Slashdot Mirror


Month of Apple Bugs - First Bug Unveiled

ens0niq writes "The first bug (a Quicktime rtsp URL Handler Stack-based Buffer Overflow) of the Month of Apple Bugs has been unveiled — as previously promised — by LMH and Kevin Finisterre. From the FAQ: 'This initiative aims to serve as an effort to improve Mac OS X, uncovering and finding security flaws in different Apple software and third-party applications designed for this operating system. A positive side-effect, probably, will be a more concerned (security-wise) user-base and better practices from the management side of Apple.'"

10 of 240 comments

  1. Re:QuickTime runs on Windows too... by antime · · Score: 4, Informative
    RTFA:
    Affected versions

    This issue has been successfully exploited in QuickTime(TM) Version 7.1.3, Player Version 7.1.3. Previous versions should be vulnerable as well. Both Microsoft Windows and Mac OS X versions are affected.

  2. removed, but... by ens0niq · · Score: 3, Informative

    Credit line removed by the editor, but i found this report on HUP.

  3. Re:good thought but I wonder by jellomizer · · Score: 5, Informative

    These people are doing Gray Hat hacking. Where, like the White Hats, their goal is not to do damage to other people's computers, but like the black hats they feel that people need to feel a little pain before anything can get done, and just reporting the problems to the company is not effective enough to get it done. It falls in the range of legal hacking, but it may not be the most moral way of doing it though. It is like finding a car door open and yelling out "Hey, this car door is open and all the valuables are inside, someone should lock it!" vs. finding the person who owns the car and discreetly telling him that it is unlocked. Or just locking the door yourself.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  4. Re:QuickTime runs on Windows too... by elrous0 · · Score: 4, Informative
    You'll note that it's the "Month of *APPLE* Bugs," not the month of OS X bugs.

    -Eric

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
  5. Re:No problem! by Jeff DeMaagd · · Score: 3, Informative

    I've seen several instances where Apple was aware of a bug but waited months to fix it. Heck, the Quicktime bug that permitted the MySpace virus still runs free according to the last security thread at AppleInsider.

  6. Doesn't work by matth · · Score: 2, Informative

    I tried the exploit.. doesn't work on my macbook.

  7. I'm afraid you are incorrect, sir. by porkchop_d_clown · · Score: 2, Informative

    The wireless exploit you cite, for example, turned out to be hype about a problem that affected no mac in its default state...

    The wireless exploit did apply to Airport cards; but you are correct that researchers mishandled the disclosure - which, as I said, resulted in a lot of hard feelings on both sides.

    1. Re:I'm afraid you are incorrect, sir. by 99BottlesOfBeerInMyF · · Score: 4, Informative

      The wireless exploit did apply to Airport cards;

      It is my understanding that the vulnerability you reference as well as the other two they fixed were both the result of an internal audit of their wireless drivers and not the result of the exploit that was publicized. The issue is more than a little muddy, however, and I'd be grateful if you could provide a reference to show either way.

  8. Re:No problem! by Ash-Fox · · Score: 2, Informative
    Macs had viruses in the past. OS X hasn't had any yet.
    Yes it has. The first one written specifically for OS X came in the form of a trojan. I've also seen Mac classic viruses work fine on PPC OS X systems.

    OS X has had security holes, which could have allowed viruses through it, but Apple patches them rather quickly before any can actually spread.
    Not really. Have you forgotten things like auto-installing widgets?
    Apple being behind other BSD systems in patching old exploits?
    Apple being behind in patching SSH, Apache?
    Plus, unlike Windows viruses, it actually takes a person who actually knows stuff to make an OS X virus.
    Uh... You need to know stuff to write a windows virus too.
    Most Windows viruses take advantage of easy-to-make ActiveX controls
    Not according to Norton, F-secure and McAfee.
    VB Scripts in applications
    Not according to Norton, F-secure and McAfee.
    and a bunch of other crap that Microsoft put in their OS during the 90's because they wanted to make sure their products could do more than their competitors and because no one cared about security
    Uh, again no. Give me some decent examples at least.

    All I can think of from the 90s in particular that's causing vulnerability issues, is how current Microsoft office documents are still mostly just memory dumps of the programs themselves.
    Now Apple OS X was redesigned with a 21st century mindset on security.
    I don't know... Most of the security techniques Apple uses were developed back in the early 90s...

    However, the OS in my opinion is far from being a 21st century mindset in general. I mean, look at some of the stupid stuff we have to do.
    Where we have to open a console and type
    defaults write com.apple.finder AppleShowAllFiles TRUE
    Or where we have to open XML files and change a bunch of values to enable/disable various GUI settings that should be in the GUI preferences pane?
    Or where the OS is purposely locked into using hardware from a specific vendor? (We've had this long ago, then we kind of evolved with x86, to no longer get locked in... But here comes Apple)

    But as time goes on Apple is putting more and more features into the OS, many of them scary in security terms, such as integration of iChat and the other iApps, the Automator and other things which could lead to security problems in the future.
    Heh, or we could do the simple things that have always worked well... Exploits against the user. Just send them an e-mail with a .pkg file that contains a rootkit (there are feasible methods to do this on OS X), said hidden process scans the address books of users on Mac (useful, since many Mac users actually do use the mail client on the system), then starts sending copies of that .pkg to those people.

    We can even expand it further: get it to 'infect' any .dmg files downloaded with its own files (hidden files are wonderful for this), so on the off chance an infected machine sends said dmg somewhere, it will infect the other user, who thinks he's only installing (either by .pkg or drag-dropping the 'application directory' file) the program he thinks.

    Hell, we can even make blah.jpg.app files, which appear to most users as 'blah.jpg', hasn't Apple learned anything from Microsoft?

    My point is, coming up with methods to make virii on Mac isn't that hard.
    --
    Change is certain; progress is not obligatory.
  9. Re:Looking for help understanding this. by iluvcapra · · Score: 2, Informative

    It's not calling curl or the shell from memory, it appears (from the description) to be a return-to-libc attack. I am not an expert on this particular thing, but a return-to-libc attack is where you use a buffer overflow to overwrite the return address of the stack frame. Under normal circumstances, the rtsp URL parser would return to its calling function, but if an overflow overwrites the return address, you can basically rewrite the stack's memory of who called the URL parser in the first place. So, instead of returning to where Quicktime called it, your computer can be tricked into returning to a different place in memory, like somewhere in libc. Libc has all kinds of dangerous functions, namely system(3), which accepts a string as an argument (which you have also put on the stack with your buffer overflow) and will run an arbitrary program on your computer (like curl, but bash and perl and ruby can do all kinds of damage).

    Of note is the fact that this exploit gets around NX, because your payload need not be executable, it merely is a return address and a string to pass into libc. Also of note is that this exploit does not cause privilege escalation; any processes started by the exploit will run under the privileges of the user who clicks on the file, and you will still get a sudo-dialog if the sploit tries to do things as wheel.

    If I am misreading this exploit, please correct me. They say "arbitrary code execution" in the summary.

    --
    Don't blame me, I voted for Baltar.
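The stack-based overflow that comment 9 describes, shown as an added example that is not QuickTime's code or anything from the Month of Apple Bugs: a hypothetical rtsp:// host parser in its unsafe form (an unbounded strcpy into a fixed stack buffer) beside a bounds-checked form that rejects input it cannot hold. HOST_MAX and the function names are assumptions.

```c
#include <string.h>

/* Hypothetical rtsp:// host parser, constructed for illustration;
 * it is not QuickTime's code. HOST_MAX is an assumed buffer size. */
#define HOST_MAX 64
#define SCHEME "rtsp://"
#define SCHEME_LEN (sizeof(SCHEME) - 1)

/* Unsafe form: strcpy() into a fixed stack buffer with no length check.
 * A host longer than HOST_MAX-1 bytes overwrites what follows the buffer
 * on the stack, including the saved return address the comment describes.
 * Shown for contrast only; feed it nothing but trusted, short input. */
int rtsp_host_unsafe(const char *url)
{
    char host[HOST_MAX];
    if (strncmp(url, SCHEME, SCHEME_LEN) != 0)
        return -1;
    strcpy(host, url + SCHEME_LEN);     /* unbounded copy: the bug */
    return (int)strlen(host);
}

/* Hardened form: measure the host first, reject anything that does not fit
 * the caller's buffer (with room for the terminator), then copy with an
 * explicit bound. Returns the host length, or -1 on rejection. */
int rtsp_host_safe(const char *url, char *host, size_t host_len)
{
    if (url == NULL || host == NULL || host_len == 0)
        return -1;
    if (strncmp(url, SCHEME, SCHEME_LEN) != 0)
        return -1;
    const char *p = url + SCHEME_LEN;
    size_t n = strcspn(p, ":/");        /* host ends at port or path */
    if (n == 0 || n >= host_len)        /* empty or would not fit: reject */
        return -1;
    memcpy(host, p, n);
    host[n] = '\0';
    return (int)n;
}
```

The hardened form returns -1 for an overlong host instead of writing past the caller's buffer, so no return address can be overwritten regardless of the URL's length.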