Slashdot Mirror


Remote iChat Exploit Patched

99BottlesOfBeerInMyF writes "Apple has released a security update to patch a hole in iChat. Apparently, correctly crafted links sent via iChat can execute programs if the path is known. If this allows for command line attributes to be included, it could be a pretty big hole; although it would still require some social engineering. The Apple description is here."

55 comments

  1. All I want to know is... by Enucite · · Score: 4, Interesting

    Why did I have to reboot after patching iChat?

    1. Re:All I want to know is... by danigiri · · Score: 4, Informative

      Usually because it's better to tell most people 'Reboot' than 'just issue a $ ps xa|grep foo|grep -v grep| xargs| kill -HUP 2>&1' or whatever

    2. Re:All I want to know is... by timothv · · Score: 4, Interesting

      Why can't the installer do that for them?

    3. Re:All I want to know is... by 47Ronin · · Score: 5, Insightful

      Why can't the installer do that for them?
      #1 It's rude for the OS to just instantly reboot the machine. It just makes a STRONG suggestion to reboot. What if you have unsaved work that you really NEED to finish now? At least the OS is not crippled during the install.

      #2 Rather than risking the probability that a process doesn't HUP properly, it's safer for Apple just to reboot the Mac so that simple Mac users will get a proper reset of all processes. Helps avoid customer service issues if a HUP doesn't go correctly. Advanced users can usually avoid a reboot and just restart the process that was affected.

      --
      Those who laugh at you for you having a Mac.. are the people who constantly call you to fix their PC.
    4. Re:All I want to know is... by 47Ronin · · Score: 5, Insightful

      Stop trying to justify extremely poor design choices. It could try to HUP the process, and if it goes wrong, ask the user to do a logout or reboot. There's often no need to reboot at all.

      It may be poor design to you, but to the majority of users it is no big deal. In fact, it is safer to reboot than to have to script a process hangup which may involve other running applications, which could get messy. Now, the installer does not force you to reboot, it merely puts up a modal dialog that a reboot is required for changes to take affect, which you can dismiss until you feel like returning to it to click "Reboot" ... I'm pretty damn sure Apple could easily change the installer to kill -HUP a process, but what if you're currently using it? What if the kernel was patched and requires a reboot, but you're downloading a giant tarball? Wouldn't you rather have the option of rebooting later? If you REALLY don't want to reboot, force quit the installer so it doesn't bother you (or update via command line instead). Who knows, maybe Tiger will allow for HUP'd upgrades. Apple plays it safe by suggesting a reboot for core system item upgrades. It DOES NOT ask for a reboot when a softwareupdate upgrades stuff like iMovie or XCode, which are self-contained apps that do not have shared libraries or hooks into system files.

      --
      Those who laugh at you for you having a Mac.. are the people who constantly call you to fix their PC.
    5. Re:All I want to know is... by spitzak · · Score: 1

      Actually it might annoy users if their running iChat suddenly quits. They probably understand that if it says "hit this button to reboot" that they should finish their iChat conversation and then hit the button.

      I would think a "hit this button to quit iChat" may be confusing to beginner users so that solution is out.

      Obviously a way to seamlessly quit the current iChat and start a new one would be ideal, but I'm not sure if it is worth the time it would take to develop such a solution.

    6. Re:All I want to know is... by 47Ronin · · Score: 1

      Actually it might annoy users if their running iChat suddenly quits. They probably understand that if it says "hit this button to reboot" that they should finish their iChat conversation and then hit the button.

      I could be wrong but if iChat is currently running it does not shut it down, because it doesn't affect a running app since its instance is already loaded in RAM and stays there until the user quits it. It only affects the binary that is on the hard drive.

      This is how Safari (or any other normal app) is not changed when SoftwareUpdate actually patches it until you quit it and relaunch the app.

      --
      Those who laugh at you for you having a Mac.. are the people who constantly call you to fix their PC.
    7. Re:All I want to know is... by Anonymous Coward · · Score: 5, Funny

      Every time you reboot, god kills a kitten.

    8. Re:All I want to know is... by Anonymous Coward · · Score: 0

      EFFECT. The word you wanted is EFFECT. Jesus Christ.

    9. Re:All I want to know is... by pudge · · Score: 4, Informative

      It is not as simple as HUPing. If you have active connections, you need to close them all, then restart iChat to be how you normally have it. Many users would not get it and would just get confused as to why things were not as they were left. And you could log out and log back in, but many users never log in. There's no way to do it that would be simple enough for the average user to not get confused over.

    10. Re:All I want to know is... by FunkyMarcus · · Score: 4, Informative
      Because it replaced a core framework for handling urls.

      No, it replaced a private framework.
      $ lsbom -f -s /Library/Receipts/SecUpd2004-09-16Pan.pkg/Contents/Archive.bom
      ./System/Library/PrivateFrameworks/InstantMessage.framework/Versions/A/InstantMessage
      ./System/Library/PrivateFrameworks/InstantMessage.framework/Versions/A/Resources/Info.plist
      ./System/Library/PrivateFrameworks/InstantMessage.framework/Versions/A/Resources/version.plist

      Lots and lots of other programs could potentially use it.

      No, only iChat and Mail use it. Any program that links against it is relying on an unpublished API.

      Someone please mod parent DOWN, and also mod down the guy asking to mod the parent UP.
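      A check that follows from this post, added here as an example rather than anything from the thread or from Apple: given the receipt's file list and the files each running process has mapped (the kind of list `lsof -p <pid>` prints), report which processes are still running a pre-update copy and so need a relaunch before the fix is really in effect. The BOM lines are the ones quoted above; the process names, PIDs and the other mapped paths are constructed for illustration.

```python
"""Added example (not from the thread or from Apple): after a security update,
decide which running processes still have a replaced file mapped and so need
a relaunch. Inputs are constructed strings so this runs offline; on a live
system the mapped-file list would come from `lsof -p <pid>` per process."""
import posixpath

# File list of the update's receipt, as the lsbom output quoted in the thread.
BOM_LISTING = """\
./System/Library/PrivateFrameworks/InstantMessage.framework/Versions/A/InstantMessage
./System/Library/PrivateFrameworks/InstantMessage.framework/Versions/A/Resources/Info.plist
./System/Library/PrivateFrameworks/InstantMessage.framework/Versions/A/Resources/version.plist
"""

# Constructed (pid, process name, mapped file) triples, the shape lsof reports.
# PIDs and the non-InstantMessage paths are illustrative.
MAPPED_FILES = [
    (301, "iChat", "/System/Library/PrivateFrameworks/InstantMessage.framework/Versions/A/InstantMessage"),
    (301, "iChat", "/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit"),
    (302, "Mail", "/System/Library/PrivateFrameworks/InstantMessage.framework/Versions/A/InstantMessage"),
    (303, "Safari", "/System/Library/Frameworks/WebKit.framework/Versions/A/WebKit"),
]


def updated_paths(bom_listing):
    """Turn lsbom's install-root-relative entries ('./System/...') into
    normalised absolute paths."""
    paths = set()
    for line in bom_listing.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("./"):
            line = line[1:]  # './System/...' -> '/System/...'
        paths.add(posixpath.normpath(line))
    return paths


def processes_needing_restart(bom_listing, mapped_files):
    """Map (pid, name) -> replaced files that process still has mapped.
    Processes absent from the result are unaffected by this update."""
    replaced = updated_paths(bom_listing)
    stale = {}
    for pid, name, path in mapped_files:
        if posixpath.normpath(path) in replaced:
            stale.setdefault((pid, name), []).append(path)
    return stale


if __name__ == "__main__":
    for (pid, name), files in sorted(processes_needing_restart(BOM_LISTING, MAPPED_FILES).items()):
        print(f"{name} (pid {pid}) still maps {len(files)} replaced file(s); relaunch it")
```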
    11. Re:All I want to know is... by FredFnord · · Score: 1

      Damn, I wouldn't have guessed that Jesus posted anonymously on here.

      Nor that he was another grammar nazi. Hail, brother!

      -fred

      --
      Sign #11 of Slashdot overdose: You see the phrase 'moderate Republican' and you wonder if that would be a +1 or a -1.
    12. Re:All I want to know is... by Anonymous Coward · · Score: 0
      It may be poor design to you, but...

      translated: If it looks like shit, smells like shit, feels like shit and tastes like shit - then you can woof it down by the bucket load, if you do so with equal quantities of koolaid.

      If you use your mac for more than photoshop and flash then having to reboot at all is a real PITA. Even if you don't, why should you have to stop your creative flow to update an unrelated piece of userland software that you may not even be using?

      The Installer could ask if the user wanted to restart the "service", and if this fails, then ask to reboot. If a script fails/hangs/locks-up (which only HUP's another process) and this event is enough to screw up the system, you may want to re-evaluate what it means to use/be a UNIX. You see, unix only needs to be rebooted to replace the kernel. I'm pretty sure iChat is not "the kernel". The most it could possibly need is

      kill -HUP 1

      Really all these kind of things illustrate to business (read: enterprise) clients, is that apple's marketing dept. (they "lead" development right?) does not understand what it is they're dealing with.

      FYI:
      OSX (any ver) allows "for HUP'd upgrades".
      The installer WILL "ask for a reboot when a softwareupdate upgrades stuff like iMovie or XCode" if they're loaded when you upgrade them.

      Why is it people try to justify/apologise for anything apple does, whether it is stupid or not? This kind of koolaid guzzling detracts seriously from the platform's credibility on all levels. When something is broken, it's broken, it can be fixed. Acknowledging this does not make you any less of an apple evangelist (if indeed that is what you want to be).

    13. Re:All I want to know is... by Anonymous Coward · · Score: 0

      "Every time you reboot, god kills a kitten."

      Don't worry, the Windows users will keep the kitten population under control...

  2. Wow... by PedanticSpellingTrol · · Score: 5, Funny

    This sounds exactly like the away:// hole in AIM from a few weeks ago. Has anyone audited the UNIX talk command for similar bugs?

    1. Re:Wow... by br0ck · · Score: 5, Informative
  3. Re:social engineering by Cecil · · Score: 4, Insightful

    Seriously though, I could easily socially engineer anyone. How hard do you have to try to get someone to click on a link? Just tell them it's a really cool site.

    Do you click on unsolicited links from strangers? Wow, I guess IM Spam *is* effective after all.

    The FA says that it now opens a finder window to where the program is. A user could tell a person to click on a "link" and the click on a "link" in the resulting window.

    What? This is not Windows, where Internet Explorer == Windows Explorer. Finder is a completely distinct application from Safari or any other web browser. It does not display links, it displays files. This is extremely clear to even a poor, intellectually challenged 'Mac-user'.

  4. Re:social engineering by teh*fink · · Score: 5, Funny

    How hard is it to socially engineer the average mac user?

    you wouldn't believe how easy it is. whenever new users come into the "panther" chatroom using ichat, they are told to hit command-L for a list of other chatrooms. 80% fall for it. some repeatedly; they come back and ask for the key combo again, figuring they entered it wrong the first time.

    --
    "I DARE you to make less sense!"
  5. Re:social engineering by thirteenVA · · Score: 0, Flamebait
    Seriously though, I could easily socially engineer anyone.

    OK, try socially engineering the mods on your way to -1 troll...

  6. Not complaining, just wondering by catmistake · · Score: 3, Informative

    I sent this story up last night before midnight, because I noticed after several hours no one had mentioned it... Apple hadn't posted their explanation on their site yet, so 99BottlesOfBeerInMyF has a more complete story.

    But I brought up the fact that the last Update, "Security Update 2004-09-07" reappears in the Software Update list as a required update, even if you've already installed it (which I did on the 7th), and that this update (the last one) breaks your ftp server if you happened to be running one. The ftp server is fixed by adding a /usr/etc directory and copying /etc/ftpusers into it, but as far as I know, Apple hasn't owned up to this, and there is still no explanation. So what's up? Does anyone know why it has inexplicably re-appeared? (I understand it is rare for Apple to do this... but I will be wary of updates in the future.)

    1. Re:Not complaining, just wondering by 99BottlesOfBeerInMyF · · Score: 5, Informative

      I am not certain exactly what is going on with these updates, but I think you are missing two pieces of data. First, there are two versions of "Security Update 2004-09-07" 1.0 and 1.1. Second, although I'm not certain it is relevant, the only demo of this exploit I saw called the ftp: handler and directed it at a local .app bundle in order to launch it. My test of the exploit, however, failed. This might be due to the fact that ftp had been broken by a previous update.
      It would be interesting to hear how this round of updates came about.
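      Added example, not part of the thread or of iChat: a defensive link filter of the kind a client could apply before forwarding a received URL to the system handler, rejecting the shape of link described in the story summary and in this post (a scheme handler pointed at a local path or at an executable bundle). The allowed schemes, the local-host list and the executable suffixes are assumed policy, and the sample links are constructed.

```python
"""Added example (not Apple's or iChat's code): a defensive filter an IM client
could run on a received link before handing it to the system URL handler.
It rejects the shape of link this thread discusses: a scheme handler pointed
at a local path or at an executable bundle. The policy constants are assumptions."""
import ipaddress
from urllib.parse import urlsplit, unquote

ALLOWED_SCHEMES = {"http", "https", "ftp"}  # schemes forwarded at all (assumed policy)
LOCAL_HOSTS = {"", "localhost", "localhost.localdomain"}  # names meaning "this machine"
EXECUTABLE_SUFFIXES = (".app", ".command", ".pkg", ".mpkg")  # launchable, not documents


def _is_loopback(host):
    """True for 127.0.0.0/8 and ::1 literals; False for names and non-addresses."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def classify_link(url):
    """Return (allowed, reason). A link is forwarded only when it is clearly
    remote and none of its path segments names an executable bundle."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme '%s' is not forwarded" % (scheme or "<none>")
    # 'ftp:///Applications/...' has an empty host: the handler would look locally.
    host = (parts.hostname or "").lower()
    if host in LOCAL_HOSTS or _is_loopback(host):
        return False, "empty or local host"
    # Percent-decode before checking suffixes so '.a%70p' is seen as '.app'.
    segments = [s for s in unquote(parts.path).lower().split("/") if s]
    for seg in segments:
        if seg.endswith(EXECUTABLE_SUFFIXES):
            return False, "path names an executable bundle: %s" % seg
    return True, "remote link"


if __name__ == "__main__":
    for link in ("https://www.apple.com/support/",
                 "ftp:///Applications/Calculator.app",
                 "ftp://localhost/Applications/Calculator.app"):
        print(link, "->", classify_link(link))
```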

    2. Re:Not complaining, just wondering by catmistake · · Score: 1

      Thanks... I was not all that observant... but the version numbers, of course, speak volumes.

    3. Re:Not complaining, just wondering by Guy+Harris · · Score: 4, Informative
      The ftp server is fixed by adding a /usr/etc directory and copying /etc/ftpusers into it, but as far as I know, Apple hasn't owned up to this

      In an Apple page on the 1.1 version of the Security Update, they explicitly note that the 1.1 version "fixes the following issues in Security Update 2004-09-07 v1.0:"

      - lukemftpd: Corrects the path to the configuration directory
      - Safari (10.3.5 only): The Safari version number is changed to provide compatibility with web sites that use an old version-checking mechanism
      Does anyone know why it has inexplicably re-appeared?

      So that people who installed the 1.0 version get offered the 1.1 version, and can get their FTP server and their ability to go to sites that think that a browser version string containing "Netscape" and "4." means the browser is Netscape 4.

  7. Then let me ask another question... by Enucite · · Score: 1

    Because it replaced a core framework for handling urls. Lots and lots of other programs could potentially use it.

    Why isn't this in the information about the vulnerability?

    If what you've said is true, Apple should mention it so people who don't use iChat know it's an important update for them.

    However, I'll assume you're wrong. Apple would at least mention Safari and Mail in the Impact and Availability sections of the Security Update if it was a general problem handling URLs.

  8. Re:social engineering by hunterx11 · · Score: 4, Funny

    I wonder how many Mac users get tricked into typing Alt+F4 only to wonder why nothing happens?

    --
    English is easier said than done.
  9. But ... but ... but... by commodoresloat · · Score: 4, Funny

    What about my uptime? What about my precious uptime??!!!

    1. Re:But ... but ... but... by MonkeyBoy · · Score: 1

      Your uptime is still lightyears better than the average Windows box. Or, at least, the average Windows box that bothers to stay patched.

      Though ever since MS started holding back patches as part of their "security initiative" marketing ploy, they have been coming slower... who the hell cares about uptime if your box gets pwned as a result of MS's marketing department?

      --

      Moof!

  10. Re:social engineering by spicyjeff · · Score: 0, Offtopic

    Actually, Alt is the same as Option on a Mac keyboard and F4 is also the 'lower volume' key. So Option+LowerVolume (Alt+F4) opens the sound control panel. Same for Option+F3 or F5 and then F1 and F2 for brightness opens the display control panel.

  11. Re:social engineering by Big+Chubby+Cat · · Score: 0, Troll

    I have a chatroom list...IN MY PANTS!!!...

  12. Doesn't Work... by WiseWeasel · · Score: 1

    That doesn't work for me, but maybe that's because I don't have an Apple keyboard, and the F keys (besides F12 for eject, and optionally F9-11 for Expose) are unmapped by default. That would be a convenient tip if you do use an Apple keyboard though.

    --
    "I like systems, their application excepted", George Sand (French)
    1. Re:Doesn't Work... by therevolution · · Score: 3, Informative

      He must be using an Apple laptop, which does map 'lower volume' to F4 by default. On regular Apple keyboards, the 'lower volume' button has its own key, right above the numeric keypad. The key combo he describes works on the regular Apple keyboards too, just not with F4.

  13. Mac Users are Gay.... by Anonymous Coward · · Score: 0

    but we all knew this anyway...

  14. Re:social engineering by Anonymous Coward · · Score: 0

    modded off-topic? stupid mods, read the parent of the comment!

  15. Windows Geeks are Hermaphrodites by Anonymous Coward · · Score: 1, Funny

    But I bet you already knew that.

    So how long until "Chicks With Dicks 25" comes out anyway? Randall preordered that thing ages ago.