Remote iChat Exploit Patched

← Back to Stories (view on slashdot.org)

Posted by pudge on Friday September 17, 2004 @05:25AM from the gotta-restart-now-brb dept.

99BottlesOfBeerInMyF writes "Apple has released a security update to patch a hole in iChat. Apparently, correctly crafted links sent via iChat can execute programs if the path is known. If this allows for command line attributes to be included, it could be a pretty big hole; although it would still require some social engineering. The Apple description is here."

18 of 55 comments (clear)

All I want to know is... by Enucite · 2004-09-17 05:35 · Score: 4, Interesting

Why did I have to reboot after patching iChat?
1. Re:All I want to know is... by danigiri · 2004-09-17 05:39 · Score: 4, Informative
  
  Usually because it's better to tell most people 'Reboot' than 'just issue a $ ps xa|grep foo|grep -v grep| xargs| kill -HUP 2>&1' or whatever
2. Re:All I want to know is... by timothv · 2004-09-17 05:47 · Score: 4, Interesting
  
  Why can't the installer do that for them?
3. Re:All I want to know is... by 47Ronin · 2004-09-17 05:59 · Score: 5, Insightful
  
  Why can't the installer do that for them?
  #1 It's rude for the OS to just instantly reboot the machine. It just makes a STRONG suggestion to reboot. What if you have unsaved work that you really NEED to finish now? At least the OS is not crippled during the install.
  
  #2 Rather than risking the probability that a process doesn't HUP properly, it's safer for Apple just to reboot the Mac so that simple Mac users will get a proper reset of all processes. Helps avoid customer service issues if a HUP doesn't go correctly. Advanced users can usually avoid a reboot and just restart the process that was affected.
  
  --
  Those who laugh at you for you having a Mac.. are the people who constantly call you to fix their PC.
4. Re:All I want to know is... by 47Ronin · 2004-09-17 06:42 · Score: 5, Insightful
  
  Stop trying to justify extremely poor design choices. It could try to HUP the process, and if it goes wrong, ask the user to do a logout or reboot. There's often no need to reboot at all.
  
  It may be poor design to you, but to the majority of users it is no big deal. In fact, it is safer to reboot than to have to script a process hangup which may involve other running applications, which could get messy. Now, the installer does not force you to reboot, it merely puts up a modal dialog that a reboot is required for changes to take affect, which you can dismiss until you feel like returning to it to click "Reboot" ... I'm pretty damn sure Apple could easily change the installer to kill -HUP a process, but what if you're currently using it? What if the kernel was patched and requires a reboot, but you're downloading a giant tarball? Wouldn't you rather have the option of rebooting later? If you REALLY don't want to reboot, force quit the installer so it doesn't bother you (or update via command line instead). Who knows, maybe Tiger will allow for HUP'd upgrades. Apple plays it safe by suggesting a reboot for core system item upgrades. It DOES NOT ask for a reboot when a sofwareupdate upgrades stuff like iMovie or XCode, which are self-contained apps that do not have shared libraries or hooks into system files.
  
  --
  Those who laugh at you for you having a Mac.. are the people who constantly call you to fix their PC.
5. Re:All I want to know is... by Anonymous Coward · 2004-09-17 07:26 · Score: 5, Funny
  
  Every time you reboot, god kills a kitten.
6. Re:All I want to know is... by pudge · 2004-09-17 08:40 · Score: 4, Informative
  
  It is not as simple as HUPing. If you have active connections, you need to close them all, then restart iChat to be how you normally have it. Many users would not get it and would just get confused as to why things were not as they were left. And you could log out and log back in, but many users never log in. There's no way to do it that would be simple enough for the average user to not get confused over.
7. Re:All I want to know is... by FunkyMarcus · 2004-09-17 11:48 · Score: 4, Informative
  
  Because it replaced a core framework for handling urls.
  
  No, it replaced a private framework.
  
  $ lsbom -f -s /Library/Receipts/SecUpd2004-09-16Pan.pkg/Contents /Archive.bom ./System/Library/PrivateFrameworks/InstantMessage. framework/Versions/A/InstantMessage ./System/Library/PrivateFrameworks/InstantMessage. framework/Versions/A/Resources/Info.plist ./System/Library/PrivateFrameworks/InstantMessage. framework/Versions/A/Resources/version.plist
  
  Lots and lots of other programs could potentially use it.
  
  No, only iChat and Mail use it. Any program that link against it is relying on an unpublished API.
  
  Someone please mod parent DOWN, and also mod down the guy asking to mod the parent UP.
Wow... by PedanticSpellingTrol · 2004-09-17 05:39 · Score: 5, Funny

This sounds exactly like the away:// hole in AIM from a few weeks ago. Has anyone audited the UNIX talk command for similar bugs?
1. Re:Wow... by br0ck · 2004-09-17 06:03 · Score: 5, Informative
  
  How soon we forget.
Re:social engineering by Cecil · 2004-09-17 05:48 · Score: 4, Insightful

Seriously though, I could easily socially engineer anyone. How hard to you have to try to get someone to click on a link? Just tell them it's a really cool site.

Do you click on unsolicited links from strangers? Wow, I guess IM Spam *is* effective after all.

The FA says that it now opens a finder window to where the program is. A user could tell a person to click on a "link" and the click on a "link" in the resulting window.

What? This is not Windows, where Internet Explorer == Windows Explorer. Finder is a completely distinct application from Safari or any other web browser. It does not display links, it displays files. This is extremely clear to even a poor, intellectually challeged 'Mac-user'.

--
Random and weird software I've written.
Re:social engineering by teh*fink · 2004-09-17 06:39 · Score: 5, Funny

How hard is to to socially engineer the average mac user?

you wouldn't believe how easy it is. whenever new users come into the "panther" chatroom using ichat, they are told to hit command-L for a list of other chatrooms. 80% fall for it. some repeatedly; they come back and ask for the key combo again, figuring they entered it wrong the first time.

--
"I DARE you to make less sense!"
Not complaining, just wondering by catmistake · 2004-09-17 07:40 · Score: 3, Informative

I sent this story up last night before midnight, because I noticed after several hours no one had mentioned it... Apple hadn't posted their explaination on their site yet, so 99BottlesOfBeerInMyF has a more complete story.

But I brought up the fact that the last Update, "Security Update 2004-09-07" reappears in the Software Update list as a required update, even if you've already installed it (which I did on the 7th), and that this update (the last one) breaks your ftp server if you happened to be running one. The ftp server is fixed by adding a /usr/etc directory and copying /etc/ftpusers into it, but as far as I know, Apple hasn't owned up to this, and there is still no explanation. So what's up? Does anyone know why it has inexplicably re-appeared? (I understand it is rare for Apple to do this... but I will be wary of updates in the future.)

--
The Admin and the Engineer
1. Re:Not complaining, just wondering by 99BottlesOfBeerInMyF · 2004-09-17 08:04 · Score: 5, Informative
  
  I am not certain exactly what is going on with these updates, but I think you are missing two pieces of data. First, there are two versions of "Security Update 2004-09-07" 1.0 and 1.1. Second, although I'm not certain it is relevant, the only demo of this exploit I saw called the ftp: handler and directed it at a local .app bundle in order to launch it. My test of the exploit, however, failed. This might be due to the fact that ftp had been broken by a previous update.
  It would be interesting to hear how this round of updates came about.
2. Re:Not complaining, just wondering by Guy+Harris · 2004-09-18 06:18 · Score: 4, Informative
  
  The ftp server is fixed by adding a /usr/etc directory and copying /etc/ftpusers into it, but as far as I know, Apple hasn't owned up to this
  
  In an Apple page on the 1.1 version of the Security Update, they explicitly note that the 1.1 version "fixes the following issues in Security Update 2004-09-07 v1.0:"
  - lukemftpd: Corrects the path to the configuration directory
  - Safari (10.3.5 only): The Safari version number is changed to provide compatibility with web sites that use an old version-checking mechanism
  
  Does anyone know why it has inexplicably re-appeared?
  
  So that people who installed the 1.0 version get offered the 1.1 version, and can get their FTP server and their ability to go to sites that think that a browser version string containing "Netscape" and "4." means the browser is Netscape 4.
Re:social engineering by hunterx11 · 2004-09-17 11:18 · Score: 4, Funny

I wonder how many Mac users get tricked into typing Alt+F4 only to wonder why nothing happens?

--
English is easier said than done.
But ... but ... but... by commodoresloat · 2004-09-17 13:47 · Score: 4, Funny

What about my uptime? What about my precious uptime??!!!
Re:Doesn't Work... by therevolution · 2004-09-18 08:43 · Score: 3, Informative

He must be using an Apple laptop, which does map 'lower volume' to F4 by default. On regular Apple keyboards, the 'lower volume' button has its own key, right above the numeric keypad. The key combo he describes works on the regular Apple keyboards too, just not with F4.