Month of Apple Bugs - First Bug Unveiled
ens0niq writes "The first bug (a Quicktime rtsp URL Handler Stack-based Buffer Overflow) of the Month of Apple Bugs has been unveiled — as previously promised — by LMH and Kevin Finisterre. From the FAQ: 'This initiative aims to serve as an effort to improve Mac OS X, uncovering and finding security flaws in different Apple software and third-party applications designed for this operating system. A positive side-effect, probably, will be a more concerned (security-wise) user-base and better practices from the management side of Apple.'"
so doesn't this affect it also?
though I applaud efforts to improve apple products in general. Is this communicated to Apple first before posting? If so, what is the level of interaction?
Credit line removed by the editor, but I found this report on HUP.
Could you give some examples of Apple suing people to cover up security holes then?
This isn't a problem because it has been proven that only Windows can get viruses. Therefore, because it's not possible for viruses to spread with MacOS, security threats are irrelevant.
Please, try the veal.
Slashdot Burying Stories About Slashdot Media Owned
Now, which way do you want it? Is it "... actually a third party application" or does it "... load automaticly [sic] on Macs, and it is rather tightly integrated with the OS"? Decide and stop blabbering about "cop outs".
I don't know what you mean by the "Linux Cop Out" because it seems like you're confusing Apple and Mac OS X. Remember, this is the month of Apple bugs, not necessarily the month of OS X bugs. Also, how is quicktime a third party application if it is developed by Apple?
He would, but they were all absorbed by Steve Jobs and his reality distortion field. Sorry.
Do you like German cars?
"The problem with so-called 'responsible disclosure' is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial."
Is Apple as bad as MS when it comes to fixing security flaws? Is there really a need to show how "insecure" OS X is? Or is this more a "you're going to start listening to security experts when they have something to say or else..." type situation. I did read the FAQ but they really don't show any evidence to prove why this is a good thing, how this will improve OS X security, or how Apple has been unwilling to fix flaws in the past.
They could be 1000% right, but on the surface I just don't see anything which either confirms or denies their theory. It would be nice to at least read some sort of history of how Apple has interacted with Security researchers in the past.
If you wanna get rich, you know that payback is a bitch
I just tried this on my MacBook Pro using the provided QTL files and ruby scripts, but none of them seem to have the claimed effect. Anybody else already tried this?
But as another comment has pointed out, this is a month of Apple bugs, not OS X bugs.
I dunno who it is
but it prolly is fhqwhgads.
Well it is a stab at the Linux user community on their views about security. If there is a problem it is rarely a Linux (Kernel) problem but with some other application that is running: Apache, Sendmail, su, sudo... Stating these are 3rd party tools not part of Linux per se. Yes, I mistook a Month of Apple Bugs for a Month of OS X Bugs, my mistake.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
This is just the wrong way to do this folks. They should be finding and notifying Apple.
OS X is unimaginably complex. Even the 1500+ page "OS X internals" tome just scratches the surface of most things.
(Note that I own and enjoy using a MacBook, so I'm not blindly Apple-bashing.)
The complexity is the first problem. The second is that almost all of the code was written in an insecure manner. No one was doing code-level security reviews on QuickTime and Quartz and all the other bits of OS X. And even if you did, squashing all potential overflow/overwrite bugs in a language like C is essentially impossible. We'll keep living with endless exploits until more secure techniques are used for writing software.
Apple has had poor relations with security researchers for years. Partly it's because of the smug attitude of many Apple users - who assume that because they don't get attacked their OS is more secure; but part is also the researchers themselves.
The flame wars over the airport card exploits are a good example - first, the researchers used a 3rd party card which meant it had little to do with OS X problems, which created a number of he-said-she-said arguments. As I understand it, the airport exploit was (is still?) real, but the arguments created a lot of ill-will on both sides.
Clear, Dark Skies
Sun to the rescue...to make it cross platform just write the virus in Java!
The logo on their blog is very disturbing
If they were truly interested in "improving MacOS X" or "improving practices on the management side of Apple" then they would release these bugs to Apple first. Don't wait an insane amount of time, but give them a nice reasonable amount of time to fix the bugs. Heck, even tell them you plan on releasing them on thus and so date and start the month *then*, giving props to Apple for those they have fixed.
Integrate Keynote and LaTeX
Has Apple sued a whistleblower or someone who has reported a security issue. EVER?
Or is the parent just full of lies, FUD and other unpleasant and damaging stuff?
- Henrik
- when the Shadows descend -
I tried the exploit.. doesn't work on my macbook.
..... Given Apple's tendency to sue just about anything that moves so that they can preserve the "reality distortion field," are these researchers not afraid of being sued out of existence?
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
Is it just me, or is this event well timed? A month of Apple bugs/exploits on the lead up to Windows Vista's commercial release on January 30th (the most "secure" version of Windows). Sounds sinister to me.
Q: What's worse than finding a worm in your apple? A: Finding a bug in your MAC.
The wireless exploit you cite, for example, turned out to be hype about a problem that affected no mac in its default state...
The wireless exploit did apply to Airport cards; but you are correct that researchers mishandled the disclosure - which, as I said, resulted in a lot of hard feelings on both sides.
Clear, Dark Skies
Lame people shouldn't even try stabbing, they'll usually just end up hurting themselves. You sir, are a moron. Willfully ignoring facts and posting flame bait doesn't change anything. And guess what, the girls will still laugh at that small squishy thing you've got.
All in all, this "Month of Bugs" thing is a good approach to proactive OS support behavior by a user community. The only problem is that such an approach requires a fair amount of Good Will towards the product from those users. This effectively rules out similar plans working for Microsoft Windows.
There really is a long-term benefit from good behavior on the part of corporations: your customers will actually go out of their way to help you.
Unlike macobserver, who seems to think things like security holes are better left unmentioned, I salute LMH and Kevin Finisterre for doing this.
You are welcome on my lawn.
"Apple has had poor relations with security researchers for years. Partly it's because of the smug attitude of many Apple users - who assume that because they don't get attacked their OS is more secure"
Huh? Apple's users are to blame for Apple's work with security researchers?
Imagine that meeting - "Steve, I'd love to make sure we use every avenue available to us to secure the platform, but heck, our users are just thumbing their noses at the rest of the OS world, and gosh, but it's fun to see - I say let's just live with the holes." "Sounds good to me, Phil - thanks for the insight. Now, about that MacBoy Advance SP that Scooter's been working on..."
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
Not to minimise the problems of writing large complex software systems, but complexity is the second problem... insecure design is the first.
I'm more concerned with the fact that Safari uses the same URI handler and helper database as Finder (LaunchServices) and that Apple is more interested in giving people a false sense of security with pop-up dialogs than changing the API slightly to make it inherently secure.
* Split LaunchServices up into "web oriented" applications that are intended for use with untrusted files, and "desktop" applications. This would have the additional advantage of allowing for "viewer" versions of applications that have reduced functionality and simpler design (going back to the original poster's point).
* Disable "Open safe files after downloading" by default, and if it remains an option then include a comment in the preferences pane that enabling it will reduce the security of your system.
* And don't EVER include software installers in the list of "safe" applications! I cannot comprehend the confusion in the mind that would lead Apple to install widgets and packages directly from the browser. Firefox makes the same mistake, by the way... it's like watching gangrene spread.
This is not as bad a design problem as Microsoft's use of the HTML control as a universal gateway for viruses and spyware, but it's bad enough that it should be given priority.
can see what it's like to be noticed.
When Microsoft gets treated to the same very few care, in fact some seem to relish in it.
Now comes the fun, if a bug is reported to Apple how long do they get to fix it? Who will determine when enough time has passed?
I look at it this way, Apple still is well off. They haven't a big enough installed base to get the "Average user" which Microsoft has to both sell to and suffer with. When they do penetrate the "Average user" market and get into double digits of popularity then they attract attention they don't want. Do not underestimate the creativity and capability of the hackers out there.
That old adage about a bunch of monkeys is apt
* Winners compare their achievements to their goals, losers compare theirs to that of others.
MacOSX is still turning up significant flaws that were fixed in other flavours of UNIX many years ago. Apple has probably the worst attitude to quality control I have ever come across in the PC industry (i.e. they don't appear to have any). You might think that Windows has many problems with security holes, but looking at the automated code review tools and approach to security within Microsoft, and comparing this to Apple's approach, it is safe to say that the inferior end product will most definitely be Apple's. I also find Microsoft staff much more helpful and knowledgeable than the moron 'experts' that Apple usually fields.
Having tried to program software for MacOSX, I have realised that as it stands, Apple does not have a product that is usable for enterprise level applications. It is just too buggy, lacks scalability (try using heavily threaded programs, or I/O / network intensive apps), and the kernel seems to have some fairly significant and obscure bugs that can waste significant time.
I am sticking to platforms I trust:- AIX, Linux, and Solaris. They have their own lesser problems, but at least quality and scalability are not a serious concern.
I can't help but feel that this whole thing is just sour grapes. I certainly don't feel that improving OSX is the sole motivation behind this. The blog reeks of immaturity and lacks any form of professionalism. The language is smug and juvenile? pwnage? (Wow, high school all over again). They go into great detail on how to execute the exploit but dedicate one sentence on how to avoid it. Then, where is the discrete vendor warning that traditional researchers give before going public? They are not doing it! Are they trying to provoke an attack? I don't see the service that they are doing for me as an OSX user. In fact, I look upon this whole stunt with nothing but contempt. I see this as a snipe at mac users because it hasn't been attacked. I think this line says it all!
You're the PC now, Mac (YTPNM).
You don't have to be smart to use a Mac, you just have to be smart enough to buy one
The same argument could be made about many of the Microsoft bugs... IE is a third party application that is bundled with the OS and not the OS itself. Same argument... on the other hand QT is an Apple product so if there are security risks associated with it, the company should patch it--and not just for the most recent version of the OS.
Partly it's because of the smug attitude of many Apple users - who assume that because they don't get attacked their OS is more secure; but part is also the researchers themselves.
So please explain to all of us why we have no viruses on the Mac yet, even with some tens of millions of fairly homogeneous computers around (same OS, same patches, much of the same hardware) in a world where botnets of even just a hundred thousand nodes bring in real money. There is financial incentive enough for the macs to have viruses and spyware, yet they do not.
Perhaps you should instead apply Occam's Razor, and think that if in fact any given OS sees fewer attacks than another, it is actually more secure.
Of course there are holes in OS X, any reasonable Mac user realizes this. But we also know we have yet to see any real exploits in the wild. So far this effort is not really doing anything about that situation either way; if you'll read below you'll find this first proof of concept exploit does not even work!
"There is more worth loving than we have strength to love." - Brian Jay Stanley
While I've played with ruby, perl, C and work almost daily in a variety of shells I honestly don't have the background to fully understand what they've offered up here.
From the article (and based on my limited understanding) it relies on the shell and curl being resident in a known memory location? Can someone with deeper OS X internals knowledge explain why the system would always put the shell and curl into the same memory space? This seems to go contrary to what I would expect; that the system allocates memory when a program is executed and that memory can be any from the available pool.
If OS X is indeed always putting certain programs into specific memory addresses, then yes this is definitely a problem that Apple needs to fix now. Otherwise, an attack using this approach is more like firing a gun in a pitch black room and hoping you hit a target that may (or may not) be somewhere in the room. While there is a chance it will work, I would rather spend time picking numbers for the lottery (the potential payoff would be much better).
Their link to the Phrack article http://felinemenace.org/papers/p63-0x05_OSX_Heap_Exploitation_Technqiues.txt is a more interesting read. I can't make any claims that I understand that better but after reading through it, it makes more sense. Exploiting programs that use Apple's Webkit. Whether or not those exploits still exist, I don't know.
"The avalanche has already started, it is too late for the pebbles to vote." -Kosh
I guess that depends on your definition of third party. To me, neither IE nor Quicktime are third party applications as they are made by the same company. The differentiation that you may be looking for is whether these are core system applications or optional (secondary) applications. While both are bundled with the OS, MS has constantly said that IE is a part of the OS and cannot be removed. Quicktime and Safari can be uninstalled on a Mac. The question whether IE should be tied to the OS is another debate.
Well, there's spam egg sausage and spam, that's not got much spam in it.
No, this is a publicity stunt by vicious little jerks who want to draw attention to themselves and their childish 'anatomically correct' pink pony logo rather than improve security for Mac owners such as myself. Remember, Apple isn't Microsoft. It's doing a marvelous job fixing flaws before they create problems for users. Where the rubber meets the road, they're doing well. If these people were serious about Mac security, they'd have given Apple these flaws in confidence a month or more ago.
I don't care for lawyers, but if one of these bugs gets copied and out in the wild, I'd love to see some nasty lawyers form a class action lawsuit and sue the pants off those involved. Note especially the heading at the top of their web page, "You're the PC now, Mac!" That demonstrates that these people aren't simply stupid and makes it clear that they know what they want to do. They want to make Macs as troubled by bugs and viruses as PCs. That is malicious intent and excellent grounds for a huge damage settlement.
If you're involved in this miserable bit of jealous venom, I suggest seeing a lawyer and coming up with a way to sue-proof your major assets. Put your home, your car, your bank account, and your stock portfolio in someone else's name. And even that may not be enough.
And yes, there is a place for publicly exposing flaws that Microsoft, Apple, Linux or any other OS developer refuses to fix. But these jerks, with their all too obvious vicious intent ("You're the PC now, Mac!") and their irresponsible 'bug a day' behavior, are going to make life hard for all the responsible people who mean well and act like adults. They're smearing the name of all those who do help root out vulnerabilities.
I said that the incident contributed to bad feelings between Apple and security researchers. You contrived that to mean that I blame Apple for the problem.
I'm beginning to understand why so many researchers find Apple users annoying.
Clear, Dark Skies
Perhaps you could try reading my post again, look at your own reply and consider how Apple fanboys have a reputation for pissing off people who have to work with Apple.
For the win: Please point out where I said it was Apple's fault they had a poor relationship with security researchers.
Clear, Dark Skies
Avoid Missing Ball for High Score
We just had this argument last night.. great to see so much "support" from the alternative OS community.
-GiH
The assumed known address is wrong, but it does crash quicktime on my machine.
/Applications/QuickTime Player.app/Contents/MacOS/QuickTime Player
...
:)
Snips from my crash log:
OS Version: 10.4.8 (Build 8N1051)
Report Version: 4
Command: QuickTime Player
Path:
Parent: WindowServer [57]
Version: 7.1.3 (7.1.3)
Build Version: 65
Project Name: QuickTime
Source Version: 4650000
PID: 9548
Thread: Unknown
Exception: EXC_BAD_INSTRUCTION (0x0002)
Code[0]: 0x00000001
Code[1]: 0x00000000
Unknown thread crashed with X86 Thread State (32-bit):
eax: 0xffffffff ebx: 0x41414141 ecx: 0x900012f8 edx: 0xffffffff
edi: 0x41414141 esi: 0x41414141 ebp: 0xdeadbabe esp: 0xbfffd628 (hello deadbabe!)
ss: 0x0000001f efl: 0x00010286 eip: 0x918bef3a cs: 0x00000017
ds: 0x0000001f es: 0x0000001f fs: 0x00000000 gs: 0x00000037
Not so good.
Slashdot. It's Not For Common Sense
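The register dump in the crash log above is the most informative part of the post: three general-purpose registers hold 0x41414141 (the ASCII 'A' fill pattern from the test URL) and the saved frame pointer ebp holds 0xdeadbabe, which is how an incident responder recognises a memory-corruption crash as opposed to an ordinary null-dereference. The following C program is an added triage helper, not code from the post or from Apple: it parses the four register lines quoted above (embedded here as a constructed sample), counts registers that carry the fill pattern, and returns a verdict. The 0xbf.. stack-address heuristic and the verdict scale are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

typedef struct { char name[8]; uint32_t value; } Reg;

/* Constructed sample: the register lines quoted from the crash log above. */
static const char *SAMPLE_DUMP =
    "eax: 0xffffffff ebx: 0x41414141 ecx: 0x900012f8 edx: 0xffffffff\n"
    "edi: 0x41414141 esi: 0x41414141 ebp: 0xdeadbabe esp: 0xbfffd628 (hello deadbabe!)\n"
    "ss: 0x0000001f efl: 0x00010286 eip: 0x918bef3a cs: 0x00000017\n"
    "ds: 0x0000001f es: 0x0000001f fs: 0x00000000 gs: 0x00000037\n";

/* Parse "name: 0xvalue" pairs out of a register dump. Tokens that do not
 * follow that shape (the "(hello deadbabe!)" aside) are skipped.
 * Returns the number of registers stored in out. */
int parse_regs(const char *dump, Reg *out, int max) {
    char *copy = strdup(dump);
    int n = 0;
    char *tok = strtok(copy, " \t\n");
    while (tok && n < max) {
        size_t len = strlen(tok);
        if (len >= 2 && len <= 4 && tok[len - 1] == ':') {   /* e.g. "ebx:" */
            char *val = strtok(NULL, " \t\n");
            if (!val) break;
            if (strncmp(val, "0x", 2) == 0) {
                memcpy(out[n].name, tok, len - 1);
                out[n].name[len - 1] = '\0';
                out[n].value = (uint32_t)strtoul(val, NULL, 16);
                n++;
            }
        }
        tok = strtok(NULL, " \t\n");
    }
    free(copy);
    return n;
}

/* Count registers whose full 32-bit value equals a marker such as the 'A'
 * fill pattern 0x41414141. Several such registers at the crash site is the
 * classic sign that input bytes overwrote saved CPU state. */
int count_marker(const Reg *regs, int n, uint32_t marker) {
    int c = 0;
    for (int i = 0; i < n; i++)
        if (regs[i].value == marker) c++;
    return c;
}

/* Look up one register by name; returns 1 and sets *value if present. */
int get_reg(const Reg *regs, int n, const char *name, uint32_t *value) {
    for (int i = 0; i < n; i++)
        if (strcmp(regs[i].name, name) == 0) { *value = regs[i].value; return 1; }
    return 0;
}

/* Triage verdict (assumed scale): 2 = fill pattern in several registers AND
 * ebp outside the 0xbfxxxxxx stack range seen in this log (saved frame
 * pointer taken over), 1 = fill pattern present, 0 = nothing suspicious. */
int triage(const char *dump) {
    Reg regs[32];
    int n = parse_regs(dump, regs, 32);
    int filled = count_marker(regs, n, 0x41414141u);
    uint32_t ebp = 0;
    int have_ebp = get_reg(regs, n, "ebp", &ebp);
    if (filled >= 2 && have_ebp && (ebp >> 24) != 0xbf) return 2;
    return filled ? 1 : 0;
}

int main(void) {
    Reg regs[32];
    int n = parse_regs(SAMPLE_DUMP, regs, 32);
    for (int i = 0; i < n; i++)
        printf("%-4s 0x%08x%s\n", regs[i].name, regs[i].value,
               regs[i].value == 0x41414141u ? "  <- fill pattern" : "");
    printf("verdict: %d\n", triage(SAMPLE_DUMP));
    return 0;
}
```

The same parser works on any OS X crash reporter register block of that era; for a real incident the thing to record alongside the verdict is eip (here 0x918bef3a, inside a shared library rather than the fill pattern), since it tells you which code was executing when the corrupted state was used.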
Apple does respond to security concerns on their platform, while MS has little motivation to do so.
I'm afraid you're showing some ignorance - MS releases security patches and updates even more frequently than Apple. On the other hand, neither patches holes as aggressively as most Linux distributions or even the programmers of the open source CMS system I use.
Clear, Dark Skies
Apple routinely patches much more serious bugs at the OS level so I don't understand what all the fuss is about. The fact remains that the security situation in Windows was so ludicrous that an unpatched Windows machine would be compromised within minutes of being connected to the internet. It forced Microsoft to drop everything and perform a security sweep of all their existing software, causing the highly visible delays in products such as Vista and Visual Studio 2005. And the security procedures in place now at Microsoft ensure that future software development will continue to proceed at a snail's pace.
It's simply about market share and nothing else. At the end of the month Windows' security problems will still exist while Mac users will continue to not have to worry about spyware and viruses, all of which really negates the stated intent of the Month of Apple Bugs exercise.
ENDUT! HOCH HECH!
11 months out of the year are the "Month of Windows Bugs" but your dad thinks OS X is less secure because of this?
Clear, Dark Skies
I just recently learned more about this:
Yes, you can assume that when a given application loads into memory the various components will end up in the same addresses every time.
Think about it - in a virtual memory system, memory addresses are rewritten so that the application thinks it has all of memory to itself, even though it doesn't. So, even if the physical location the application gets loaded to is probably different every time, the virtual addresses are almost always going to be the same.
So, how do you defend against this? Apparently, newer operating systems, including Vista and XP (I think?) have a randomizing function that changes the virtual addresses around so that they are different every time the program is loaded. This helps make this kind of exploit harder - although I suspect there are still ways to do it.
Clear, Dark Skies
How does this indicate that Windows is "more secure" despite the fact that it is compromised so often by comparison?
Where the hell did I say Windows is more secure than OS X? When did I say that frequent updates are a measure of security?
Work on that reading comprehension, would you?
Clear, Dark Skies
This isn't a pissing contest; pointing to the insecurity of Windows doesn't make OS X secure - the point is that Apple can and should do more to secure OS X.
This is actually an opportunity for Apple to win some hearts and minds - both from the security community and from users at large. If they go after these holes and patch them aggressively then their reputation can only be improved. If, instead, this month simply becomes "the month of fanboys attacking security researchers" you can expect Apple to lose some of its polish.
Clear, Dark Skies
The problem is from what happened last year during the "month of kernel bugs" - that website was dedicated to exposing problems in all popular operating systems - which was all well and good and interesting and useful - but when they published Apple bugs they apparently collected a lot of hate from Apple users.
Apparently they collected enough hate from various Apple blogs and users that it motivated them to create this second site.
Clear, Dark Skies
As long as their choice of third-party apps includes only fairly widespread apps, I won't complain. But if they start to find problems in some random odd shareware app that the vast majority of even technically-inclined Mac users don't use, then they'll be pushing it. (MS Office for Mac, fine. Photoshop, fine. FireFox, fine. Delicious Library, borderline. Missing Link, borderline. BonEcho, sorry, no.)
Another non-functioning site was "uncertainty.microsoft.com."
The purpose of that site was not known.
You were responding in a thread discussing the relative security of Windows and OS X
Ummm... No. I started this thread by describing Apple's relationship with security researchers as troubled. Any attempt to drag Windows into it was done by you.
You know, it says something about your own biases that I can say "Linux and OS X" and you read "Windows".
Then I argued that, "Apple does respond to security concerns on their platform, while MS has little motivation to do so" to which you responded with, "MS releases security patches and updates even more frequently than Apple." If you weren't addressing my point, what were you trying to say?
I, in fact, exactly responded to your point - you made a ridiculous claim, that MS does not respond to security issues. First, this has nothing to do with whether or not Windows is more secure than OS X. Second, your statement is quite obviously false, because MS has spent a vast amount of energy trying to fix the security issues in their operating system.
So, seeing how you can't correctly parse other people's statements, and you apparently don't even understand the illogic of your own statements, I can't see the point in continuing this discussion.
Clear, Dark Skies
"We were originally going to do a "time of the Windows Flaws" but we estimated it'd take 3,027 years to get through all them all." -LMH and Kevin Finisterre
(Not Really)
Does the exploit actually work as stated? Forget the politics and point scoring - has anybody actually made this exploit work? That's important, right?
Although I've never seen any hard numbers on how much pre-binding improves things; as a developer it has given me serious problems because it complicates how shared libraries are built.
Clear, Dark Skies
The *demo* crashes by simply trying to jump to the address "0xbabeface". The point is that if they wanted to, they could have used a more dangerous payload, like a virus.
Heh. If they had released a demo that actually did something nasty, now *that* would have been irresponsible.
Clear, Dark Skies
Yeah, but throwing chairs has never been Steve Jobs' style.
Everything I needed to know about life, I learnt from Blake's Seven
childishness to the whole MOAB thing. But not just on LHM's side (note - I'm not accusing you of this).
I'm a semi-active follower of security websites and podcasts, and it's pretty evident: somebody does the "Month of Browser Bugs" and everyone claps, they do the "Month of Kernel Bugs" and everyone claps - except Apple users. When MOKB published Apple problems, the backlash was nasty, with lots of the old "you're destroying my security by telling people about these security holes" nonsense. That nasty reaction is exactly what led to the current Month of Apple Bugs.
And, like it or not, Apple has to deal with the PR problems created by random bloggers spewing garbage - whether they are fanboys or hackers.
Clear, Dark Skies
I tracked down the issue and created a runtime fix using Unsanity's Application Enhancer. The overflow is in the QuickTime Streaming component's INet_ParseURLServer() function -- the fix patches that function and pre-validates the URL before passing it off to the real function implementation. If the URL is too long, the patch replaces the Evil URL with a benign, but invalid one, and then calls the original function.
It's worth noting that disabling RTSP, as noted elsewhere, is not sufficient -- there are other vulnerable entry-points to INet_ParseURLServer(), as it is used for generic URL parsing.
More information is available here:
http://www.unsanity.org/archives/mac_os_x/the_month_of_trolly_trolls_and.php
and the patch (with source!) can be downloaded here:
http://landonf.bikemonkey.org/code/macosx
You can test the fix (make sure to log out and log back in after installing APE!) in Safari (or Firefox) by visiting this URL:
http://landonf.bikemonkey.org/static/rtsp_crash.html
If you're using Safari, QuickTime should display a "bad address" error once the patch is installed. If the patch isn't installed, Safari will crash.
http://plausible.coop
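The runtime fix described in the post above follows a pattern worth seeing in code: interpose on the unsafe parser, pre-validate the URL's length, and if it fails the check hand the original function a benign-but-invalid URL instead. The C below is an added illustration of that wrapper pattern and is not the poster's APE patch nor Apple's INet_ParseURLServer(); the function names, the URL_MAX and HOST_MAX limits, and the "original" parser (a bounded stand-in, since the real one is not on the page) are all assumptions of this example. The oversized RTSP URL used to exercise it is constructed here.

```c
#include <stdio.h>
#include <string.h>

#define HOST_MAX 128   /* assumed limit on the server component */
#define URL_MAX  1024  /* assumed limit on the whole URL */

/* Benign but invalid URL substituted for anything that fails validation,
 * mirroring what the post says the patch does. */
static const char *BENIGN_URL = "rtsp://invalid/";

/* Stand-in for the original parser (hypothetical; the real function is
 * not on the page). Copies the text between "://" and the next '/' or ':'
 * into host. The stand-in bounds the copy so the demo is safe to run; the
 * point of the wrapper is that it never relies on the callee doing so. */
int original_parse_url_server(const char *url, char *host, size_t hostlen) {
    const char *p = strstr(url, "://");
    if (!p || hostlen == 0) return -1;
    p += 3;
    size_t n = strcspn(p, "/:");
    if (n >= hostlen) n = hostlen - 1;
    memcpy(host, p, n);
    host[n] = '\0';
    return 0;
}

/* Pre-validation done before the parser sees the URL: total length and the
 * length of the server component must both be within the assumed limits,
 * and a scheme separator must be present. Returns 1 if safe, 0 otherwise. */
int url_is_safe(const char *url) {
    if (strlen(url) > URL_MAX) return 0;
    const char *p = strstr(url, "://");
    if (!p) return 0;
    if (strcspn(p + 3, "/:") > HOST_MAX) return 0;
    return 1;
}

/* The interposed entry point: validate, substitute on failure, then call
 * the original. Returns the URL actually passed through so callers (and
 * tests) can observe whether substitution happened. */
const char *guarded_parse_url_server(const char *url, char *host, size_t hostlen) {
    const char *use = url_is_safe(url) ? url : BENIGN_URL;
    original_parse_url_server(use, host, hostlen);
    return use;
}

/* Constructed input: an rtsp:// URL with a server component of ~2000 'A's,
 * the shape of input that triggered the crash discussed in the thread. */
static void make_long_url(char *buf, size_t buflen) {
    snprintf(buf, buflen, "rtsp://");
    size_t i = strlen(buf);
    while (i + 1 < buflen - 16) buf[i++] = 'A';
    buf[i] = '\0';
    strcat(buf, "/stream.sdp");
}

/* Returns 1 if a normal URL passes through unchanged with the expected host. */
int demo_short_url_passthrough(void) {
    char host[HOST_MAX + 1];
    const char *in = "rtsp://example.invalid/stream.sdp";
    const char *used = guarded_parse_url_server(in, host, sizeof host);
    return used == in && strcmp(host, "example.invalid") == 0;
}

/* Returns 1 if the oversized URL is replaced by BENIGN_URL before parsing. */
int demo_long_url_substituted(void) {
    char big[2048], host[HOST_MAX + 1];
    make_long_url(big, sizeof big);
    const char *used = guarded_parse_url_server(big, host, sizeof host);
    return used == BENIGN_URL && strcmp(host, "invalid") == 0;
}

int main(void) {
    printf("short URL passed through: %d\n", demo_short_url_passthrough());
    printf("long URL substituted:     %d\n", demo_long_url_substituted());
    return 0;
}
```

Substituting a syntactically valid but unreachable URL, rather than returning an error code, is what lets the caller keep its existing error path (the "bad address" dialog the post mentions) without the patch having to know anything about the caller. Note also the post's caveat that disabling RTSP is not enough: a wrapper placed at the shared parser covers every entry point that reaches it, which is why the interposition sits on the parsing function rather than on one protocol handler.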
I'm really enjoying being attacked by multiple people for pointing out that the security researchers and Apple don't get along - and that Apple's users are part of the reason. You're really going out of your way to prove me right, aren't you? The insinuation that I think this somehow makes OS X less secure is pure gravy.
And, no, you're wrong - Apple's market share has a direct effect on the security of the OS, because it reduces the likelihood they will be targeted; which is why I gave Macs to my kids, wife and mom.
Clear, Dark Skies
After having used Macs since (literally) Finder 1.0 it's a little bewildering to be attacked as pro-microsoft.
Clear, Dark Skies
Yeah, people who can't support their arguments often retreat.
Seeing how you want me to support arguments I never made, I don't see how I can.
Do you find spewing hostility on slashdot to be cathartic, or are you like this in real life, too?
Clear, Dark Skies
For my father, it's a question of Insecure and business as usual, or a big risk to go to another insecure OS. If Linux or Mac OS looked solid, secure, fiscally reasonable, and usable, it would be much easier to persuade him. (I talked him into trying out Open Office at least.. progress!)
The problem is that the decision makers are the majors, the real movers and shakers, are not young technologists. They don't have the time or interest that I have to pick up and play with it just for fun. It's not as simple for him to say "hmm, mac is making some nice laptops and dell's laptops have been sucking wind, let me give it a try" when it has to work or cost him real $$$. I know that *I* can make any machine running any OS do what I need to get my work done, he can't make that same assumption, and he can't risk bringing that kind of instability in along with a change - he's not responsible if the status quo sucks - that's to be assumed - but if he says "here try this" and it breaks - it doesn't matter that the old system used to break, the one he gave you broke. It's his fault, he should be fired. And so it goes.
You can attack the message if you want - but I've done that gig for 10 years, trying to persuade purchasers to diversify their OS base to avoid vulnerability, only to receive confused or upset stares. When all the person you provide your service to can think of is "change is bad" the message can't be mixed - the new must be better than the old on as many fronts as possible.
-GiH
There's so much blather on the security sites about it, it's hard to even get a clear time line let alone a canonical recitation of the facts. As I mentioned elsewhere, the guys who originally published this exploit clearly mangled the disclosure; and now there's so much pointless hostility around the whole process that the entire subject has become poisoned.
That's why I mentioned in another post that it's possible for Apple to spin this whole process their way - if they make nice and aggressively pursue these bugs, they have a chance to pull a PR win out of this. If they allow the poison pen atmosphere to continue, I think they're looking at more trouble down the road.
I'd really prefer Apple got into the habit of treating security issues as aggressively as the Linux distros do than end up being treated with the same contempt have for Windows.
Clear, Dark Skies
Have you considered exposing him to Security Now? Not to get him to convert to Mac, but simply to help him get informed about how bad computer security is these days.
I'd suggest PaulDotCom but he'd probably have a heart attack if he found out the kind of stuff IT guys get up to when looking for security problems in their networks.
Clear, Dark Skies
There are many ways to crash applications, but not as many ways to actually take advantage of the crash to execute arbitrary code - I have yet to see a post from any Mac users who in fact were able to make this exploit work.
Until we see confirmation that people get anything but this crash, there is no exploit demonstrated, just a way to crash Quicktime.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
I just tried this on my MacBook Pro using the provided QTL files and ruby scripts, but none of them seem to have the claimed effect. Anybody else already tried this?
I could not. And only one person I know could. Other people had to heavily modify the script and run QT Player in gdb along with some other voodoo to get it to exploit properly. Doesn't seem like this will cause much harm.
Either way, a third party developer already fixed this crasher.
Certainly not that Apple is hard to work with. If you actually read what I said, I said that Apple has a troubled relationship with security researchers and that part of it was due to Apple's users and part of it was due to the researchers themselves. At which point did I blame Apple for anything?
Going back to market share - we're talking about two different things, I think. Yes, the number of holes is unrelated to market share - but the ability of an exploit to propagate in the field is directly affected by it.
Consider two diseases that are passed by physical contact. The first disease affects 90% of the population, but 10% are immune. Such a disease will spread quickly, simply because of the likelihood of physical contact between people who are vulnerable.
By contrast, the second disease only affects 10% of the population, and 90% are immune. This disease will spread very, very slowly because it is much less likely for vulnerable people to make contact. While this isn't the same as true immunity, it has a similar practical effect.
Clear, Dark Skies
these so-called security researchers, who pay more attention to bloggers and posters than to the real issue.
They need to do the right thing, not the cute thing, and not do what is simply a glib response to their offended sensibilities.
This is not about just MOAB, it easily applies to these guys' behavior in the whole series.
That any platform's fanboys make LHM pout is no excuse to act like a punk, poke the OS with a stick, and show the public how to take down said OS.
What made MOAB happen is LHM's decision to execute it in exactly this fashion.
I can't fault bloggers or posters for simply spewing their opinion. Everyone does. That's what blogs and forums are about; some happen to be polished enough to withstand the light of day, but most aren't. That's not what security research is about, so it's incumbent upon these alleged security professionals to act as such and do this through regular, responsible channels if they expect anyone, Apple included, to take them seriously.
Apple's not basing their security actions on the demeanor of whiny Mac fanboys - neither should these researchers.
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
That's not exactly evidence, is it? It's not even hearsay (which is a kind of evidence, according to Lionel Hutz).
I don't normally respond to my own posts, but two people modded this as "troll?" I'd love to hear an explanation of the logic behind that moderation.
They claim their goal is to 'improve Mac OS X' (with the side effect of raising awareness). If so, why did they wait until January, and then report them out one a day? If they were truly trying to meet the goals they've listed, they'd either submit them as bugs as soon as they were found and either be silent about them (the "no public disclosure" school) or talk about them when they were discovered or N days afterwards ("disclosure after notice").
Instead, they went with a PR stunt to get page hits every day. They even gave advance notice advertising that they'd do this - so obviously they've been collecting the bugs and holding onto them, trying to maximize their page hits.
How can Apple's *users* be affecting the relationship between Apple and security researchers?
I could understand if you claimed Apple's management affected that relationship, or that Apple's history affected the relationship, but I can't see how an unconnected third party can change the way two other parties relate. The users make a lot of noise, but I don't see how that affects security researchers or Apple, if either of them are professional.
I'm happy to be wrong on this, but you need to show something more substantive than a bald statement.
You can see it happening in this very article.
1. Security researcher publishes Mac OS X vulnerability. Just as (s)he would a Linux or Windows bug.
2. Researcher is immediately attacked by hundreds of rabid Apple fanboys, who act as if Researcher tried to nail them to a cross.
3. Researcher gets pissed off. Every Linux user and other computer professional who understands the state of computer security gets pissed off.
4. Apple now has a public relations problem as multiple individuals decide they need to poke smug Apple users with a sharp stick to show them they aren't as smart as they think they are.
How hard is this to understand?
Try listening to various security podcasts; especially pauldotcom - they don't mind OS X because they know it's just another flavor of Unix and just as secure (and insecure) as any other flavor of Unix. But they all absolutely hate people who *use* OS X and consider us all to be smug pricks who wouldn't know a security hole from their bung hole.
Clear, Dark Skies
Nothing like being mature about it...
So, basically, your point is that they are bad because they weren't superior to all the people who attacked them?
I'm sorry, I still don't understand what the fuss is about. I'm a member of news feeds and podcasts that publish vulnerabilities every day for Linux, Windows, Apache, Drupal, MySQL, and so on. But for some reason many Apple users think they should be exempt from this process and behave badly when no one else agrees with them.
Clear, Dark Skies
Oh, I get it now. You're saying that security researchers are unprofessional... Funny, I'd have thought the real security researchers would go through the normal channels.
Dear Lord. Pompous *and* ignorant.
I'm sorry; but as I've mentioned elsewhere, publishing vulnerabilities on a website or a newsfeed is "normal channels". Often, when you're talking about people who are used to the FOSS scene, they are the only channels.
I regularly get warnings about unpatched security holes in Ubuntu, Drupal, and more. I've never seen Ubuntu users get pissed because someone warned them about a security hole. Usually we just gratefully check to see if we're exposed and do whatever we have to do to protect against the problem until a patch is found.
Clear, Dark Skies
But the coward is right, using APE to patch function entry points really isn't the way to go; Apple needs to fix it themselves.
:-P
I have to say, though, I am impressed that you apparently saw more into this problem than the MOAB guys did - the way the bug report is written, they didn't realize it was a general exploit against all QuickTime URLs.
On the other hand, maybe they *did* realize it was a general URL validation bug and they were hoping to get several days of "Apple Bugs" out of it.
Clear, Dark Skies
In the instant after reading this sentence, your next action will be: intentionally and willfully refraining from gifting me one million dollars, by the specific process of contacting me at synaptik_slashdot@yahoo.com so that I can reply to your email with a paypal account by which you can tender your payment of the one million dollars, payable to the name that I will also disclose therein.
Hmm. Since you've now read the above, but I haven't received the one million dollars from you, I can only assume that my prediction of your subsequent action ("intentionally and willfully refraining from gifting me one million dollars") came true, and thus I have met the requirements of your offer.
Therefore, please contact me at synaptik_slashdot@yahoo.com so that I can reply to your email with a paypal account by which you can tender your payment of the one million dollars, payable to the name that I will also disclose therein.
HSJ$$*&#^!#+++ATH0
NO CARRIER
From what I've read, nobody knows who LMH is. Now, how much weight do you really want to put behind an initiative being run by somebody who won't reveal his/her name? If you are making security issues public and want anybody to take them seriously, tell us who you are and what credentials you have that call for the tech community to take you seriously. Until then, to me you are a bozo out for attention.
Government's idea of a balanced budget: take money from the right pocket to balance...oh who am I kidding?
Guys
A security researcher has to be professional about how they release their information.
1) Who died and left you to decide what "professional" means?
2) How, exactly, do you know that they haven't tried informing Apple first? If you were actually familiar with the issue you would know that they have been complaining about Apple being unresponsive since last year.
So, again, I stand by my insults. You pompously assert that you are the arbiter of "professional" behavior and you ignorantly claim that they never tried to go through "normal" channels without bothering to find out if they have or not.
Clear, Dark Skies
MOBB - Established and run mainly by HD Moore (who most people seem to accept does things relatively well). Moore also withholds the nastiest of exploit code (despite giving sufficient detail on how to go further), makes an effort to pre-notify the vendors, and generally does enough to be seen as one of the 'Good Guys'.
MOKB - The spate of wireless driver vulnerabilities and associated linked exploit code at first glance seems to be a follow on from the Secureworks debacle at the Black Hat Briefings (and so probably draws more of the vicious responses). There are decreasing levels of vendor notification and more cases of complete exploit code readily available. At least one of the vulnerabilities and associated exploit code is publicly torn apart by another researcher (who also suggests that the original researchers need more time learning to interpret the debugger output).
WOOB - Relatively unknown researcher tries to spend the first week of December releasing Oracle bugs and previously-unknown Oracle 0-day code. It is assumed by many that Oracle applied legal pressure to stop the process (numerology fans might want to check out the binary code behind the message cancelling the project, and compare it to the text of the message).
MOAB - LMH (capabilities now established due to participation in MOKB) and KF set out to release exploit code and vulnerability details for issues that have not been previously notified to the vendor (as the FAQ clearly states). Most observers are quite willing to wait and see something come out that targets OS X specifically (despite being called MOAB). With the first vulnerability being a problem with protocol handling in a media codec (installed by default), and the second a protocol handling problem in cross-platform software that is not even shipped with OS X, many observers are starting to question the capability of the researchers (and that is coming from people within the industry, not necessarily OS X fanatics).
When you are going to target something that is protected / supported by fanatical and vocal supporters, you really need to make sure that what you provide is bullet-proof and can stand up to criticism, else it will end up in a quagmire of flaming. Guess what hasn't happened so far?
InfoSec that matters, when it counts.
An example QTL file exploiting this issue (pwnage.qtl) is available (it will say 'happy new year' via /usr/bin/say, and expects the command string to be located at 0x17a053c, tested on Mac OS X 10.4.8 8L2127, x86 architecture). If it doesn't work on your system, use the exploit to generate another QTL with your own options or the shell spawn variant (pwnage-shell.qtl, 100% reliable for a current up-to-date x86-based OS X system).
Clear, Dark Skies
It's on the front page of the main site which, for some reason, isn't the web site the code is on:
http://applefun.blogspot.com/
Clear, Dark Skies
Microsoft is not performing due diligence and is quite frankly not giving customers what they want.
Microsoft's attitude to security is criminal. They have refused to even consider fixing the underlying problems that are celebrated many times a year with new "cross zone" attacks... even maintaining the broken design responsible in the face of having the company broken up by the justice department.
That's a security hole that's getting its 10th birthday this year.
"Now comes the fun, if a bug is reported to Apple how long do they get to fix it? Who will determine when enough time has passed?"
Well, I believe the last serious security hole reported to them was fixed in 10 days, which is pretty good turn around for development and QA.
Apple: 10 days.
Microsoft: 10 years.
That's fair.
There is a buffer overflow.
Yes, but not all buffer overflows can lead to code exploits. This particular exploit relies on the buffer overflow exactly hitting a specific memory address, which does not appear to always be where they were thinking it was - rendering the attack as-is useless (as noted, it does not work on my MacBook).
You can be forgiven for not understanding the full implications of a buffer overflow from the sensationalistic approach the media has taken, where every buffer overflow is a guaranteed entry into the darkest heart of your system. Next time don't be so afraid of what you don't know or understand.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
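The post above draws the distinction between an overflow that merely crashes and one that is exploitable, and earlier posts mention a third-party fix that checks the affected function. As an added illustration (not code from the thread, from MOAB, or from Apple's QuickTime), here is a toy rtsp:// URL handler in both forms: the unchecked copy into a fixed stack buffer, and a hardened version that measures the host part and rejects oversized input. All names, the 64-byte limit and the sample URLs are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define HOST_MAX 64   /* assumed fixed-size stack buffer for the host part */

/* Vulnerable pattern (illustrative): the host part of an rtsp:// URL is
 * copied into a stack buffer with no length check. A host longer than
 * HOST_MAX overwrites whatever lies above the buffer on the stack; whether
 * that yields a crash or controlled execution depends on the stack layout,
 * which is exactly why the same overflow behaves differently per machine.
 * Only ever called here with a short, safe input. */
static int handle_rtsp_url_unchecked(const char *url)
{
    char host[HOST_MAX];
    if (strncmp(url, "rtsp://", 7) != 0)
        return -1;
    strcpy(host, url + 7);               /* no bound on the copy */
    return (int)strlen(host);
}

/* Hardened form: validate the scheme, measure the host part up to the next
 * ':' (port), '/' (path) or '?' (query), and refuse anything that does not
 * fit in the caller's buffer instead of truncating silently. Returns the host
 * length, or -1 on rejection. */
static int handle_rtsp_url_checked(const char *url, char *host_out, size_t out_len)
{
    const char *p, *end;
    size_t n;
    if (strncmp(url, "rtsp://", 7) != 0)
        return -1;                       /* wrong scheme */
    p = url + 7;
    end = strpbrk(p, ":/?");
    n = end ? (size_t)(end - p) : strlen(p);
    if (n == 0 || n >= out_len)
        return -1;                       /* empty or oversized host: reject */
    memcpy(host_out, p, n);
    host_out[n] = '\0';
    return (int)n;
}

/* Builds a constructed rtsp:// URL with a host of host_len 'A's and returns
 * the hardened handler's verdict, so the rejection path can be checked. */
static int checked_verdict_for_host_len(size_t host_len)
{
    char url[7 + 512 + 1], host[HOST_MAX];
    if (host_len > 512) host_len = 512;
    memcpy(url, "rtsp://", 7);
    memset(url + 7, 'A', host_len);
    url[7 + host_len] = '\0';
    return handle_rtsp_url_checked(url, host, sizeof host);
}

int main(void)
{
    char host[HOST_MAX];
    printf("unchecked, short input: %d\n", handle_rtsp_url_unchecked("rtsp://media.example/clip.mov"));
    printf("checked, short input:   %d\n", handle_rtsp_url_checked("rtsp://media.example:554/clip.mov", host, sizeof host));
    printf("checked, 300-byte host: %d\n", checked_verdict_for_host_len(300));
    return 0;
}
```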
I want to point one thing out, though. The rtsp hole *does* exist on all Macs, MOAB just screwed up their demo of it. If you look at the fix that was posted here, the author of the fix identified the function affected.
In my mind, that's the worst thing about all this because the MOAB people have effectively damaged their reputation and confused the issue about a serious security hole.
Clear, Dark Skies
Well, aren't you just a wet blanket, ruining all our fun! :-D
(porkchop goes to sit in the corner, facing the wall)
Clear, Dark Skies
I actually wish they had reported this a year or two ago - if you dig into the bug, they link to an in-depth analysis of how the malloc system works, and I could have really used that when I was porting some software from Linux to OS X; I spent weeks working out how to trick the Mac libc into letting me pin user memory for DMA operations.
Clear, Dark Skies