Remote iChat Exploit Patched
99BottlesOfBeerInMyF writes "Apple has released a security update to patch a hole in iChat. Apparently, correctly crafted links sent via iChat can execute programs if the path is known. If this allows for command line attributes to be included, it could be a pretty big hole; although it would still require some social engineering. The Apple description is here."
Usually because it's better to tell most people 'Reboot' than 'just issue a $ ps xa | grep foo | grep -v grep | awk '{print $1}' | xargs kill -HUP' or whatever
How soon we forget.
I am not certain exactly what is going on with these updates, but I think you are missing two pieces of data. First, there are two versions of "Security Update 2004-09-07", 1.0 and 1.1. Second, although I'm not certain it is relevant, the only demo of this exploit I saw called the ftp: handler and directed it at a local .app bundle in order to launch it. My test of the exploit, however, failed. This might be due to the fact that ftp had been broken by a previous update.
It would be interesting to hear how this round of updates came about.
It is not as simple as HUPing. If you have active connections, you need to close them all, then restart iChat to be how you normally have it. Many users would not get it and would just get confused as to why things were not as they were left. And you could log out and log back in, but many users never log in. There's no way to do it that would be simple enough for the average user to not get confused over.
No, it replaced a private framework.
Lots and lots of other programs could potentially use it.
No, only iChat and Mail use it. Any program that links against it is relying on an unpublished API.
Someone please mod parent DOWN, and also mod down the guy asking to mod the parent UP.
In an Apple page on the 1.1 version of the Security Update, they explicitly note that the 1.1 version "fixes the following issues in Security Update 2004-09-07 v1.0:"
So that people who installed the 1.0 version get offered the 1.1 version, and can get back their FTP server and their ability to go to sites that think that a browser version string containing "Netscape" and "4." means the browser is Netscape 4.