't seem to be ignoring problems reported to them. One of my coworkers found a local exploit (low risk) and reported it through Apple's Website. The fix was in the next security update and even credited him. It seems like pretty good relations with the security researcher community to me.

        As for the month of Apple bugs. It is more of the same. Sure these guys could report Apple bugs to the normal channels and they'd be fixed fairly quickly and overall security would benefit. That, however, won't make the news. So instead of reporting bugs when found, these guys are intentionally delaying releasing that info to both Apple and the public. Apple isn't pressured to quickly fix bugs if they don't even know what those bugs are. The public isn't served by bugs being fixed more quickly. Users aren't served by bugs being released to the public for possible mass exploitation without Apple ever being given a chance to patch their machines. The end result is decreasing the overall security of computing. It serves no one except the researchers who are showboating and being irresponsible.

        • I'm afraid you are incorrect, sir. by porkchop_d_clown (Score:2) Tuesday January 02 2007, @10:19AM
          • Re:I'm afraid you are incorrect, sir. (Score:5, Informative)

            by 99BottlesOfBeerInMyF (813746) on Tuesday January 02 2007, @10:44AM (#17431850)

            The wireless exploit did apply to Airport cards;

            It is my understanding that the vulnerability you reference as well as the other two they fixed were both the result of an internal audit of their wireless drivers and not the result of the exploit that was publicized. The issue is more than a little muddy, however, and I'd be grateful if you could provide a reference to show either way.

          • by Nelson (1275) on Tuesday January 02 2007, @10:49AM (#17431910)
            Yeah but you see, that's against entirely different software and hardware than what secureworks supposedly demonstrated.


            I really don't see how you can paint apple in to a bad place with this, secureworks created a lot of hype while disclosing nothing to anyone, Apple took the initiative and at their own expense researched the issue and fixed potential problems they found, none of which has a known exploit. None of this validates what secureworks did, it is possible it's the bug they supposedly found but it's also possible they faked the whole thing.

            • Sigh. Where did I paint apple badly? by porkchop_d_clown (Score:2) Tuesday January 02 2007, @12:51PM
              • Re:Sigh. Where did I paint apple badly? by Nelson (Score:2) Tuesday January 02 2007, @02:48PM
              • Do you feel better now? by porkchop_d_clown (Score:2) Tuesday January 02 2007, @03:11PM
              • Re:Do you feel better now? (Score:4, Insightful)

                by Nelson (1275) on Tuesday January 02 2007, @03:54PM (#17435494)
                I'm not an Apple user. And I'm not attacking you. I am, however, affiliated with the security business and it's bad for everybody when half truths and lies are propagated. If you have an example of Apple being difficult to work with then please bring it up. The example you did bring up shows security folks being difficult to work with, not just Apple but everybody. I really don't see what you were trying to demonstrate or show with that CERT bug link, that Apple found and fixed a bug in their software and then reported it like a responsible company? Or were you trying to suggest that they stole credit from "security researchers" that still haven't disclosed anything, including any documentation of a threat from Apple?


                And I think you're mistaken if you believe that marketshare directly reflects the security of a platform. The number of users has little to do with the number of exploitable bugs in it or architectural flaws. More existing bugs might be found in more popular platforms but that doesn't prove that more exist that just aren't found in other platforms. Windows is less secure because it simply wasn't a design factor when most of it was built, that and MS went out of their way to do things differently than how existing systems like UNIX did.

              • I'm not trying to *prove* anything by porkchop_d_clown (Score:2) Tuesday January 02 2007, @04:12PM
              • I Don't! You Still Haven't Explained... by GaryPatterson (Score:2) Tuesday January 02 2007, @07:22PM
              • Why does this confuse you? by porkchop_d_clown (Score:2) Tuesday January 02 2007, @09:56PM
              • Re:Why does this confuse you? by GaryPatterson (Score:2) Wednesday January 03 2007, @03:52AM
          • Re:I'm afraid you are incorrect, sir. by AchiIIe (Score:1) Tuesday January 02 2007, @10:32PM
        • Re:Apple Vs. Security Researchers by noidentity (Score:1) Tuesday January 02 2007, @10:20AM
        • and now Apple by Shivetya (Score:2) Tuesday January 02 2007, @10:45AM
          • Re:and now Apple (Score:5, Insightful)

            by 99BottlesOfBeerInMyF (813746) on Tuesday January 02 2007, @11:19AM (#17432198)

            ...when Microsoft gets treated to the same very few care, in fact some seem to relish in it.

            Microsoft is not performing due diligence and is quite frankly not giving customers what they want. They routinely sit on publicly announced bugs for long periods of time and according to people I know who have worked there less than half of the security holes they find internally are prioritized high enough to be fixed. No one is happy worms are destroying computers, but some people are happy to see MS getting bad publicity because of their actions.

            Now comes the fun, if a bug is reported to Apple how long do they get to fix it? Who will determine when enough time has passed?

            Well, I believe the last serious security hole reported to them was fixed in 10 days, which is pretty good turn around for development and QA. OS's can be evaluated based upon the nature of the vulnerability, risk, and duration of exposure. For something like this, if it is easily reproducible, under normal circumstances, a couple of weeks seems reasonable. If they are constantly getting new vulnerabilities once a day, it may be longer since they might need to prioritize based upon those. Think of this from the developer's standpoint. If these guys are trying to make OS X less secure, they picked a good way. Thanks jackasses.

            They haven't a big enough installed base to get the "Average user" which Microsoft has to both sell to and suffer with.

            What do you mean? Apple has lots of novice users including the very young and very old attracted by their reputation for ease of use. How many people on this forum do you suppose convinced their grandparents or parents to get a mac?

            When they do penetrate the "Average user" market and get into double digits of popularity then they attract attention they don't want.

            There is plenty of motivation for hackers to attack OS X right now. The reason it does not happen is not the lack of motivation, but the difficulty/convenience of so doing. Smaller market share makes propagation more complex. Increased scrutiny makes exposures shorter. Many worm authors have a very windows-centric knowledge base. All of these factors may mean as OS X's market share goes up, worms become more common, but to attribute this to motivation is a mistake.

            Do not underestimate the creativity and capability of the hackers out there.

            I know people on both ends of the security spectrum. I'm not too worried about OS X becoming bug ridden as market share increases. In fact, I think both Windows and OS X security will increase as OS X's market share increases. The problem of security is one of motivation, but not of the motivation of malware authors, but of OS vendors. Apple needs to keep customers happy to maintain market share. Thus, if malware becomes a problem for their users they will fix it or lose money. Right now Microsoft has no such motivation, so their attention to security has been spotty at best. They don't significantly lose money when users suffer from security problems. Increasing OS X's market share might motivate them to improve security. Anyone who argues that MS or Apple is doing all they can has not been paying attention.

          • Re:and now Apple by GaryPatterson (Score:2) Tuesday January 02 2007, @04:22PM
      • Explain the logic... (Score:4, Interesting)

        by jpellino (202698) on Tuesday January 02 2007, @10:41AM (#17431820)
        "Apple has had poor relations with security researchers for years. Partly it's because of the smug attitude of many Apple users - who assume that because they don't get attacked their OS is more secure"

        Huh? Apple's users are to blame for Apple's work with security researchers?

        Imagine that meeting - "Steve, I'd love to make sure we use every avenue available to us to secure the platform, but heck, our users are just thumbing their noses at the rest of the OS world, and gosh, but it's fun to see - I say let's just live with the holes." "Sounds good to me, Phil - thanks for the insight. Now, about that MacBoy Advance SP that Scooter's been working on..."

      • Occam's Razor by SuperKendall (Score:3) Tuesday January 02 2007, @11:43AM
        • Re:Occam's Razor by 99BottlesOfBeerInMyF (Score:2) Tuesday January 02 2007, @01:09PM
          • Hrm... by porkchop_d_clown (Score:2) Tuesday January 02 2007, @01:26PM
            • Re:Hrm... by 99BottlesOfBeerInMyF (Score:2) Tuesday January 02 2007, @01:37PM
              • Jesus dude. by porkchop_d_clown (Score:2) Tuesday January 02 2007, @01:42PM
                • Re:Jesus dude. by 99BottlesOfBeerInMyF (Score:3) Tuesday January 02 2007, @02:00PM
                  • What?!? by porkchop_d_clown (Score:2) Tuesday January 02 2007, @02:12PM
                    • Re:What?!? by 99BottlesOfBeerInMyF (Score:2) Tuesday January 02 2007, @02:33PM
                      • How does that work? by porkchop_d_clown (Score:2) Tuesday January 02 2007, @03:21PM
                      • Re:How does that work? by 99BottlesOfBeerInMyF (Score:2) Tuesday January 02 2007, @05:46PM
                      • Time out ! by Macka (Score:2) Wednesday January 03 2007, @03:40AM
                      • Oh, by porkchop_d_clown (Score:2) Thursday January 04 2007, @08:26AM
                    • Re:What?!? by mstone (Score:2) Wednesday January 03 2007, @11:54PM
                  • Re:Jesus dude. by squiggleslash (Score:2) Tuesday January 02 2007, @03:09PM
        • Re:Occam's Razor by SuperKendall (Score:2) Tuesday January 02 2007, @05:30PM
      • Re:Apple Vs. Security Researchers by Anonymous Coward (Score:2) Tuesday January 02 2007, @11:46AM
      • Re:Apple Vs. Security Researchers by CODiNE (Score:2) Tuesday January 02 2007, @01:54PM
    • Re:Is this true? by bill_mcgonigle (Score:2) Tuesday January 02 2007, @10:08AM
    • Re:Is this true? by OriginalArlen (Score:2) Tuesday January 02 2007, @02:52PM
  • Doesn't work for me (Score:5, Interesting)

    by Anonymous Coward on Tuesday January 02 2007, @09:12AM (#17431120)
    I just tried this on my MacBook Pro using the provided QTL files and ruby scripts, but none of them seem to have the claimed effect. Anybody else already tried this?
  • Plain wrong! (Score:1, Insightful)

    by Anonymous Coward on Tuesday January 02 2007, @09:21AM (#17431186)
    This is just the wrong way to do this folks. They should be finding and notifying Apple.
  • by Junks Jerzey (54586) on Tuesday January 02 2007, @09:25AM (#17431210)
    OS X is unimaginably complex. Even the 1500+ page "OS X internals" tome just scratches the surface of most things.

    (Note that I own and enjoy using a MacBook, so I'm not blindly Apple-bashing.)

    The complexity is the first problem. The second is that almost all of the code was written in an insecure manner. No one was doing code-level security reviews on QuickTime and Quartz and all the other bits of OS X. And even if you did, squashing all potential overflow/overwrite bugs in a language like C is essentially impossible. We'll keep living with endless exploits until more secure techniques are used for writing software.
  • Logo (Score:1)

    by Freon115 (672518) on Tuesday January 02 2007, @09:29AM (#17431248)
    (Last Journal: Wednesday July 23 2003, @08:51AM)
    The logo on their blog is very disturbing
  • If they were truly interested in "improving MacOS X" or "improving practices on the management side of Apple" then they would release these bugs to Apple first. Don't wait an insane amount of time, but give them a nice reasonable amount of time to fix the bugs. Heck, even tell them you plan on releasing them on thus and so date and start the month *then*, giving props to Apple for those they have fixed.
  • Doesn't work (Score:3, Informative)

    by matth (22742) on Tuesday January 02 2007, @09:46AM (#17431428)
    (http://www.matthoppes.org/)
    I tried the exploit.. doesn't work on my macbook.
  • Timing (Score:3, Interesting)

    by lord_iain (1045936) on Tuesday January 02 2007, @10:05AM (#17431568)
    Is it just me, or is this event well timed? A month of Apple bugs/exploits on the lead up to Windows Vista's commercial release on January 30th (the most "secure" version of Windows). Sounds sinister to me.
    • Re:Timing by Numberboy (Score:1) Tuesday January 02 2007, @04:35PM
    • Re:Timing by macs4all (Score:1) Tuesday January 02 2007, @05:22PM
  • OK (Score:2, Funny)

    by WiseMuse (1039922) on Tuesday January 02 2007, @10:06AM (#17431570)
    (http://www.wisemuse.com/)
    Q: What's worse than finding a worm in your apple? A: Finding a bug in your MAC.
  • Sour Grapes? (Score:2)

    by Enrique1218 (603187) on Tuesday January 02 2007, @11:29AM (#17432274)
    (Last Journal: Tuesday August 08 2006, @03:45PM)

    I can't help but feel that this whole thing is just sour grapes. I certainly don't feel that improving OSX is the sole motivation behind this. The blog reeks of immaturity and lacks any form of professionalism. The language is smug and juvenile? pwnage? (Wow, high school all over again.) They go into great detail on how to execute the exploit but dedicate one sentence on how to avoid it. Then, where is the discreet vendor warning that traditional researchers give before going public? They are not doing it! Are they trying to provoke an attack? I don't see the service that they are doing for me as an OSX user. In fact, I look upon this whole stunt with nothing but contempt. I see this as a snipe at Mac users because it hasn't been attacked. I think this line says it all!

    You're the PC now, Mac (YTPNM).

  • by 4iedBandit (133211) on Tuesday January 02 2007, @12:08PM (#17432748)
    (http://www.4ied.net/)

    While I've played with ruby, perl, C and work almost daily in a variety of shells I honestly don't have the background to fully understand what they've offered up here.

    From the article (and based on my limited understanding) it relies on the shell and curl being resident in a known memory location? Can someone with deeper OS X internals knowledge explain why the system would always put the shell and curl into the same memory space? This seems to go contrary to what I would expect; that the system allocates memory when a program is executed and that memory can be any from the available pool.

    If OS X is indeed always putting certain programs into specific memory addresses, then yes this is definitely a problem that Apple needs to fix now. Otherwise, an attack using this approach is more like firing a gun in a pitch black room and hoping you hit a target that may (or may not) be somewhere in the room. While there is a chance it will work, I would rather spend time picking numbers for the lottery (the potential payoff would be much better).

    Their link to the Phrack article http://felinemenace.org/papers/p63-0x05_OSX_Heap_Exploitation_Technqiues.txt [felinemenace.org] is a more interesting read. I can't make any claims that I understand that better but after reading through it, it makes more sense. Exploiting programs that use Apple's Webkit. Whether or not those exploits still exist, I don't know.

  • My father. (Score:2)

    by GodInHell (258915) * on Tuesday January 02 2007, @01:22PM (#17433630)
    (http://slashdot.org/~GodInHell/journal/)

    "A positive side-effect, probably, will be a more concerned (security-wise) user-base and better practices from the management side of Apple."
    Yep, including folks like my Dad, who will avoid Apples since they have known security issues anyway, and MS is the standard. So.. he'll make sure the Fortune 500 company he acts as CTO for remains on Microsoft.

    We just had this argument last night.. great to see so much "support" from the alternative OS community.

    -GiH
    • Wait. by porkchop_d_clown (Score:3) Tuesday January 02 2007, @01:35PM
    • Re:My father. by Slashcrap (Score:1) Wednesday January 03 2007, @04:20AM
      • Re:My father. by GodInHell (Score:2) Wednesday January 03 2007, @08:52AM
  • Sorta works on a macbook pro (Score:4, Interesting)

    by Paradox (13555) on Tuesday January 02 2007, @01:26PM (#17433670)
    (http://kirindave.tumblr.com/ | Last Journal: Friday December 19 2003, @01:35PM)
    The assumed known address is wrong, but it does crash quicktime on my machine.

    Snips from my crash log:

    OS Version: 10.4.8 (Build 8N1051)
    Report Version: 4

    Command: QuickTime Player
    Path: /Applications/QuickTime Player.app/Contents/MacOS/QuickTime Player
    Parent: WindowServer [57]

    Version: 7.1.3 (7.1.3)
    Build Version: 65
    Project Name: QuickTime
    Source Version: 4650000

    PID: 9548
    Thread: Unknown

    Exception: EXC_BAD_INSTRUCTION (0x0002)
    Code[0]: 0x00000001
    Code[1]: 0x00000000 ...

    Unknown thread crashed with X86 Thread State (32-bit):
        eax: 0xffffffff ebx: 0x41414141 ecx: 0x900012f8 edx: 0xffffffff
        edi: 0x41414141 esi: 0x41414141 ebp: 0xdeadbabe esp: 0xbfffd628 (hello deadbabe!)
          ss: 0x0000001f efl: 0x00010286 eip: 0x918bef3a cs: 0x00000017
          ds: 0x0000001f es: 0x0000001f fs: 0x00000000 gs: 0x00000037

    Not so good. :)
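The crash log above shows the callee-saved ebx/esi/edi coming back as 0x41414141 and ebp as 0xdeadbabe, which confirms the overflow reached those saved slots but says nothing about which input bytes landed where, because every 'A' looks like every other 'A'. As an added example (not from this thread, MOAB, or Apple), the usual next triage step: feed a non-repeating pattern instead of a run of 'A's, then map the value each register holds in the crash log back to an input offset. The pattern layout follows the common Metasploit-style "Aa0Aa1..." scheme; the register values used in main are copied from the log above for illustration and are not results from a real QuickTime run.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fill buf with len bytes of the "Aa0Aa1Aa2...Ab0Ab1..." triage pattern.
 * Each 4-byte window within the first 20280 bytes is unique, so a
 * register value read from a crash log maps to exactly one input offset. */
void pattern_create(char *buf, size_t len)
{
    const char *upper = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    const char *lower = "abcdefghijklmnopqrstuvwxyz";
    const char *digit = "0123456789";
    size_t pos = 0;
    for (int u = 0; pos < len; u = (u + 1) % 26)
        for (int l = 0; l < 26 && pos < len; l++)
            for (int d = 0; d < 10 && pos < len; d++) {
                buf[pos++] = upper[u];
                if (pos < len) buf[pos++] = lower[l];
                if (pos < len) buf[pos++] = digit[d];
            }
}

/* Interpret 4 input bytes the way a 32-bit x86 register holds them after
 * being popped off the stack (little-endian). */
uint32_t reg_from_bytes(const char *p)
{
    const unsigned char *b = (const unsigned char *)p;
    return (uint32_t)b[0] | (uint32_t)b[1] << 8 |
           (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

/* Return the input offset whose bytes produced register value reg, or -1
 * if the value did not come from the pattern (an all-'A' fill gives
 * 0x41414141, and a constant such as 0xdeadbabe is not input at all). */
long pattern_offset(const char *buf, size_t len, uint32_t reg)
{
    for (size_t i = 0; i + 4 <= len; i++)
        if (reg_from_bytes(buf + i) == reg)
            return (long)i;
    return -1;
}

int main(void)
{
    char pat[1000];
    pattern_create(pat, sizeof pat);

    /* Constructed register values: one taken from the pattern itself,
     * two copied from the crash log quoted above. */
    uint32_t regs[]     = { reg_from_bytes(pat + 100), 0x41414141u, 0xdeadbabeu };
    const char *names[] = { "from pattern",            "ebx/esi/edi", "ebp" };
    for (int i = 0; i < 3; i++)
        printf("%-12s 0x%08x -> offset %ld\n",
               names[i], regs[i], pattern_offset(pat, sizeof pat, regs[i]));
    return 0;
}
```

The point of the exercise is that only the first lookup resolves; the two values from the log come back as -1. Until the host part of the URL is refilled with the pattern and the crash reproduced, the log cannot tell you the distance from the start of the host string to the saved ebp, which is exactly the number the "assumed known address" in the published trigger depends on.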
  • Apple routinely patches much more serious bugs at the OS level so I don't understand what all the fuss is about. The fact remains that the security situation in Windows was so ludicrous that an unpatched Windows machine would be compromised within minutes of being connected to the internet. It forced Microsoft to drop everything and perform a security sweep of all their existing software, causing the highly visible delays in products such as Vista and Visual Studio 2005. And the security procedures in place now at Microsoft ensures that future software development will continue to proceed at a snail's pace.

    It's simply about market share and nothing else. At the end of the month Windows' security problems will still exist while Mac users will continue to not have to worry about spyware and viruses, all of which really negates the stated intent of the Month of Apple Bugs exercise.
  • As long as their choice of third-party apps includes only fairly widespread apps, I won't complain. But if they start to find problems in some random odd shareware app that the vast majority of even technically-inclined Mac users don't use, then they'll be pushing it. (MS Office for Mac, fine. Photoshop, fine. FireFox, fine. Delicious Library, borderline. Missing Link, borderline. BonEcho, sorry, no.)
  • by IrrepressibleMonkey (1045046) on Tuesday January 02 2007, @02:33PM (#17434564)
    Does the exploit actually work as stated? Forget the politics and point scoring - has anybody actually made this exploit work? That's important, right?
  • I've implemented a fix for this issue (Score:2, Interesting)

    by landonf (905751) <landonf@macports.org> on Tuesday January 02 2007, @03:05PM (#17434934)
    (http://landonf.bikemonkey.org/)

    I tracked down the issue and created a runtime fix using Unsanity's Application Enhancer. The overflow is in the QuickTime Streaming component's INet_ParseURLServer() function -- the fix patches that function and pre-validates the URL before passing it off to the real function implementation. If the URL is too long, the patch replaces the Evil URL with a benign, but invalid one, and then calls the original function.

    It's worth noting that disabling RTSP, as noted elsewhere, is not sufficient -- there are other vulnerable entry-points to INet_ParseURLServer(), as it is used for generic URL parsing.

    More information is available here:

    http://www.unsanity.org/archives/mac_os_x/the_month_of_trolly_trolls_and.php [unsanity.org]

    and the patch (with source!) can be downloaded here:

    http://landonf.bikemonkey.org/code/macosx [bikemonkey.org]

    You can test the fix (make sure to log out and log back in after installing APE!) in Safari (or Firefox) by visiting this URL:

    http://landonf.bikemonkey.org/static/rtsp_crash.html [bikemonkey.org]

    If you're using Safari, QuickTime should display a "bad address" error once the patch is installed. If the patch isn't installed, Safari will crash.

    • Elegant. by porkchop_d_clown (Score:2) Tuesday January 02 2007, @10:57PM
    • 1 reply beneath your current threshold.
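    The guard described in the comment above, as an added illustration in C that is not landonf's patch and not Apple's code: a constructed stand-in for the URL-server parser (a fixed stack buffer that relies on its caller to bound the input), and a pre-validation wrapper that replaces any over-long URL with a benign but invalid one before the original parser runs. The names parse_url_server_original, guarded_parse_url_server, MAX_URL_LEN and BENIGN_INVALID_URL are hypothetical, and the sample URLs are constructed. Because the guard sits at the parser rather than at the rtsp: handler, it also covers the other schemes that reach the same function, which is the point made above about disabling RTSP not being sufficient.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the QuickTime Streaming component's
 * INet_ParseURLServer(); it is NOT Apple's code. It copies the server
 * part of a URL into a fixed-size stack buffer and relies on the caller
 * to have bounded the input, which is the precondition the real
 * function lacked. */
#define SERVER_BUF 256

static int parse_url_server_original(const char *url, char *out, size_t outcap)
{
    const char *p = strstr(url, "://");
    if (p == NULL)
        return -1;                       /* no scheme separator: not a URL we parse */
    p += 3;
    size_t n = strcspn(p, "/:");         /* server runs up to the next '/' or ':' */
    char server[SERVER_BUF];             /* fixed stack buffer */
    assert(n < sizeof server);           /* precondition the guard below enforces */
    memcpy(server, p, n);
    server[n] = '\0';
    snprintf(out, outcap, "%s", server);
    return 0;
}

/* Pre-validation guard in the spirit of the runtime fix described above
 * (hypothetical names; the real patch hooks the function via APE). Any
 * URL longer than MAX_URL_LEN is swapped for a benign but invalid one
 * before the original parser runs, so its fixed buffer can never be
 * overrun. MAX_URL_LEN is chosen below SERVER_BUF so the server part
 * always fits. Returns 1 if the URL was substituted, 0 if it was passed
 * through unchanged, -1 on parse failure. */
#define MAX_URL_LEN 200
static const char BENIGN_INVALID_URL[] = "rtsp://invalid/";

static int guarded_parse_url_server(const char *url, char *out, size_t outcap)
{
    int substituted = 0;
    if (strlen(url) > MAX_URL_LEN) {
        url = BENIGN_INVALID_URL;        /* never hand the over-long URL downstream */
        substituted = 1;
    }
    if (parse_url_server_original(url, out, outcap) != 0)
        return -1;
    return substituted;
}

/* Demo with a constructed over-long URL (300-byte host) under any scheme.
 * Returns 1 if the guard substituted the URL and the parser saw only the
 * benign one. */
int demo_overlong_url_substituted(const char *scheme)
{
    char url[400];
    char out[SERVER_BUF];
    size_t len = strlen(scheme);
    memcpy(url, scheme, len);
    memset(url + len, 'A', 300);         /* constructed over-long host */
    url[len + 300] = '\0';
    int rc = guarded_parse_url_server(url, out, sizeof out);
    return (rc == 1 && strcmp(out, "invalid") == 0) ? 1 : 0;
}

/* Demo with a normal-length constructed URL: passed through and parsed. */
int demo_short_url_passthrough(void)
{
    char out[SERVER_BUF];
    int rc = guarded_parse_url_server("rtsp://media.example.net:554/stream.mov",
                                      out, sizeof out);
    return (rc == 0 && strcmp(out, "media.example.net") == 0) ? 1 : 0;
}

int main(void)
{
    printf("over-long rtsp URL substituted: %d\n", demo_overlong_url_substituted("rtsp://"));
    printf("over-long http URL substituted: %d\n", demo_overlong_url_substituted("http://"));
    printf("short URL passed through: %d\n", demo_short_url_passthrough());
    return 0;
}
```

    The design choice worth noting is that the bound is enforced on the whole URL before the original code is entered, so the parser's own assumptions are left untouched; that is what lets a hook of this kind be applied at runtime without understanding every internal path of the component.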
  • by frdmfghtr (603968) on Wednesday January 03 2007, @03:34AM (#17441452)
    From what I've read, nobody knows who LMH is. Now, how much weight do you really want to put behind an initiative being run by somebody who won't reveal his/her name? If you are making security issues public and want anybody to take them seriously, tell us who you are and what credentials you have that call for the tech community to take you seriously. Until then, to me you are a bozo out for attention.

  • Re:QuickTime runs on Windows too... (Score:5, Informative)

    by antime (739998) on Tuesday January 02 2007, @08:56AM (#17431014)
    RTFA:
    Affected versions

    This issue has been successfully exploited in QuickTime(TM) Version 7.1.3, Player Version 7.1.3. Previous versions should be vulnerable as well. Both Microsoft Windows and Mac OS X versions are affected.

    [ Parent ]
  • by ClaraBow (212734) on Tuesday January 02 2007, @08:57AM (#17431028)
    Okay, since I jumped the gun, I will answer my own questions: RTFA, yes it does!
    [ Parent ]
  • Re:And a negative side effect? (Score:4, Interesting)

    by Anonymous Coward on Tuesday January 02 2007, @09:01AM (#17431044)
    Could you give some examples of Apple suing people to cover up security holes then?
    [ Parent ]
  • Re:good thought but I wonder (Score:5, Informative)

    by jellomizer (103300) * on Tuesday January 02 2007, @09:02AM (#17431052)
    (http://tsfraser.googlepages.com/index.html)
    These people are doing Gray Hat hacking. Where like the White Hats their goal is not to do damage to other people's computers, but like the black hats they feel that people need to feel a little pain before anything can get done and just reporting the problems to the company is not effective enough to get it done. It falls in the range of legal hacking, but it may not be the most moral way of doing it though. It is like finding a car door open and yelling out "Hey This Car Door is Open and all the valuables are inside someone should lock it!" vs. finding the person who owns the car and discreetly telling him that it is unlocked. Or just locking the door yourself.
    [ Parent ]
    • Re:good thought but I wonder (Score:5, Insightful)

      by aj50 (789101) on Tuesday January 02 2007, @09:28AM (#17431232)
      It is like finding a car door open and yelling out "Hey This Car Door is Open and all the valuables are inside someone should lock it!" vs. finding the person who owns the car and discreetly telling him that it is unlocked. Or just locking the door yourself.
      Not really.

      It's more like finding a bank vault open and shouting out, "Hey, everyone, this bank has left its vault open with your money in it."

      [ Parent ]
    • Re:good thought but I wonder (Score:5, Insightful)

      by elrous0 (869638) * on Tuesday January 02 2007, @09:29AM (#17431242)
      A poor analogy, methinks. It's more like discovering that an apartment building master key has gotten into criminal hands. First you go to the building manager and ask him to change the locks. If he refuses to do so promptly, you go to the residents and inform them. The problem comes when the master key gets out a lot and the building manager consistently drags his heels on changing the locks each time it does. At a certain point, you realize that the only way to really get his attention is to go directly to the residents.

      -Eric

      [ Parent ]
      • Re:good thought but I wonder (Score:5, Insightful)

        by jellomizer (103300) * on Tuesday January 02 2007, @09:38AM (#17431336)
        (http://tsfraser.googlepages.com/index.html)
        Not exactly. First, in this case they are not going to the manager first; they are going to the public about it first.

        Next a Bad guy may not have the key, but once he knows the key is missing he will start looking around for the guy who found the key and take it away from him. It is more like the key is hidden under the welcome mat. And the guy found it one day then blabbed about it to everyone even outside the apartment.

        As a landlord myself I know, some jobs can't be done right away. Some things, especially changing all the locks, take time, including finding the residents and giving them the new key before they leave, so you can change their locks. Also the time to fix all the locks, dealing with people who think their lock should be replaced first, others who love their lock so much they don't want to change it. Some people creek in fear when the landlord knocks, figuring they will evict them with a blink of an eye. (even though it is expensive to leave a room vacant)

        [ Parent ]
    • Re:good thought but I wonder by Secrity (Score:3) Tuesday January 02 2007, @09:35AM
    • Re:good thought but I wonder by Giloo (Score:1) Tuesday January 02 2007, @09:36AM
    • Re:good thought but I wonder by sacrilicious (Score:2) Tuesday January 02 2007, @09:43AM
    • A Fine Plan by PopeRatzo (Score:2) Tuesday January 02 2007, @10:21AM
      • Re:A Fine Plan by 99BottlesOfBeerInMyF (Score:2) Tuesday January 02 2007, @01:17PM
    • Re:good thought but I wonder by dogfriend (Score:1) Tuesday January 02 2007, @03:03PM
    • Re:good thought but I wonder (Score:4, Interesting)

      by 99BottlesOfBeerInMyF (813746) on Tuesday January 02 2007, @09:57AM (#17431508)

      Black hats are interested in profiting from their knowledge of vulnerabilities. These guys aren't.

      I disagree. Black hats are interested in illegally profiting from vulnerabilities. White hats are interested in legally and ethically benefiting from vulnerabilities. Grey hats are interested in benefitting from security exploits in ways that are unethical and questionably legal.

      They want them to be fixed and know that even the deified Apple won't allocate resources to fixing problems that have a low profile.

      No, these guys want publicity for themselves. Apple has been quite responsive to security researchers and most that I know think Apple has been doing a pretty reasonable job. If you're going to argue that bugs need to be publicly released because Apple won't fix them otherwise, you need to support that assertion. Even then, what is your justification for not releasing it immediately, but doling them out more slowly? That doesn't benefit anyone but these researchers for whom it provides prolonged media exposure they hope to gain from financially.

      So they're out to raise the profile of each problem.

      Raising the profile of a problem makes sense, if it is being exploited in the wild or if you've contacted the vendor and they're dragging their heels while people are at risk. Otherwise, it is simply harmful to everyone involved.

      Much better than using the vulnerabilities to build Mac-based botnets...

      Ahh, the classic "we're not as bad as China" argument. Doing something unethical isn't made any less unethical by the fact that someone else is doing something even more unethical. These guys obviously are interested in one thing, getting themselves in the news to make themselves money.

      [ Parent ]
    • Re:good thought but I wonder by Warlock7 (Score:2) Tuesday January 02 2007, @04:22PM
    • 1 reply beneath your current threshold.
  • Re:At this rate (Score:5, Insightful)

    by Rob T Firefly (844560) on Tuesday January 02 2007, @09:04AM (#17431070)
    (http://robvincent.net/ | Last Journal: Tuesday October 09, @01:55PM)
    Or I could use the Linux Cop Out... Explaining that Quicktime is actually a third party application that is bundled with the OS not the OS itself.
    Actually, since Apple makes both Quicktime and MacOS, it's more like the MSIE/Office copout.
    [ Parent ]
    • Re:At this rate by OriginalArlen (Score:2) Tuesday January 02 2007, @02:43PM
  • Re:At this rate (Score:1)

    by SNR monkey (1021747) on Tuesday January 02 2007, @09:05AM (#17431078)
    I don't know what you mean by the "Linux Cop Out" because it seems like you're confusing Apple and Mac OS X. Remember, this is the month of Apple bugs, not necessarily the month of OS X bugs. Also, how is quicktime a third party application if it is developed by Apple?
    [ Parent ]
    • Re:At this rate by jellomizer (Score:2) Tuesday January 02 2007, @09:20AM
      • 1 reply beneath your current threshold.
  • Re:At this rate (Score:2, Redundant)

    by jokell82 (536447) on Tuesday January 02 2007, @09:13AM (#17431126)
    (http://www.thejokell.com/)
    Explaining that Quicktime is actually a third party application that is bundled with the OS not the OS itself.
    Actually that's (partially) true. It's not third party since it's developed by Apple, but the fact that it also affects Windows shows that it's not an OS X bug, but a Quicktime bug.

    But as another comment has pointed out, this is a month of Apple bugs, not OS X bugs.
    [ Parent ]
  • Re:At this rate (Score:1, Funny)

    by Anonymous Coward on Tuesday January 02 2007, @09:28AM (#17431238)

    If intel only could the hole be in quicktime for windows too, and a possible Dual OS Virus


    Sun to the rescue...to make it cross platform just write the virus in Java!
    [ Parent ]
  • by Henriok (6762) on Tuesday January 02 2007, @09:35AM (#17431298)
    (http://www.macnytt.com/)
    Have Apple sued a whistleblower or someone who has reported a security issue. EVER?

    Or is the parent just full of lies, FUD and other unpleasant and damaging stuff?
    [ Parent ]
  • Re:I have a dumb question..... (Score:4, Insightful)

    by 99BottlesOfBeerInMyF (813746) on Tuesday January 02 2007, @10:14AM (#17431618)

    ..... Given Apple's tendency to sue just about anything that moves so that they can preserve the "reality distortion field," are these researchers not afraid of being sued out of existence?

    The reality distortion field you cite is warping your perspective. Apple is actually not particularly litigious compared to most companies their size. To my knowledge they've never sued anyone for publicizing bugs. They don't even normally go after publications that intentionally publicize their trade secrets unless they admit having obtained those secrets from an insider Apple does not know the identity of, and in the one case of that, they sued only for the name of the informant, not for any damages against the publication. The thing is, the litigation they do engage in is often highly publicized, making it seem as though they are very litigious.

    So to answer your question, if they have a reasonable grasp on reality, no they aren't worried about being sued.

    [ Parent ]
  • by klubar (591384) <ken@lubar.net> on Tuesday January 02 2007, @11:35AM (#17432324)
    (http://emiboston.com/)
    The same argument could be made about many of the Microsoft bugs... IE is a third party application that is bundled with the OS and not the OS itself. Same argument... on the other hand QT is an Apple product so if there are security risks associated with it, the company should patch it--and not just for the most recent version of the OS.
    [ Parent ]
  • by SuperKendall (25149) on Tuesday January 02 2007, @11:48AM (#17432528)
    Your opinion might have meant something if you hadn't posted AC. As it is, it's hard to believe you've actually done any OS X programming - or at least any recent programming. Tiger cleaned up the kernel APIs quite a bit.
    [ Parent ]
  • by 99BottlesOfBeerInMyF (813746) on Tuesday January 02 2007, @12:19PM (#17432910)

    MacOSX is still turning up significant flaws that were fixed in other flavours of UNIX many years ago.

    True, Apple is running into some of the same old problems as they try to build new things to interact with old things. I wish they had stricter security review processes.

    Apple has probably the worst attitude to quality control I have ever come across in the PC industry (ie. they don't appear to have any). You might think that Windows has many problems with security holes, but looking at the automated code review tools and approach to security within Microsoft, and comparing this to Apple's approach, it is safe to say that the inferior end product will most definitely be Apple's.

    I don't know Apple's policies on code review. I know they do some audits and that is it. It looks like they could really use some improvement. That said, I do know people from MS and their security reviews are a joke. From anecdotes, less than half of all security holes reported internally are given high enough priority to ever be fixed and they don't have a thousand monkeys pounding on open code. And in the end, it is results that matter. Apple does not have a malware problem, and is mildly resistant to amateur directed attacks. Windows has a huge malware problem and can often be hacked with freely available script kiddy tools.

    I also find Microsoft staff much more helpful and knowledgeable than the moron 'experts' that apple usually fields.

    I've submitted bugs to both Apple and MS. Some of the Apple ones were fixed (all the security ones). None of the MS bugs have ever been fixed.

    It is just too buggy, lacks scalability (try using heavily threaded programs, or I/O / network intensive apps), and the kernel seems to have some fairly significant and obscure bugs that can waste significant time.

    Are you talking about server roles or desktops? Both OS X and Windows are less than optimal servers. Windows can't multitask its way out of a wet paper bag and has always had stability and security issues that result in unavailable services. I'd not build a server on either OS X or Windows though. If you're looking at the desktop, however, there is no comparison.

    I am sticking to platforms I trust: AIX, Linux, and Solaris. They have their own lesser problems, but at least quality and scalability are not a serious concern.

    Quality and scalability aren't concerns on Linux? Where can I get this mythical version of Linux?

    [ Parent ]
  • It's because they are full of shit.

    The second "bug" is a remote execution flaw in VLC, without privilege escalation. It's platform independent, for that matter. VLC is buggy; and the only "neat" thing about a VLC flaw on OS X would be if it gave you root, but it doesn't.

    It's a publicity stunt, and if the remaining bugs are as pointless as this VLC one.... well, it's idiotic.
    [ Parent ]
  • 11 replies beneath your current threshold.