Slashdot Mirror


Remote iChat Exploit Patched

99BottlesOfBeerInMyF writes "Apple has released a security update to patch a hole in iChat. Apparently, correctly crafted links sent via iChat can execute programs if the path is known. If this allows for command line attributes to be included, it could be a pretty big hole; although it would still require some social engineering. The Apple description is here."

8 of 55 comments

  1. Re:All I want to know is... by danigiri · · Score: 4, Informative

    Usually because it's better to tell most people 'Reboot' than 'just issue a $ ps xa|grep foo|grep -v grep| xargs| kill -HUP 2>&1' or whatever

  2. Re:Wow... by br0ck · · Score: 5, Informative
  3. Not complaining, just wondering by catmistake · · Score: 3, Informative

    I sent this story up last night before midnight, because I noticed after several hours no one had mentioned it... Apple hadn't posted their explanation on their site yet, so 99BottlesOfBeerInMyF has a more complete story.

    But I brought up the fact that the last Update, "Security Update 2004-09-07" reappears in the Software Update list as a required update, even if you've already installed it (which I did on the 7th), and that this update (the last one) breaks your ftp server if you happened to be running one. The ftp server is fixed by adding a /usr/etc directory and copying /etc/ftpusers into it, but as far as I know, Apple hasn't owned up to this, and there is still no explanation. So what's up? Does anyone know why it has inexplicably re-appeared? (I understand it is rare for Apple to do this... but I will be wary of updates in the future.)

    1. Re:Not complaining, just wondering by 99BottlesOfBeerInMyF · · Score: 5, Informative

      I am not certain exactly what is going on with these updates, but I think you are missing two pieces of data. First, there are two versions of "Security Update 2004-09-07" 1.0 and 1.1. Second, although I'm not certain it is relevant, the only demo of this exploit I saw called the ftp: handler and directed it at a local .app bundle in order to launch it. My test of the exploit, however, failed. This might be due to the fact that ftp had been broken by a previous update.
      It would be interesting to hear how this round of updates came about.

    2. Re:Not complaining, just wondering by Guy+Harris · · Score: 4, Informative
      The ftp server is fixed by adding a /usr/etc directory and copying /etc/ftpusers into it, but as far as I know, Apple hasn't owned up to this

      In an Apple page on the 1.1 version of the Security Update, they explicitly note that the 1.1 version "fixes the following issues in Security Update 2004-09-07 v1.0:"

      - lukemftpd: Corrects the path to the configuration directory
      - Safari (10.3.5 only): The Safari version number is changed to provide compatibility with web sites that use an old version-checking mechanism
      Does anyone know why it has inexplicably re-appeared?

      So that people who installed the 1.0 version get offered the 1.1 version, and can get their FTP server and their ability to go to sites that think that a browser version string containing "Netscape" and "4." means the browser is Netscape 4.

  4. Re:All I want to know is... by pudge · · Score: 4, Informative

    It is not as simple as HUPing. If you have active connections, you need to close them all, then restart iChat to be how you normally have it. Many users would not get it and would just get confused as to why things were not as they were left. And you could log out and log back in, but many users never log in. There's no way to do it that would be simple enough for the average user to not get confused over.

  5. Re:All I want to know is... by FunkyMarcus · · Score: 4, Informative
    Because it replaced a core framework for handling urls.

    No, it replaced a private framework.
    $ lsbom -f -s /Library/Receipts/SecUpd2004-09-16Pan.pkg/Contents/Archive.bom
    ./System/Library/PrivateFrameworks/InstantMessage.framework/Versions/A/InstantMessage
    ./System/Library/PrivateFrameworks/InstantMessage.framework/Versions/A/Resources/Info.plist
    ./System/Library/PrivateFrameworks/InstantMessage.framework/Versions/A/Resources/version.plist

    Lots and lots of other programs could potentially use it.

    No, only iChat and Mail use it. Any program that links against it is relying on an unpublished API.

    Someone please mod parent DOWN, and also mod down the guy asking to mod the parent UP.
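Added example, not FunkyMarcus's code and not Apple's: a small Python helper that takes the output of the `lsbom -f -s` receipt listing quoted above and groups the paths by framework bundle, flagging whether each bundle sits under the public Frameworks directory or under PrivateFrameworks, so a reader can see what an update replaced without eyeballing the listing. The sample listing is constructed; only the three InstantMessage paths come from the thread.

```python
import re
from collections import defaultdict

# Constructed sample of `lsbom -f -s <receipt>/Contents/Archive.bom` output.
# The three InstantMessage paths are the ones quoted in the thread; the
# remaining lines are made up to exercise the public/private distinction.
SAMPLE_LSBOM = """\
./System/Library/PrivateFrameworks/InstantMessage.framework/Versions/A/InstantMessage
./System/Library/PrivateFrameworks/InstantMessage.framework/Versions/A/Resources/Info.plist
./System/Library/PrivateFrameworks/InstantMessage.framework/Versions/A/Resources/version.plist
./System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
./usr/etc/ftpusers
"""

FRAMEWORK_RE = re.compile(
    r"^\./System/Library/(?P<kind>Frameworks|PrivateFrameworks)/(?P<name>[^/]+\.framework)/"
)

def classify_bom(lsbom_output: str) -> dict:
    """Group the paths in a receipt BOM listing by the framework bundle they
    belong to and record whether that bundle is public or private.  Paths
    outside /System/Library/{Frameworks,PrivateFrameworks} go under "other"
    so nothing in the listing is silently dropped."""
    result = {"public": defaultdict(list), "private": defaultdict(list), "other": []}
    for line in lsbom_output.splitlines():
        path = line.strip()
        if not path:
            continue
        m = FRAMEWORK_RE.match(path)
        if m is None:
            result["other"].append(path)
            continue
        kind = "public" if m.group("kind") == "Frameworks" else "private"
        result[kind][m.group("name")].append(path)
    return {k: (dict(v) if isinstance(v, defaultdict) else v) for k, v in result.items()}

def summarize(lsbom_output: str) -> list:
    """One line per touched framework, e.g. 'private InstantMessage.framework (3 files)'."""
    info = classify_bom(lsbom_output)
    lines = []
    for kind in ("public", "private"):
        for name, files in sorted(info[kind].items()):
            lines.append(f"{kind} {name} ({len(files)} files)")
    if info["other"]:
        lines.append(f"other paths: {len(info['other'])}")
    return lines

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LSBOM)))
```

On a real machine, feed it the output of the receipt's `lsbom -f -s` command instead of the constructed sample.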
  6. Re:Doesn't Work... by therevolution · · Score: 3, Informative

    He must be using an Apple laptop, which does map 'lower volume' to F4 by default. On regular Apple keyboards, the 'lower volume' button has its own key, right above the numeric keypad. The key combo he describes works on the regular Apple keyboards too, just not with F4.