Slashdot Mirror


Apple Closes iSight Security Hole

Gruber Duckie writes "Apple's security update 2006-008, posted yesterday, is a little more interesting than it sounds. According to information (and a demo!) posted at Macslash, the "information leak" mentioned in Apple's advisory actually makes it possible for a web site to send whatever your (iSight) web cam sees up to the server. I'm glad they fixed this quickly."

19 of 213 comments

  1. Security Hole? by Billosaur · · Score: 4, Funny

    Or cleverly disguised attempt to monitor people by the Department of Homeland Security? You be the judge!

    --
    GetOuttaMySpace - The Anti-Social Network
    1. Re:Security Hole? by D-Cypell · · Score: 4, Funny

      You be the judge!

      Can I be the clandestine military tribunal?

    2. Re:Security Hole? by TheRaven64 · · Score: 5, Interesting

      In his book, 1984, George Orwell proposed the idea of television screens that also acted as camera and allowed a remote viewer to monitor whatever was going on in front of them.

      In the year 1984, Apple Computers released an advert for the first Mac with the slogan 'Why 1984 won't be like 1984.'

      In the year 2005, Apple Computers released the new iMac, a device with a display screen and integrated camera which allowed a remote viewer to monitor whatever was going on in front of it.

      --
      I am TheRaven on Soylent News
    3. Re:Security Hole? by Moofie · · Score: 4, Insightful

      And you should always take every word that comes out of a salesperson's mouth as the gospel truth, and not apply common sense ever.

      --
      Why yes, I AM a rocket scientist!
  2. And images of by Timesprout · · Score: 4, Funny

    A fat sweaty bearded geek sitting in his parents' basement scoffing pizza and Jolt while on a raid with his guild is a security issue how exactly?

    --
    Do not try to read the dupe, that's impossible. Instead, only try to realize the truth
    What truth?
    There is no dupe
    1. Re:And images of by Rakshasa Taisab · · Score: 5, Funny

      Uhm, the article said Apple, not Windows.

      As is well known, we users of MacOSX are all tall with athletic bodies.

      --
      - These characters were randomly selected.
    2. Re:And images of by un1xl0ser · · Score: 4, Funny

      Dude, this was on a Mac... no games. duh

      --
      v4sw6PU$hw6ln6pr4F$ck 4/6$ma3+6u7LNS$w2m4l7U$i2e4+7en6a2X h
    3. Re:And images of by operagost · · Score: 5, Funny

      Liar. There's Breakout, Super Breakout, and Photoshop!

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
  3. Nonsense by CmdrGravy · · Score: 5, Funny

    The internet is full of ladies and they all surf practically naked, I know this because this is what they tell me in chatrooms and other socialising sites.

  4. Darn. by Grendel Drago · · Score: 4, Funny

    And Mac users are lithe, sexy art types, too. I know, because the ads tell me so.

    --
    Laws do not persuade just because they threaten. --Seneca
  5. Would make for a GREAT security wake-up website by Jah-Wren Ryel · · Score: 4, Interesting

    There are a few websites out there that will tell you your IP address, browser type, OS type and even guess at your general geographic location based on things your browser tells it. Some of these sites do it to "shock" people into realizing they are NOT anonymous on the net.

    What a great enhancement it would be for such websites to display a picture of the user at his computer! "We know you use a Mac, Live in California and Look like THIS!" Just one visit to such a site would go a LONG way to instilling a useful level of caution.

    --
    When information is power, privacy is freedom.
  6. Why didn't anybody tell me? by UnknowingFool · · Score: 4, Funny

    [Stops dancing wildly in front of computer]
    Nobody saw that, right?

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  7. Am I the only one by LittleBunny · · Score: 5, Interesting

    Am I the only one who wishes that the laptops with the built-in iSight had a way to manually close the shutter, like the standalone iSight? I always keep mine closed when I'm not using it, but the lack of such a shutter on the laptops makes me profoundly uncomfortable at the thought of owning one. Maybe this sort of thing will serve as a wakeup call?

    1. Re:Am I the only one by geobeck · · Score: 5, Funny

      ...I have this nice little stuffed penguin, see...and when I place him atop my iMac...

      So you're using a Linux patch for your Mac vulnerability?

      --
      Find environmentally and socially responsible products on http://buy-right.net
  8. Why this is interesting by daveschroeder · · Score: 4, Informative

    Of course, an application running on your local machine can do anything it wants. So it's not surprising that a malicious Java applet/application could, well, do malicious things.

    For those who don't know, a Quartz Composer composition saved as a QuickTime movie can display the iSight image locally. Since QuickTime movies can be embedded in web pages, you can create a movie that displays the *local* iSight image back to the person, locally. Nifty, right?

    But what is interesting is that via Java hooks in QuickTime for Java, a Java applet could be used in conjunction with this Quartz Composer movie to do anything that a Java applet could instruct QuickTime to do - including take a shot of whatever is being displayed in the QuickTime movie - and then do anything else a Java applet could be designed to do - in this case, potentially send that image somewhere.

    So, this could be done on any platform with a camera, since all it is is malware running to perform a specific task.

    But what's more interesting is:

    - All Mac OS X systems will always have QuickTime, and thus always have the capability to run such a composition
    - All Apple laptops have cameras that cannot be easily disabled (of course, unless the LED is burnt out, the green light will always be on when the camera is in use, due to the way the iSight is set up electrically)

    The ubiquitousness of iSight camera is what makes this little trick interesting. It also raises issues such as: why didn't Apple offer an option to delete the camera (especially for government/military customers, as other vendors, like Palm, do), and why didn't Apple offer a mechanical shutter for the iSight on all models?

    In any case, it's fixed with Security Update 2006-008, but a legitimate Java application, i.e., one you trust, could still do just that. Which stands to reason, of course, since code running on your machine - even if instantiated by a web page - can really do anything that you have permission to do, including delete files. That's the nature of applications.

    One other note: you can indeed disable the iSight by (re)moving /System/Library/Extensions/Apple_iSight.kext and /System/Library/QuickTime/QuickTimeUSBVDCDigitizer.component

    In sum, the reason why this is interesting is because of the ubiquitousness of the Apple iSight on Apple laptops and the fact that it's ready for use. But, someone still has to visit a malicious site and run a malicious Java applet - user interaction: the hallmark of Mac OS X vulnerabilities!

    1. Re:Why this is interesting by daveschroeder · · Score: 5, Informative

      I should also note that, for government/military customers, Apple does have a contractor that can physically disconnect the iSight and internal microphone as part of the procurement process, and meets GSA schedules and requirements for "no-camera" or "no-microphone" environments; additionally, infrared, Bluetooth, and AirPort can also be disabled. This does not void any warranties. That contractor is:

      Holmans
      6201 N. Jefferson Ave
      Albuquerque, NM 887109
      Tony Greiner
      505 343 3529
      tgreiner@holmans.com

      GSA schedule GS-35F-0341N
      DOE authorized (LLNL and LANL)
      DOE "L" clearance personnel

      For individual customers, any Apple Authorized Service Provider can disconnect any or all of the above components, and are happy to accommodate such requests. Such requests also do not void warranties.

      Again, these components can all be disabled by software means in managed environments where physical disconnection/removal of the device(s) is not a requirement.

      I should note that this trick could technically be done on any platform with a camera: run malicious software designed to send imagery from an attached camera somewhere. But in the case of Mac OS X on Apple hardware, it becomes interesting because Apple has already done all the work to drive the camera and display within QuickTime (via Quartz Composer, the integrated camera and drivers, and so on), and then QuickTime for Java can be used via a malicious Java application or applet (which still has to be run, of course) to send images remotely. After Security Update 2006-008, a Java applet (unless it is a signed applet that is specifically allowed by the user) can no longer make such calls to QuickTime for Java.
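The software-side disabling that daveschroeder describes in his comment and its reply (moving the Apple_iSight kernel extension and the QuickTime USB VDC digitizer component out of the way) is easy to do by hand but hard to verify across a fleet. The script below is an added example, not code from the thread or from Apple: it audits a machine for the two components named above and can quarantine them into a directory from which they can be moved back. The ROOT argument is an assumption made so the functions can be exercised against a staged directory tree rather than a live Mac; on a real system the kernel extension also has to be unloaded (kextunload, or a reboot) before the camera actually stops working, and both operations need root.

```shell
#!/bin/sh
# Added example (not from the Slashdot thread or from Apple): audit and
# quarantine the two iSight components named in the comment above.
# ROOT (an assumption for offline testing) defaults to "/" so the same
# functions can be pointed at a staged tree instead of a live system.

# Relative paths of the components the comment says to (re)move.
ISIGHT_PATHS="System/Library/Extensions/Apple_iSight.kext
System/Library/QuickTime/QuickTimeUSBVDCDigitizer.component"

# isight_status ROOT
# Prints "present"/"absent" for each component under ROOT and returns 0 only
# when both are absent (camera software disabled), 1 otherwise.
isight_status() {
    root="${1:-/}"
    present=0
    for rel in $ISIGHT_PATHS; do
        if [ -e "$root/$rel" ]; then
            echo "present: $root/$rel"
            present=1
        else
            echo "absent:  $root/$rel"
        fi
    done
    return $present
}

# isight_quarantine ROOT QUARANTINE_DIR
# Moves each component that is present into QUARANTINE_DIR, preserving the
# relative path so a later reverse mv restores it. On a live system this
# needs root, and the kext must be unloaded (kextunload or reboot) before the
# camera stops working.
isight_quarantine() {
    root="${1:-/}"
    qdir="$2"
    for rel in $ISIGHT_PATHS; do
        if [ -e "$root/$rel" ]; then
            mkdir -p "$qdir/$(dirname "$rel")"
            mv "$root/$rel" "$qdir/$rel"
            echo "quarantined: $rel -> $qdir/$rel"
        fi
    done
}
```

Source the file and run `isight_status /` to audit the live system; the exit status (0 = both components absent) makes it usable from a configuration-management check. Quarantining rather than deleting keeps the operation reversible, which matters because the same two files are what iChat and every other QuickTime-based camera application depend on.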

  9. Shameful this hasn't shown up yet. by 0100010001010011 · · Score: 5, Funny

    In Soviet Russia, websites look at you!

  10. Tape War by bill_mcgonigle · · Score: 5, Funny

    In the year 2005, Apple Computers released the new iMac, a device with a display screen and integrated camera which allowed a remote viewer to monitor whatever was going on in front of it.

    Your Orwellian society is defeated by a piece of tape.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  11. Amusing Anecdote by 99BottlesOfBeerInMyF · · Score: 4, Funny

    One day I wandered into the closest Apple store and was playing with the latest version of OS X to see if I wanted to upgrade. They all had internet connections and isight cameras and I thought it would be fun to play with them. So I made up a new ichat account and added a few people I knew at the time with a camera on their system to the buddy list to see if they were online. The person available just happened to be a cute college co-ed dating one of my buddies. She's one of those skinny little redheads guys always seem to fall for. Anyway, after I got to try out the video chat feature I took off and thought no more about it.

    The next time I talked to her she told me I had brought her a lot of entertainment and some embarrassment. It seems people in the store also wanted to try out the video chat, and since there was an account set up with her on the list, they kept sending her chat requests. This was the entertaining part. The embarrassing part was the first time someone did that, she assumed it was me again, and was not quite fully dressed at the time. She said the guy seemed pretty shocked, but nice enough after she jumped out of the camera's line of sight and pulled on a robe.