Slashdot Mirror
Apple Closes iSight Security Hole
Gruber Duckie writes "Apple's security update 2006-008, posted yesterday, is a little more interesting than it sounds. According to information (and a demo!) posted at Macslash the "information leak" mentioned in Apple's advisory actually makes it possible for a web site to send whatever your (isight) web cam sees up to the server. I'm glad they fixed this quickly."
Or cleverly disguised attempt to monitor people by the Department of Homeland Security? You be the judge!
GetOuttaMySpace - The Anti-Social Network
A fat sweaty bearded geek sitting in his parents basement scoffing pizza and jolt while on a raid with his guild is a security issue how exactly?
Do not try to read the dupe, thats impossible. Instead, only try to realize the truth
What truth?
There is no dupe
It's not a pretty sight, folks.
-Eric
SJW: Someone who has run out of real oppression, and has to fake it.
..... Able to see cute college co-eds prancing around in their dorms half (of if we're lucky, totally) naked.
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
The internet is full of ladies and they all surf practically naked, I know this because this is what they tell me in chatrooms and other socialising sites.
I personally am disappointed. Imagine the YouTube videos that would have been possible with just a month's worth of such video. I mean, yes, 90% of it would be unshowered nerds with bad posture, but that 10% would have been gold!
It breaks my pluginses, my precious!
Now the all the exhibitionists start using macs..
it didn't take till Tuesday of the second week, 2 months after the hole was found either.
And Mac users are lithe, sexy art types, too. I know, because the ads tell me so.
Laws do not persuade just because they threaten. --Seneca
I refuse to believe this, it has to be a hoax. Everyone round here keeps saying that only 'Windoze' has security problems, and that Macs are immune. Besides, Mac users don't run with admin rights, so this can't be possible, right?
Wrong demographic for Mac...if you wanted to see male liberal arts majors with rectangular-lensed glasses watch Futurama reruns on bean-bag chairs I think you'd be happier.
There are a few websites out there that will tell you your IP address, browser type, OS type and even guess at your general geographic location based on things your browser tells it. Some of these sites do it to "shock" people into realizing they are NOT anonymous on the net.
What a great enhancement it would be for such websites to display a picture of the user at his computer! "We know you use a Mac, Live in California and Look like THIS!" Just one visit such a site would go a LONG way to instilling a useful level of caution.
When information is power, privacy is freedom.
[Stops dancing wildly in front of computer]
Nobody saw that, right?
Well, there's spam egg sausage and spam, that's not got much spam in it.
Am I the only one who wishes that the laptops with the built-in iSight had a way to manually close the shutter, like the standalone iSight? I always keep mine closed when I'm not using it, but the lack of such a shutter on the laptops makes me profoundly uncomfortable at the thought of owning one. Maybe this sort of thing will serve as a wakeup call?
Good thing I'm running Linux...
...move along. ;)
-- Rastignac was here.
Of course, an application running on your local machine can do anything it wants. So it's not surprising that a malicious Java applet/application could, well, do malicious things.
/System/Library/Extensions/Apple_iSight.kext /System/Library/QuickTime/QuickTimeUSBVDCDigitizer .component
For those who don't know, a Quartz Composer composition saved as a QuickTime movie can display the iSight image locally. Since QuickTime movies can be embedded in web pages, you can create a movie that displays the *local* iSight image back to the person, locally. Nifty, right?
But is interesting is that via Java hooks in QuickTime for Java, a Java applet could be used in conjunction with this Quartz Composer movie to do anything that a Java applet could instruct QuickTime to do - including take a shot of whatever is being displayed in the QuickTime movie - and then do anything else a Java applet could be designed to do - in this case, potentially send that image somewhere.
So, this could be done on any platform with a camera, since all it is is malware running to perform a specific task.
But what's more interesting is:
- All Mac OS X systems will always have QuickTime, and thus always have the capability to run such a composition
- All Apple laptops have cameras that cannot be easily disabled (of course (unless the LED is burnt out) due to the way the iSight is set up electrically, the green light will always be on when in use)
The ubiquitousness of iSight camera is what makes this little trick interesting. It also raises issues such as: why didn't Apple offer an option to delete the camera (especially for government/military customers, as other vendors, like Palm, do), and why didn't Apple offer a mechanical shutter for the iSight on all models?
In any case, it's fixed with Security Update 2006-008, but a legitimate Java application, i.e., one you trust, could still do just that. Which stands to reason, of course, since code running on your machine - even if instantiated by a web page - can really do anything that you have permission to do, including delete files. That's the nature of applications.
One other note: you can indeed disable the iSight by (re)moving:
In sum, the reason why this is interesting is because of the ubiquitousness of the Apple iSight on Apple laptops and the fact that it's ready for use. But, someone still has to visit a malicious site and run a malicious Java applet - user interaction: the hallmark of Mac OS X vulnerabilities!
Got to love the idea of using an OS whose scope of security vulnerability need to be 'leaked' to be known.
Fsck that..
If Cmdr Taco had actually read the friggin' MacSlash article he links to, and scrolled down to the comments, he'd see that the 'exploit' is not fixed by this patch and what's more, doesn't send info to the server. Fer feck's sake.
I'm not wrong. You haven't thought about it hard enough.
Doesn't flash do this already? As a "feature"?
I guess this kind of thing is why Sun put a mechanical lens cover on their webcams.
Good thing I'm using IE7 + Windows XP on my Mac Book. Oh wait...
In Soviet Russia, websites look at you!
Just makes me think:
It is pitch black. You are likely to be eaten by a grue.
Which is kind of fitting with the Buckaroo article on the front page yesterday!
Transporter_ii
Doctors destroy health, lawyers destroy justice, universities destroy knowledge, religion destroys spirituality
The "feature" of sending video to random strangers on the Internet is disabled by default for Flash, and was enabled by default for QuickTime/Java beore this patch was issued.
"Pizza, bah!"
"Your pizza is insignificant compared to the power of the Force!"
"Dude, pizza is, like, so last week, dude..."
ITYM scarfing pizza...
Just junk food for thought...
does this mean that next months "Month of OSX bugs" is now one day (bug) short?
You guys have it all wrong. It's not a security hole, it's feature!
They wanted to save you the time it takes to post to YouTube.
In the year 2005, Apple Computers released the new iMac, a device with a display screen and integrated camera which allowed a remote viewer to monitor whatever was going on in front of it.
Your Orwellian society is defeated by a piece of tape.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
One day I wandered into the closest Apple store and was playing with the latest version of OS X to see if I wanted to upgrade. They all had internet connections and isight cameras and I thought it would be fun to play with them. So I made up a new ichat account and added a few people I knew at the time with a camera on their system to the buddy list to see if they were online. The person available just happened to be a cute college co-ed dating one of my buddies. She's one of those skinny little redheads guys always seem to fall for. Anyway, after I got to try out the video chat feature I took off and thought no more about it.
The next time I talked to her she told me I had brought her a lot of entertainment and some embarrassment. It seems people in the store also wanted to try out the video chat, and since there was an account set up with her on the list, they kept sending her chat requests. This was the entertaining part. The embarrassing part was the first time someone did that, she assumed it was me again, and was not quite fully dressed at the time. She said the guy seemed pretty shocked, but nice enough after she jumped out of the camera's line of sight and pulled on a robe.
Back in the late 1980s and early 1990s, Compuserve's "CB simulator," Delphi, and other services provided text-based multiway services of the kind now known as "chat."
/view mode on
/view mode would actually be implemented within my lifetime.
It was fairly common for someone to make a joking about how they were or were not dressed. A common reply was for someone else to type something like
and tell the group that he or she could now verify whether or not first speaker had been telling the truth. Occasionally the first speaker would be naive and gullible enough to believe it.
Little did I know that
"How to Do Nothing," kids activities, back in print!
Haha, a security hole in a Mac! Look everyone, they suck like M$!
Let's make a big deal about it and pretend like whatever operating system we happen to enjoy is perfect.
There's nothing wrong with anything - Phillip J. Fry
Interesting that it got fixed before it was all over the net that it even existed... who knew about this before the security update was posted (yesterday on my mac)?
Some versions of SunOS had /dev/audio set with permissions that anyone could access it. So someone would just have to telnet into the computer with a non-root account and dd if=/dev/audio of=/export/home/joeschmoe/capture and get a dump of anything being said in that room.
Even more scary. No LED. Can hear far away.
Apple could improve security in two ways:
1. Make the built-in camera rotate to several positions: 1. Forward to the user for iChat sessions, 2. To the side to look inside the case and thus at nothing no matter what a virus does (mechanical security), and 3. Backward so users can video tape a class or speech without a $20 mirror gadget.
2. Put a Security option in the Apple menu that'd include the ability, hardwired into the kernel, to shut down: 1. Camera, 2. Mike, 3. WiFi, 4. Bluetooth, 5. Remote Ethernet addresses, 6. All Ethernet addresses, and 7. All outgoing Ethernet traffic. In hostile situations, this would make our Macs deaf, blind and mute to all external attacks.
So all the high rated posts I see talk about how terrible Apple's security was, 1984 comes true, blah blah blah.
Did any of you bother to try out the exploit? I just did... know what it does? It turns on that bright green LED right next to the camera, the one that tells you when it's on. It's pretty bright and when it turns on all of the sudden, you NOTICE. It then proceeded to crash my browser. Well it may be possible that Apple carefully designed their hardware in such a way that the LED is software controlled and the camera is capable of invisibly monitoring people, there is no evidence to back those claims.
True with proprietary software one just never knows for sure, but honestly let's see someone figure out how to take a picture or make a movie without the light coming on, THEN we can start calling Apple Big Brother. Honestly if that were possible then I'd dump this laptop in a heartbeat since it would require purposely designing it with that in mind.
Cwm, fjord-bank glyphs vext quiz
If you check out the iSight section of Apple's online store, the iSight itself is nowhere to be found. I noticed this a few days ago, thinking it may just indicate an update was coming at the next MacWorld event a couple weeks from now. However, I'm starting to think this issue may well be a factor toward its seemingly sudden disappearance from Apple's website.
8==8 Bones 8==8
Seriously, how can anybody be sure that everything you have ever done on your computer, since the advent of the internet, hasn't been recorded and cached somewhere, for later analysis...
My old iSight camera (which is rumored to be discontinued soon) has a handy dandy shutter built in! And a way better microphone than the internal POS in my 15inch PPC/PB.
I somehow broke the display on my girlfriends 12inch iBook last year, er, well it just got kinda knocked of the desk (not much room in a typical studio apartment in Tokyo). I wanted to buy her a new Apple laptop, but they all have a camera that you can't physically turn off. The last thing in the world I want is for someone to see my future wife running around in her un-mentionables. Knowing her technical ability to shut off the camera, or simply remember to cover it up I opted to replace the lcd, and send an external iSight.
Funny thing, it was cheaper to put it in a box, send it home to the states, fix and ship back to her. Labor rates over there are silly stupid, but parts are really easy to find. I love otaku-land (akihabara) for parts.
A simple shutter would be really welcome, and would likely be a simple replacement bezel swap.
-YMMV
Apple's solution is the same as Microsoft's. Only "signed" applets can access this control now. The fundamental problem though, is that unsigned applets shouldn't be able to access anything outside of the standard Java classes. They need to stop making blacklists and whitelists of what controls are safe, and instead, make it so that no controls are safe.
welcome our new webcam-snooping overlords!
The built-in iSight I have has an attached LED that is on when the camera is on; it appears to be wired into the camera. I don't think they'd be able to turn it on without me noticing.
The firewire iSight has no indicator.
Flash 6-9 has had web cam and audio support for MAC and WINDOWS, a hack to flash to bypass the security warning (which if you recall was a problem back in 6, the feature was undocumented I believe.) So anybody with flash could potentially be listening or watching you. On new iSights, there is a light--- but for AUDIO there is NO indication on any computer.
Democracy Now! - uncensored, anti-establishment news
the problem is bigger than that. I have a macbook wich has an integrated camera on it, and the exploit works with it. This cam has no lead light indicating use and no lens cap, so as long as it stays on my desk my privacy can be violated. My browser did crash when I hit the back button but that could be anything, most people wouden't be alarmed by it and even if they wer, well it would be to late. Interesting points: Well take a look at this slashdot story from yesterday about a face recognition and search engine software http://yro.slashdot.org/article.pl?sid=06/12/19/19 23259. This exploit could prove pretty usefull to people using the new product. I pitty all those girls in porn picts that will be exposed to all their friends and familly members when they use this new service.
It's a java and quicktime exploit so it's not eclusive to the mac platform.
Next time you hear an Apple salesman say that, ask if he minds being quoted, and get his name and note the time and location. Then submit it here, or to a Mac site, and see what happens.
:)
Steve's the only one allowed to serve kool-aid.
I do enjoy lounging in the nude while on my computer... so I am glad this was fixed
Help Me! I'm trapped in the tubes! Oh noes! Here comes a internet!
Saw this on digg a few minutes ago. 0-Day Apple iSight Hack - Fix it for $0.01 http://digg.com/apple/0_Day_Apple_iSight_Hack_Fix_ it_for_0_01 Tired of hackers looking at you in your underwear with Apples built in iSight? This can fix it for good.
Golly! I have an audience to play to?
Do not mock my vision of impractical footwear
... something? Is the marketing department sleeping?
Pizza! What a pathetic excuse for a food!
The US free market: two halves of a government-granted duopoly are free to set the market price.
When the iSight camera is on, a little green light shines next to it.
When the light is on, don't do rude shameful things that your mother wouldn't like in front of the computer.
This is just like the classic Microsoft/ActiveX type of problems.
Except that it *is* possible to fix it without breaking half the software in the system, and it *is* possible to fix it without being the vendor. The Jackson trial made it abundantly clear what happens if you disable the HTML control... disabling Quicktime for Java, or using Gecko without invoking XUL, these are actually possible.
Oh, and you're making the same mistake as Microsoft and Apple:
The fundamental problem though, is that unsigned applets shouldn't be able to access anything outside of the standard Java classes.
A more fundamental problem is that whether an applet is signed or not shouldn't matter. The application should be making the determination as to what rights the applet has, and if it's an application intended to display untrusted content it shouldn't be granting ANY rights to ANY applet.
As I recall, with Back Orifice, this could be done on MS windows years ago. ;-)
McFly777
- - -
"What do people mean when they say the computer went down on them?" -Marilyn Pittman
Apple's delay in fixing the security bug is proof that closed source is evil. If OS X was open source, we'd be able to download a fix within hours of its discovery.
(This is intended to be a joke)
No, I will not work for your startup
Oh, you mean Artie McStrawman? Yeah! Let's laugh at that sucker! HAHA!