Month of Apple Bugs - First Bug Unveiled
ens0niq writes "The first bug (a Quicktime rtsp URL Handler Stack-based Buffer Overflow) of the Month of Apple Bugs has been unveiled — as previously promised — by LMH and Kevin Finisterre. From the FAQ: 'This initiative aims to serve as an effort to improve Mac OS X, uncovering and finding security flaws in different Apple software and third-party applications designed for this operating system. A positive side-effect, probably, will be a more concerned (security-wise) user-base and better practices from the management side of Apple.'"
Okay, since I jumped the gun, I will answer my own questions: RTFA, yes it does!
Credit line removed by the editor, but I found this report on HUP.
Could you give some examples of Apple suing people to cover up security holes then?
These people are doing Gray Hat hacking. Where, like the White Hats, their goal is not to do damage to other people's computers, but like the Black Hats they feel that people need to feel a little pain before anything can get done, and that just reporting the problems to the company is not effective enough to get it done. It falls in the range of legal hacking, but it may not be the most moral way of doing it though. It is like finding a car door open and yelling out "Hey This Car Door is Open and all the valuables are inside someone should lock it!" vs. finding the person who owns the car and discreetly telling him that it is unlocked. Or just locking the door yourself.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
This isn't a problem because it has been proven that only Windows can get viruses. Therefore, because it's not possible for viruses to spread with MacOS, security threats are irrelevant.
Please, try the veal.
Slashdot Burying Stories About Slashdot Media Owned
I don't know what you mean by the "Linux Cop Out" because it seems like you're confusing Apple and Mac OS X. Remember, this is the month of Apple bugs, not necessarily the month of OS X bugs. Also, how is quicktime a third party application if it is developed by Apple?
He would, but they were all absorbed by Steve Jobs and his reality distortion field. Sorry.
Do you like German cars?
"The problem with so-called 'responsible disclosure' is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial."
Is Apple as bad as MS when it comes to fixing security flaws? Is there really a need to show how "insecure" OS X is? Or is this more a "you're going to start listening to security experts when they have something to say or else..." type situation. I did read the FAQ but they really don't show any evidence to prove why this is a good thing, how this will improve OS X security, or how Apple has been unwilling to fix flaws in the past.
They could be 1000% right, but on the surface I just don't see anything which either confirms or denies their theory. It would be nice to at least read some sort of history of how Apple has interacted with Security researchers in the past.
If you wanna get rich, you know that payback is a bitch
I just tried this on my MacBook Pro using the provided QTL files and ruby scripts, but none of them seem to have the claimed effect. Anybody else already tried this?
But as another comment has pointed out, this is a month of Apple bugs, not OS X bugs.
I dunno who it is
but it prolly is fhqwhgads.
-Eric
SJW: Someone who has run out of real oppression, and has to fake it.
Well it is a stab at the Linux user community on their views about security. If there is a problem it is rarely a Linux (Kernel) problem but with some other application that is running: Apache, Sendmail, su, sudo... stating these are 3rd party tools not part of Linux per se. Yes, I mistook a Month of Apple Bugs for a Month of OS X Bugs, my mistake.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
This is just the wrong way to do this folks. They should be finding and notifying Apple.
OS X is unimaginably complex. Even the 1500+ page "OS X internals" tome just scratches the surface of most things.
(Note that I own and enjoy using a MacBook, so I'm not blindly Apple-bashing.)
The complexity is the first problem. The second is that almost all of the code was written in an insecure manner. No one was doing code-level security reviews on QuickTime and Quartz and all the other bits of OS X. And even if you did, squashing all potential overflow/overwrite bugs in a language like C is essentially impossible. We'll keep living with endless exploits until more secure techniques are used for writing software.
Apple has had poor relations with security researchers for years. Partly it's because of the smug attitude of many Apple users - who assume that because they don't get attacked their OS is more secure; but part is also the researchers themselves.
The flame wars over the airport card exploits are a good example - first, the researchers used a 3rd party card which meant it had little to do with OS X problems, which created a number of he-said-she-said arguments. As I understand it, the airport exploit was (is still?) real, but the arguments created a lot of ill-will on both sides.
Clear, Dark Skies
It's more like finding a bank vault open and shouting out, "Hey, everyone, this bank has left its vault open with your money in it."
I wish to remain anomalous
Sun to the rescue...to make it cross platform just write the virus in Java!
-Eric
SJW: Someone who has run out of real oppression, and has to fake it.
The logo on their blog is very disturbing
If they were truly interested in "improving MacOS X" or "improving practices on the management side of Apple" then they would release these bugs to Apple first. Don't wait an insane amount of time, but give them a nice reasonable amount of time to fix the bugs. Heck, even tell them you plan on releasing them on thus and so date and start the month *then*, giving props to Apple for those they have fixed.
Integrate Keynote and LaTeX
This analogy sucks because a guy leaving his door unlocked doesn't normally affect others and there is no need to publicize it.
Gray Hat hacking is like discreetly telling the guy that his car door is open, waiting for a while to give him a chance to lock his door, then yelling "Hey This Car Door is Open and all the valuables are inside". The most hotly debated item is how long the waiting part of "waiting for a while to give him a chance" should be because there is no clear consensus on how long it should be. Vendors believe that the waiting time should be until the vendor announces the vulnerability, which may be 'never'. Some Gray Hats believe that a vulnerability should be publicized as soon as it is discovered.
The biggest issue is that vendors rarely say how to report security vulnerabilities in a way that the vendor will acknowledge that it has been made aware of the potential vulnerability. This lack of acknowledgment is the primary reason for Gray Hats having to publicize the vulnerability. Another big issue is that security engineers live and die by being the first to report a vulnerability -- and vendors don't usually give credit to the engineer who reported the vulnerability to them. Even if a patch for a serious vulnerability is released the vendor may not even acknowledge that a serious vulnerability has been patched.
Has Apple sued a whistleblower or someone who has reported a security issue. EVER?
Or is the parent just full of lies, FUD and other unpleasant and damaging stuff?
- Henrik
- when the Shadows descend -
--
I can't search. I uninstalled Google - P. Ducler
Not exactly. In this case they are not going to the manager first; they are going to the public about it first.
Next a Bad guy may not have the key, but once he knows the key is missing he will start looking around for the guy who found the key and take it away from him. It is more like the key is hidden under the welcome mat. And the guy found it one day then blabbed about it to everyone even outside the apartment.
As a landlord myself I know, some jobs can't be done right away. Some things, especially changing all the locks, take time, including finding the residents and giving them the new key before they leave, so you can change their locks. Also the time to fix all the locks, dealing with people who think their lock should be replaced first, others who love their lock so much they don't want to change it. Some people cringe in fear when the landlord knocks, figuring they will evict them with a blink of an eye (even though it is expensive to leave a room vacant).
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
This particular option isn't really available in this case, is it? They don't control the OSX source code, Apple does.
It is like finding a car door open and yelling out "Hey This Car Door is Open and all the valuables are inside someone should lock it!" vs. finding the person who owns the car and discreetly telling him that it is unlocked.
Bit of a problem with this analogy too. The "door" in question is controlled/lockable only by the person who owns the house (as pointed out above), yet leaving it unlocked affects not the residents of that "controlling" house but instead millions of other residents of other houses. The pivotal question is whether the owner of the controlling house can be sufficiently motivated to act on behalf of these other folks. I couldn't tell from reading the FAQ whether they've approached Apple privately or not. I suppose I'd guess they haven't or else they'd probably mention it... but that doesn't necessarily render their current approach less moral.
- First they ignore you, then they laugh at you, then ???, then profit.
I tried the exploit.. doesn't work on my macbook.
Black hats are interested in profiting from their knowledge of vulnerabilities. These guys aren't.
I disagree. Black hats are interested in illegally profiting from vulnerabilities. White hats are interested in legally and ethically benefiting from vulnerabilities. Grey hats are interested in benefitting from security exploits in ways that are unethical and questionably legal.
They want them to be fixed and know that even the deified Apple won't allocate resources to fixing problems that have a low profile.
No, these guys want publicity for themselves. Apple has been quite responsive to security researchers and most that I know think Apple has been doing a pretty reasonable job. If you're going to argue that bugs need to be publicly released because Apple won't fix them otherwise, you need to support that assertion. Even then, what is your justification for not releasing it immediately, but doling them out more slowly? That doesn't benefit anyone but these researchers for whom it provides prolonged media exposure they hope to gain from financially.
So they're out to raise the profile of each problem.
Raising the profile of a problem makes sense, if it is being exploited in the wild or if you've contacted the vendor and they're dragging their heels while people are at risk. Otherwise, it is simply harmful to everyone involved.
Much better than using the vulnerabilities to build Mac-based botnets...
Ahh, the classic "we're not as bad as China" argument. Doing something unethical isn't made any less unethical by the fact that someone else is doing something even more unethical. These guys obviously are interested in one thing, getting themselves in the news to make themselves money.
Is it just me, or is this event well timed? A month of Apple bugs/exploits on the lead up to Windows Vista's commercial release on January 30th (the most "secure" version of Windows). Sounds sinister to me.
Q: What's worse than finding a worm in your apple? A: Finding a bug in your MAC.
The reality distortion field you cite is warping your perspective. Apple is actually not particularly litigious compared to most companies their size. To my knowledge they've never sued anyone for publicizing bugs. They don't even normally go after publications that intentionally publicize their trade secrets unless they admit having obtained those secrets from an insider Apple does not know the identity of, and in the one case of that, they sued only for the name of the informant, not for any damages against the publication. The thing is, the litigation they do engage in is often highly publicized, making it seem as though they are very litigious.
So to answer your question, if they have a reasonable grasp on reality, no they aren't worried about being sued.
The wireless exploit you cite, for example, turned out to be hype about a problem that affected no mac in its default state...
The wireless exploit did apply to Airport cards; but you are correct that researchers mishandled the disclosure - which, as I said, resulted in a lot of hard feelings on both sides.
Clear, Dark Skies
I'd be willing to bet that a large percentage of these are holes in QuickTime. It's not really a shock to anyone to suggest that it's a buggy, badly coded pile of shit.
I'd be interested to see what they define as "Apple". Do they mean just Apple software, or software that's bundled by Apple? For example, an update last year added in the Macromedia Flash player. I would imagine that that is riddled with security holes.
There's a reason I browse with all plugins disabled, you know...
All in all, this "Month of Bugs" thing is good approach to proactive OS support behavior by a user community. The only problem is, that such an approach requires a fair amount of Good Will towards the product from those users. This effectively rules out similar plans working for Microsoft Windows.
There really is a long-term benefit from good behavior on the part of corporations: your customers will actually go out of their way to help you.
Unlike macobserver, who seems to think things like security holes are better left unmentioned, I salute LMH and Kevin Finisterre for doing this.
You are welcome on my lawn.
"Apple has had poor relations with security researchers for years. Partly it's because of the smug attitude of many Apple users - who assume that because they don't get attacked their OS is more secure"
Huh? Apple's users are to blame for Apple's work with security researchers?
Imagine that meeting - "Steve, I'd love to make sure we use every avenue available to us to secure the platform, but heck, our users are just thumbing their noses at the rest of the OS world, and gosh, but it's fun to see - I say let's just live with the holes." "Sounds good to me, Phil - thanks for the insight. Now, about that MacBoy Advance SP that Scooter's been working on..."
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
Not to minimise the problems of writing large complex software systems, but complexity is the second problem... insecure design is the first.
I'm more concerned with the fact that Safari uses the same URI handler and helper database as Finder (LaunchServices) and that Apple is more interested in giving people a false sense of security with pop-up dialogs than changing the API slightly to make it inherently secure.
* Split LaunchServices up into "web oriented" applications that are intended for use with untrusted files, and "desktop" applications. This would have the additional advantage of allowing for "viewer" versions of applications that have reduced functionality and simpler design (going back to the original poster's point).
* Disable "Open safe files after downloading" by default, and if it remains an option then include a comment in the preferences pane that enabling it will reduce the security of your system.
* And don't EVER include software installers in the list of "safe" applications! I cannot comprehend the confusion in the mind that would lead Apple to install widgets and packages directly from the browser. Firefox makes the same mistake, by the way... it's like watching gangrene spread.
This is not as bad a design problem as Microsoft's use of the HTML control as a universal gateway for viruses and spyware, but it's bad enough that it should be given priority.
can see what it's like to be noticed.
When Microsoft gets treated to the same, very few care; in fact some seem to relish it.
Now comes the fun, if a bug is reported to Apple how long do they get to fix it? Who will determine when enough time has passed?
I look at it this way, Apple still is well off. They haven't a big enough installed base to get the "Average user" which Microsoft has to both sell to and suffer with. When they do penetrate the "Average user" market and get into double digits of popularity then they attract attention they don't want. Do not underestimate the creativity and capability of the hackers out there.
That old adage about a bunch of monkeys is apt
* Winners compare their achievements to their goals, losers compare theirs to that of others.
I can't help but feel that this whole thing is just sour grapes. I certainly don't feel that improving OSX is the sole motivation behind this. The blog reeks of immaturity and lacks any form of professionalism. The language is smug and juvenile? pwnage? (Wow, high school all over again). They go into great detail on how to execute the exploit but dedicate one sentence on how to avoid it. Then, where is the discreet vendor warning that traditional researchers give before going public? They are not doing it! Are they trying to provoke an attack? I don't see the service that they are doing for me as an OSX user. In fact, I look upon this whole stunt with nothing but contempt. I see this as a snipe at mac users because it hasn't been attacked. I think this line says it all!
You're the PC now, Mac (YTPNM).
You don't have to be smart to use a Mac, you just have to be smart enough to buy one
The same argument could be made about many of the Microsoft bugs... IE is a third party application that is bundled with the OS and not the OS itself. Same argument... on the other hand QT is an Apple product so if there are security risks associated with it, the company should patch it--and not just for the most recent version of the OS.
Partly it's because of the smug attitude of many Apple users - who assume that because they don't get attacked their OS is more secure; but part is also the researchers themselves.
So please explain to all of us why we have no viruses on the Mac yet, even with some tens of millions of fairly homogeneous computers around (same OS, same patches, much of the same hardware) in a world where botnets of even just a hundred thousand nodes bring in real money. There is financial incentive enough for the macs to have viruses and spyware, yet they do not.
Perhaps you should instead apply Occam's Razor, and think that if in fact any given OS sees fewer attacks than another, it is actually more secure.
Of course there are holes in OS X, any reasonable Mac user realizes this. But we also know we have yet to see any real exploits in the wild. So far this effort is not really doing anything about that situation either way; if you'll read below you'll find this first proof of concept exploit does not even work!
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Your opinion might have meant something if you hadn't posted AC. As it is, it's hard to believe you've actually done any OS X programming - or at least any recent programming. Tiger cleaned up the kernel APIs quite a bit.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
While I've played with ruby, perl, C and work almost daily in a variety of shells I honestly don't have the background to fully understand what they've offered up here.
From the article (and based on my limited understanding) it relies on the shell and curl being resident in a known memory location? Can someone with deeper OS X internals knowledge explain why the system would always put the shell and curl into the same memory space? This seems to go contrary to what I would expect; that the system allocates memory when a program is executed and that memory can be any from the available pool.
If OS X is indeed always putting certain programs into specific memory addresses, then yes this is definitely a problem that Apple needs to fix now. Otherwise, an attack using this approach is more like firing a gun in a pitch black room and hoping you hit a target that may (or may not) be somewhere in the room. While there is a chance it will work, I would rather spend time picking numbers for the lottery (the potential payoff would be much better).
Their link to the Phrack article http://felinemenace.org/papers/p63-0x05_OSX_Heap_Exploitation_Technqiues.txt is a more interesting read. I can't make any claims that I understand that better but after reading through it, it makes more sense. Exploiting programs that use Apple's Webkit. Whether or not those exploits still exist, I don't know.
"The avalanche has already started, it is too late for the pebbles to vote." -Kosh
MacOSX is still turning up significant flaws that were fixed in other flavours of UNIX many years ago.
True, Apple is running into some of the same old problems as they try to build new things to interact with old things. I wish they had stricter security reviews processes.
Apple has probably the worst attitude to quality control I have ever come across in the PC industry (i.e. they don't appear to have any). You might think that Windows has many problems with security holes, but looking at the automated code review tools and approach to security within Microsoft, and comparing this to Apple's approach, it is safe to say that the inferior end product will most definitely be Apple's.
I don't know Apple's policies on code review. I know they do some audits and that is it. It looks like they could really use some improvement. That said, I do know people from MS and their security reviews are a joke. From anecdotes, less than half of all security holes reported internally are given high enough priority to ever be fixed and they don't have a thousand monkeys pounding on open code. And in the end, it is results that matter. Apple does not have a malware problem, and is mildly resistant to amateur directed attacks. Windows has a huge malware problem and can often be hacked with freely available script kiddy tools.
I also find Microsoft staff much more helpful and knowledgeable than the moron 'experts' that apple usually fields.
I've submitted bugs to both Apple and MS. Some of the Apple ones were fixed (all the security ones). None of the MS bugs have ever been fixed.
It is just too buggy, lacks scalability (try using heavily threaded programs, or I/O / network intensive apps), and the kernel seems to have some fairly significant and obscure bugs that can waste significant time.
Are you talking about server roles or desktops? Both OS X and Windows are less than optimal servers. Windows can't multitask its way out of a wet paper bag and has always had stability and security issues that result in unavailable services. I'd not build a server on either OS X or Windows though. If you're looking at the desktop, however, there is no comparison.
I am sticking to platforms I trust: AIX, Linux, and Solaris. They have their own lesser problems, but at least quality and scalability are not a serious concern.
Quality and scalability aren't concerns on Linux? Where can I get this mythical version of Linux?
I guess that depends on your definition of third party. To me, neither IE nor Quicktime is a third party application as they are made by the same company. The differentiation that you may be looking for is whether these are core system applications or optional (secondary) applications. While both are bundled with the OS, MS has constantly said that IE is a part of the OS and cannot be removed. Quicktime and Safari can be uninstalled on a Mac. The question whether IE should be tied to the OS is another debate.
Well, there's spam egg sausage and spam, that's not got much spam in it.
Nice way to describe it. Another way would be "rather than engaging in anything even resembling a cursory, let alone thorough, internal investigation, Apple decided that the best way to resolve the issue was to hit a third party with tens of thousands in legal bills, rather than investigate the issue itself".
I said that the incident contributed to bad feelings between Apple and security researchers. You contrived that to mean that I blame Apple for the problem.
I'm beginning to understand why so many researchers find Apple users annoying.
Clear, Dark Skies
Another way would be "rather than engaging in anything even resembling a cursory, let alone thorough, internal investigation, Apple decided that the best way to resolve the issue was to hit a third party with tens of thousands in legal bills, rather than investigate the issue itself".
Sure, but the point you are missing is that Apple was legally in the right. They had every right to sue and not only for the name of the leak, but also for punitive damages large enough to shut down the small publication and discourage others. The fact that they didn't speaks to Apple's propensity to not use litigation to stop speech they don't like. And that is the subject we were addressing, should these researchers be afraid that Apple will bring a baseless lawsuit against them in order to stop their publication. The answer is, no, Apple doesn't stop speech it doesn't like when it can legally shut them down.
Perhaps you could try reading my post again, look at your own reply and consider how Apple fanboys have a reputation for pissing off people who have to work with Apple.
For the win: Please point out where I said it was Apple's fault they had a poor relationship with security researchers.
Clear, Dark Skies
Avoid Missing Ball for High Score
We just had this argument last night.. great to see so much "support" from the alternative OS community.
-GiH
The assumed known address is wrong, but it does crash quicktime on my machine.
/Applications/QuickTime Player.app/Contents/MacOS/QuickTime Player
...
:)
Snips from my crash log:
OS Version: 10.4.8 (Build 8N1051)
Report Version: 4
Command: QuickTime Player
Path:
Parent: WindowServer [57]
Version: 7.1.3 (7.1.3)
Build Version: 65
Project Name: QuickTime
Source Version: 4650000
PID: 9548
Thread: Unknown
Exception: EXC_BAD_INSTRUCTION (0x0002)
Code[0]: 0x00000001
Code[1]: 0x00000000
Unknown thread crashed with X86 Thread State (32-bit):
eax: 0xffffffff ebx: 0x41414141 ecx: 0x900012f8 edx: 0xffffffff
edi: 0x41414141 esi: 0x41414141 ebp: 0xdeadbabe esp: 0xbfffd628 (hello deadbabe!)
ss: 0x0000001f efl: 0x00010286 eip: 0x918bef3a cs: 0x00000017
ds: 0x0000001f es: 0x0000001f fs: 0x00000000 gs: 0x00000037
Not so good.
Slashdot. It's Not For Common Sense
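A small crash-log triage helper for register dumps like the one quoted above, added here as an example; it is not part of the original thread or of the MoAB materials. It parses the 32-bit x86 thread state and flags registers that hold a repeated fill byte (0x41414141) or a planted marker such as 0xdeadbabe, which is the signature of a saved stack frame overwritten by input and the reason the poster calls the log "not so good". The sample log is the thread's own register dump, copied with the trailing "(hello deadbabe!)" aside removed; the marker list and the register set are assumptions of this example.

```python
import re

# Constructed sample: the register state quoted in the crash log above,
# with the poster's "(hello deadbabe!)" remark dropped from the ebp line.
CRASH_LOG = """\
Exception: EXC_BAD_INSTRUCTION (0x0002)
Code[0]: 0x00000001
Code[1]: 0x00000000
Unknown thread crashed with X86 Thread State (32-bit):
eax: 0xffffffff ebx: 0x41414141 ecx: 0x900012f8 edx: 0xffffffff
edi: 0x41414141 esi: 0x41414141 ebp: 0xdeadbabe esp: 0xbfffd628
ss: 0x0000001f efl: 0x00010286 eip: 0x918bef3a cs: 0x00000017
ds: 0x0000001f es: 0x0000001f fs: 0x00000000 gs: 0x00000037
"""

# Only the general-purpose registers matter for this triage; segment and
# flag registers are ignored.
REG_RE = re.compile(r"\b(e[a-d]x|e[sd]i|ebp|esp|eip)\s*:\s*0x([0-9a-fA-F]{8})")
EXC_RE = re.compile(r"^Exception:\s*(\w+)", re.MULTILINE)

# Marker values a proof-of-concept typically plants; an assumption of this
# example, extend as needed.
MARKERS = frozenset({0xDEADBABE, 0xBABEFACE, 0xDEADBEEF})


def parse_registers(log_text):
    """Return {name: int} for the 32-bit general registers in a crash log."""
    return {m.group(1): int(m.group(2), 16) for m in REG_RE.finditer(log_text)}


def looks_attacker_controlled(value):
    """True if the value is a planted marker or a repeated fill byte.

    All-0x00 and all-0xFF words are excluded: they are common legitimate
    values (NULL, -1) and would produce false positives.
    """
    if value in MARKERS:
        return True
    b = value.to_bytes(4, "big")
    return len(set(b)) == 1 and b[0] not in (0x00, 0xFF)


def triage(log_text):
    """Classify a crash log by which registers carry input-controlled values."""
    regs = parse_registers(log_text)
    controlled = sorted(r for r, v in regs.items() if looks_attacker_controlled(v))
    exc = EXC_RE.search(log_text)
    exception = exc.group(1) if exc else "unknown"

    # Callee-saved registers are restored from the stack on return, so fill
    # bytes in them mean the saved frame itself was overwritten.
    callee_saved = sorted({"ebx", "esi", "edi", "ebp"} & set(controlled))

    if "eip" in controlled:
        verdict = "control-flow hijack: eip holds input-controlled value"
    elif "ebp" in controlled or "esp" in controlled:
        verdict = "stack frame overwritten: saved ebp/esp under input control"
    elif callee_saved:
        verdict = "callee-saved registers overwritten from smashed frame"
    else:
        verdict = "no input-controlled registers seen"

    return {
        "exception": exception,
        "controlled": controlled,
        "callee_saved_smashed": callee_saved,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, val in triage(CRASH_LOG).items():
        print(f"{key}: {val}")
```

The same parser runs unchanged over any 32-bit CrashReporter thread-state block; a crash whose eip itself holds 0x41414141 is the case to treat as most urgent.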
Apple does respond to security concerns on their platform, while MS has little motivation to do so.
I'm afraid you're showing some ignorance - MS releases security patches and updates even more frequently than Apple. On the other hand, neither patches holes as aggressively as most Linux distributions or even the programmers of the open source CMS system I use.
Clear, Dark Skies
Apple routinely patches much more serious bugs at the OS level so I don't understand what all the fuss is about. The fact remains that the security situation in Windows was so ludicrous that an unpatched Windows machine would be compromised within minutes of being connected to the internet. It forced Microsoft to drop everything and perform a security sweep of all their existing software, causing the highly visible delays in products such as Vista and Visual Studio 2005. And the security procedures in place now at Microsoft ensure that future software development will continue to proceed at a snail's pace.
It's simply about market share and nothing else. At the end of the month Windows' security problems will still exist while Mac users will continue to not have to worry about spyware and viruses, all of which really negates the stated intent of the Month of Apple Bugs exercise.
ENDUT! HOCH HECH!
11 months out of the year are the "Month of Windows Bugs" but your dad thinks OS X is less secure because of this?
Clear, Dark Skies
I just recently learned more about this:
Yes, you can assume that when a given application loads into memory the various components will end up in the same addresses every time.
Think about it - in a virtual memory system, memory addresses are rewritten so that the application thinks it has all of memory to itself, even though it doesn't. So, even if the physical location the application gets loaded to is probably different every time, the virtual addresses are almost always going to be the same.
So, how do you defend against this? Apparently, newer operating systems, including Vista and XP (I think?) have a randomizing function that changes the virtual addresses around so that they are different every time the program is loaded. This helps make this kind of exploit harder - although I suspect there are still ways to do it.
Clear, Dark Skies
How does this indicate that Windows is "more secure" despite the fact that it is compromised so often by comparison?
Where the hell did I say Windows is more secure than OS X? When did I say that frequent updates are a measure of security?
Work on that reading comprehension, would you?
Clear, Dark Skies
This isn't a pissing contest; pointing to the insecurity of Windows doesn't make OS X secure - the point is that Apple can and should do more to secure OS X.
This is actually an opportunity for Apple to win some hearts and minds - both from the security community and from users at large. If they go after these holes and patch them aggressively then their reputation can only be improved. If, instead, this month simply becomes "the month of fanboys attacking security researchers" you can expect Apple to lose some of its polish.
Clear, Dark Skies
The problem is from what happened last year during the "month of kernel bugs" - that website was dedicated to exposing problems in all popular operating systems - which was all well and good and interesting and useful - but when they published Apple bugs they apparently collected a lot of hate from Apple users.
Apparently they collected enough hate from various Apple blogs and users that it motivated them to create this second site.
Clear, Dark Skies
As long as their choice of third-party apps includes only fairly widespread apps, I won't complain. But if they start to find problems in some random odd shareware app that the vast majority of even technically-inclined Mac users don't use, then they'll be pushing it. (MS Office for Mac, fine. Photoshop, fine. FireFox, fine. Delicious Library, borderline. Missing Link, borderline. BonEcho, sorry, no.)
Another non-functioning site was "uncertainty.microsoft.com."
The purpose of that site was not known.
You were responding in a thread discussing the relative security of Windows and OS X
Ummm... No. I started this thread by describing Apple's relationship with security researchers as troubled. Any attempt to drag Windows into it was done by you.
You know, it says something about your own biases that I can say "Linux and OS X" and you read "Windows".
Then I argued that, "Apple does respond to security concerns on their platform, while MS has little motivation to do so" to which you responded with, "MS releases security patches and updates even more frequently than Apple." If you weren't addressing my point, what were you trying to say?
I, in fact, exactly responded to your point - you made a ridiculous claim, that MS does not respond to security issues. First, this has nothing to do with whether or not Windows is more secure than OS X. Second, your statement is quite obviously false, because MS has spent a vast amount of energy trying to fix the security issues in their operating system.
So, seeing how you can't correctly parse other people's statements, and you apparently don't even understand the illogic of your own statements, I can't see the point in continuing this discussion.
Clear, Dark Skies
Does the exploit actually work as stated? Forget the politics and point scoring - has anybody actually made this exploit work? That's important, right?
Although I've never seen any hard numbers on how much pre-binding improves things; as a developer it has given me serious problems because it complicates how shared libraries are built.
Clear, Dark Skies
The *demo* crashes by simply trying to jump to the address "0xbabeface". The point is that if they wanted to, they could have used a more dangerous payload, like a virus.
Heh. If they had released a demo that actually did something nasty, now *that* would have been irresponsible.
Clear, Dark Skies
Yeah, but throwing chairs has never been Steve Jobs' style.
Everything I needed to know about life, I learnt from Blake's Seven
childishness to the whole MOAB thing. But not just on LMH's side (note - I'm not accusing you of this).
I'm a semi-active follower of security websites and podcasts, and it's pretty evident: somebody does the "Month of Browser Bugs" and everyone claps, they do the "Month of Kernel Bugs" and everyone claps - except Apple users. When MOKB published Apple problems, the backlash was nasty, with lots of the old "you're destroying my security by telling people about these security holes" nonsense. That nasty reaction is exactly what led to the current Month of Apple Bugs.
And, like it or not, Apple has to deal with the PR problems created by random bloggers spewing garbage - whether they are fanboys or hackers.
Clear, Dark Skies
Actually, I think a better analogy would be if the lock on the car door was broken in some way, and someone were going around shouting "Hey, you can open this car door if you do this" and then demonstrating the technique to open the door.
The difference is that the owner would need to take the car in to the dealer to get it fixed (a patch) or they would have to devise a method to keep from getting ripped off while waiting for the dealer to come up with a fix (a workaround).
That analogy also helps to explain why it is unethical to announce the flaw before the vendor has an opportunity to try to fix it. It isn't the user's fault that the door lock has a design flaw, but the user will be affected by getting their stuff ripped off. If it is reported to the car manufacturer, then they can come up with a fix and recall the car for a repair, hopefully before a lot of users get ripped off.
I tracked down the issue and created a runtime fix using Unsanity's Application Enhancer. The overflow is in the QuickTime Streaming component's INet_ParseURLServer() function -- the fix patches that function and pre-validates the URL before passing it off to the real function implementation. If the URL is too long, the patch replaces the Evil URL with a benign, but invalid one, and then calls the original function.
It's worth noting that disabling RTSP, as noted elsewhere, is not sufficient -- there are other vulnerable entry-points to INet_ParseURLServer(), as it is used for generic URL parsing.
More information is available here:
http://www.unsanity.org/archives/mac_os_x/the_month_of_trolly_trolls_and.php
and the patch (with source!) can be downloaded here:
http://landonf.bikemonkey.org/code/macosx
You can test the fix (make sure to log out and log back in after installing APE!) in Safari (or Firefox) by visiting this URL:
http://landonf.bikemonkey.org/static/rtsp_crash.html
If you're using Safari, QuickTime should display a "bad address" error once the patch is installed. If the patch isn't installed, Safari will crash.
http://plausible.coop
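The pre-validation that the fix above describes, written out as an added C example (this is not the APE patch's own source, which is at the link given in the post): a wrapper bounds the URL length before handing it to the parser, and substitutes a benign but invalid URL when the input is too long. MAX_URL_LEN, the stand-in parse_url_server() and the replacement URL are constructed for this example; the page does not state the real buffer size inside INet_ParseURLServer().

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed placeholder: the page does not give the real buffer size in
 * INet_ParseURLServer(), so this limit is arbitrary. */
#define MAX_URL_LEN 256

/* Benign but syntactically invalid URL substituted for oversized input,
 * following the approach the fix describes (value constructed here). */
static const char BENIGN_URL[] = "rtsp://invalid/";

/* Stand-in for the real parser: extracts the server part of
 * scheme://server[:port]/path into a fixed buffer. Unlike the vulnerable
 * original it is bounds-checked, so the example is safe to run. */
static int parse_url_server(const char *url, char *server, size_t serverlen)
{
    const char *p = strstr(url, "://");
    if (p == NULL)
        return -1;
    p += 3;
    size_t n = strcspn(p, ":/");          /* server ends at ':' or '/' */
    if (n == 0 || n >= serverlen)
        return -1;
    memcpy(server, p, n);
    server[n] = '\0';
    return 0;
}

/* The guard: anything longer than MAX_URL_LEN never reaches the parser;
 * the benign URL is parsed instead. *replaced reports whether that happened. */
bool guarded_parse_url(const char *url, char *server, size_t serverlen,
                       bool *replaced)
{
    bool oversized = strlen(url) > MAX_URL_LEN;
    if (replaced != NULL)
        *replaced = oversized;
    return parse_url_server(oversized ? BENIGN_URL : url, server, serverlen) == 0;
}

/* Builds a constructed oversized URL: the rtsp scheme followed by a run of 'A's. */
void build_oversized_url(char *buf, size_t buflen)
{
    const char prefix[] = "rtsp://";
    size_t plen = sizeof prefix - 1;
    memcpy(buf, prefix, plen);
    memset(buf + plen, 'A', buflen - plen - 1);
    buf[buflen - 1] = '\0';
}

/* Checks returning 1 on the expected outcome, 0 otherwise. */
int check_normal_url(void)
{
    char server[64];
    bool replaced;
    if (!guarded_parse_url("rtsp://media.example.com:554/live",
                           server, sizeof server, &replaced))
        return 0;
    return !replaced && strcmp(server, "media.example.com") == 0;
}

int check_oversized_url(void)
{
    char url[MAX_URL_LEN + 200];
    char server[64];
    bool replaced;
    build_oversized_url(url, sizeof url);
    if (!guarded_parse_url(url, server, sizeof server, &replaced))
        return 0;
    return replaced && strcmp(server, "invalid") == 0;
}

int main(void)
{
    printf("normal URL handled: %s\n", check_normal_url() ? "yes" : "no");
    printf("oversized URL replaced: %s\n", check_oversized_url() ? "yes" : "no");
    return 0;
}
```

The wrapper only enforces a length bound, which is the property the post says the runtime patch checks; any parser reachable through other entry points (the post notes INet_ParseURLServer() is used for generic URL parsing) would need the same guard in front of it.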
I'm really enjoying being attacked by multiple people for pointing out that the security researchers and Apple don't get along - and that Apple's users are part of the reason. You're really going out of your way to prove me right, aren't you? The insinuation that I think this somehow makes OS X less secure is pure gravy.
And, no, you're wrong - Apple's market share has a direct effect on the security of the OS, because it reduces the likelihood they will be targeted; which is why I gave Macs to my kids, wife and mom.
Clear, Dark Skies
After having used Macs since (literally) Finder 1.0 it's a little bewildering to be attacked as pro-microsoft.
Clear, Dark Skies
Yeah, people who can't support their arguments often retreat.
Seeing how you want me to support arguments I never made, I don't see how I can.
Do you find spewing hostility on slashdot to be cathartic, or are you like this in real life, too?
Clear, Dark Skies
For my father, it's a question of insecure and business as usual, or a big risk to go to another insecure OS. If Linux or Mac OS looked solid, secure, fiscally reasonable, and usable, it would be much easier to persuade him. (I talked him into trying out Open Office at least.. progress!)
The problem is that the decision makers, the majors, the real movers and shakers, are not young technologists. They don't have the time or interest that I have to pick up and play with it just for fun. It's not as simple for him to say "hmm, mac is making some nice laptops and dell's laptops have been sucking wind, let me give it a try" when it has to work or cost him real $$$. I know that *I* can make any machine running any OS do what I need to get my work done, he can't make that same assumption, and he can't risk bringing that kind of instability in along with a change - he's not responsible if the status quo sucks - that's to be assumed - but if he says "here try this" and it breaks - it doesn't matter that the old system used to break, the one he gave you broke. It's his fault, he should be fired. And so it goes.
You can attack the message if you want - but I've done that gig for 10 years, trying to persuade purchasers to diversify their OS base to avoid vulnerability, only to receive confused or upset stares. When all the person you provide your service to can think of is "change is bad" the message can't be mixed - the new must be better than the old on as many fronts as possible.
-GiH
There's so much blather on the security sites about it, it's hard to even get a clear time line let alone a canonical recitation of the facts. As I mentioned elsewhere, the guys who originally published this exploit clearly mangled the disclosure; and now there's so much pointless hostility around the whole process that the entire subject has become poisoned.
That's why I mentioned in another post that it's possible for Apple to spin this whole process their way - if they make nice and aggressively pursue these bugs, they have a chance to pull a PR win out of this. If they allow the poison pen atmosphere to continue, I think they're looking at more trouble down the road.
I'd really prefer Apple got into the habit of treating security issues as aggressively as the Linux distros do than end up being treated with the same contempt we have for Windows.
Clear, Dark Skies
Have you considered exposing him to Security Now? Not to get him to convert to Mac, but simply to help him get informed about how bad computer security is these days.
I'd suggest PaulDotCom but he'd probably have a heart attack if he found out the kind of stuff IT guys get up to when looking for security problems in their networks.
Clear, Dark Skies
There are many ways to crash applications, but not as many ways to actually take advantage of the crash to execute arbitrary code - I have yet to see a post from any Mac users who in fact were able to make this exploit work.
Until we see confirmation that people get anything but this crash, there is no exploit demonstrated, just a way to crash Quicktime.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
I just tried this on my MacBook Pro using the provided QTL files and ruby scripts, but none of them seem to have the claimed effect. Anybody else already tried this?
I could not. And only one person I know could. Other people had to heavily modify the script and run QT Player in gdb along with some other voodoo to get it to exploit properly. Doesn't seem like this will cause much harm.
Either way, a third party developer already fixed this crasher.
Well, actually, it's not like that either. It's more like a group of people carefully and surreptitiously prodding at a bank vault door every night for months. Then, one day, they open the door to the fullest while the light is out and shout your phrase. Most consumers wouldn't be amused. Most would wonder why this group was working under secrecy, rather than the openness they claim to support. Most would wonder why they're shouting (they were silent for months). Welcome to the paradox of information awareness in the 21st century.
Certainly not that Apple is hard to work with. If you actually read what I said, I said that Apple has a troubled relationship security researchers and that part of it was due to Apple's users and part of it was due to the researchers themselves. At which point did I blame Apple for anything?
Going back to market share - we're talking about two different things, I think. Yes, the number of holes is unrelated to market share - but the ability of an exploit to propagate in the field is directly affected by it.
Consider two diseases that are passed by physical contact. The first disease affects 90% of the population, but 10% are immune. Such a disease will spread quickly, simply because of the likelihood of physical contact between people who are vulnerable.
By contrast, the second disease only affects 10% of the population, and 90% are immune. This disease will spread very, very slowly because it is much less likely for vulnerable people to make contact. While this isn't the same as true immunity, it has a similar practical effect.
Clear, Dark Skies
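The contact argument in the post above, run as an added C simulation (a constructed model, not something from the post): a population of hosts of which a given percentage is susceptible, one initially infected host, and each infected host making a fixed number of random contacts per round, infecting any susceptible host it touches. HOSTS, CONTACTS_PER_ROUND, ROUNDS and the seed are assumptions chosen for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOSTS 10000            /* assumed population size */
#define CONTACTS_PER_ROUND 3   /* assumed random contacts per infected host per round */
#define ROUNDS 20              /* assumed length of the simulation */

enum { IMMUNE = 0, SUSCEPTIBLE = 1, INFECTED = 2 };

/* Returns the number of hosts infected after ROUNDS rounds, starting from a
 * single infected host. vulnerable_percent is the share of the population
 * that can be infected at all (the post's 90% vs 10%); the rest is immune,
 * i.e. not running the affected software. A fixed seed keeps runs reproducible. */
unsigned simulate_spread(unsigned vulnerable_percent, unsigned seed)
{
    static unsigned char state[HOSTS];
    static unsigned char next[HOSTS];
    unsigned infected = 0;

    srand(seed);
    for (size_t i = 0; i < HOSTS; i++)
        state[i] = ((unsigned)rand() % 100 < vulnerable_percent) ? SUSCEPTIBLE : IMMUNE;

    /* patient zero: the first susceptible host, if there is one */
    for (size_t i = 0; i < HOSTS; i++) {
        if (state[i] == SUSCEPTIBLE) {
            state[i] = INFECTED;
            infected = 1;
            break;
        }
    }
    if (infected == 0)
        return 0;

    for (int round = 0; round < ROUNDS; round++) {
        memcpy(next, state, sizeof state);
        for (size_t i = 0; i < HOSTS; i++) {
            if (state[i] != INFECTED)
                continue;
            for (int c = 0; c < CONTACTS_PER_ROUND; c++) {
                size_t j = (size_t)rand() % HOSTS;   /* one random contact */
                if (next[j] == SUSCEPTIBLE) {        /* immune or already hit: no effect */
                    next[j] = INFECTED;
                    infected++;
                }
            }
        }
        memcpy(state, next, sizeof state);
    }
    return infected;
}

int main(void)
{
    printf("90%% vulnerable: %u of %d infected after %d rounds\n",
           simulate_spread(90, 1), HOSTS, ROUNDS);
    printf("10%% vulnerable: %u of %d infected after %d rounds\n",
           simulate_spread(10, 1), HOSTS, ROUNDS);
    return 0;
}
```

With these parameters each infected host's expected number of new infections per round is CONTACTS_PER_ROUND times the susceptible fraction, so the 90% population saturates within a handful of rounds while the 10% population is still in the low hundreds after twenty, which is the "similar practical effect" the post describes.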
these so-called security researchers, who pay more attention to bloggers and posters than to the real issue.
They need to do the right thing, not the cute thing, and not do what is simply a glib response to their offended sensibilities.
This is not about just MOAB, it easily applies to these guys' behavior in the whole series.
That any platform's fanboys make LMH pout is no excuse to act like a punk, poke the OS with a stick, and show the public how to take down said OS.
What made MOAB happen is LMH's decision to execute it in exactly this fashion.
I can't fault bloggers or posters for simply spewing their opinion. Everyone does. That's what blogs and forums are about, some happen to be polished enough to withstand the light of day, but most aren't. That's not what security research is about, so it's incumbent upon these alleged security professionals to act as such and do this through regular, responsible channels if they expect anyone, Apple included - to take them seriously.
Apple's not basing their security actions on the demeanor of whiney mac fanboys - neither should these researchers.
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
Or is it possible that this entire exercise in revealing these obscure exploits is being funded by those in Redmond to attempt to slam Apple for their product in a lame attempt to get people interested in using VISTA?
That's not exactly evidence, is it? It's not even hearsay (which is a kind of evidence, according to Lionel Hutz).
I don't normally respond to my own posts, but two people modded this as "troll?" I'd love to hear an explanation of the logic behind that moderation.
I disagree. Black hats are interested in illegally profiting from vulnerabilities. White hats are interested in legally and ethically benefiting from vulnerabilities. Grey hats are interested in benefitting from security exploits in ways that are unethical and questionably legal.
In what way is full disclosure unethical? How is what MOAB is doing of questionable legality?
The answers are both "It's not."
This is a classic win-win situation. The researchers get their publicity. Apple gets good PR for writing patches as they come in. Hell, Apple gets free labor from the researchers. The customer gets a more secure operating system.
After all, I am strangely colored.
How can Apple's *users* be affecting the relationship between Apple and security researchers?
I could understand if you claimed Apple's management affected that relationship, or that Apple's history affected the relationship, but I can't see how an unconnected third party can change the way two other parties relate. The users make a lot of noise, but I don't see how that affects security researchers or Apple, if either of them are professional.
I'm happy to be wrong on this, but you need to show something more substantive that a bald statement.
It's because they are full of shit.
The second "bug" is a remote execution flaw in VLC, without privilege escalation. It's platform independent, for that matter. VLC is buggy; and the only "neat" thing about a VLC flaw on OS X would be if it gave you root, but it doesn't.
It's a publicity stunt, and if the remaining bugs are as pointless as this VLC one.... well, it's idiotic.
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
You can see it happening in this very article.
1. Security researcher publishes Mac OS X vulnerability. Just as (s)he would a Linux or Windows bug.
2. Researcher is immediately attacked by hundreds of rabid Apple fanboys, who act as if Researcher tried to nail them to a cross.
3. Researcher gets pissed off. Every Linux user and other computer professional who understands the state of computer security gets pissed off.
4. Apple now has a public relations problem as multiple individuals decide they need to poke smug Apple users with a sharp stick to show them they aren't as smart as they think they are.
How hard is this to understand?
Try listening to various security podcasts; especially pauldotcom - they don't mind OS X because they know it's just another flavor of Unix and just as secure (and insecure) as any other flavor of Unix. But they all absolutely hate people who *use* OS X and consider us all to be smug pricks who wouldn't know a security hole from their bung hole.
Clear, Dark Skies
Nothing like being mature about it...
So, basically, your point is that they are bad because they weren't superior to all the people who attacked them?
I'm sorry, I still don't understand what the fuss is about. I'm a member of news feeds and podcasts that publish vulnerabilities every day for Linux, Windows, Apache, Drupal, MySQL, and so on. But for some reason many Apple users think they should be exempt from this process and behave badly when no one else agrees with them.
Clear, Dark Skies
Oh, I get it now. You're saying that security researchers are unprofessional... Funny, I'd have thought the real security researchers would go through the normal channels
Dear Lord. Pompous *and* ignorant.
I'm sorry; but as I've mentioned elsewhere, publishing vulnerabilities on a website or a newsfeed is "normal channels". Often, when you're talking about people who are used to the FOSS scene, they are the only channels.
I regularly get warnings about unpatched security holes in Ubuntu, Drupal, and more. I've never seen Ubuntu users get pissed because someone warned them about a security hole. Usually we just gratefully check to see if we're exposed and do whatever we have to do to protect against the problem until a patch is found.
Clear, Dark Skies
But the coward is right, using APE to patch function entry points really isn't the way to go; Apple needs to fix it themselves.
:-P
I have to say, though, I am impressed that you apparently saw more into this problem that the MOAB guys did - the way the bug report is written they didn't realize it was a general exploit against all quicktime URLs.
On the other hand, maybe they *did* realize it was a general URL validation bug and they were hoping to get several days of "Apple Bugs" out of it.
Clear, Dark Skies
In the instant after reading this sentence, your next action will be: intentionally and willfully refraining from gifting me one million dollars, by the specific process of contacting me at synaptik_slashdot@yahoo.com so that I can reply to your email with a paypal account by which you can tender your payment of the one million dollars, payable to the name that I will also disclose therein.
Hmm. Since you've now read the above, but I haven't received the one million dollars from you, I can only assume that my prediction of your subsequent action ("intentionally and willfully refraining from gifting me one million dollars") came true, and thus I have met the requirements of your offer.
Therefore, please contact me at synaptik_slashdot@yahoo.com so that I can reply to your email with a paypal account by which you can tender your payment of the one million dollars, payable to the name that I will also disclose therein.
HSJ$$*&#^!#+++ATH0
NO CARRIER
From what I've read, nobody knows who LMH is. Now, how much weight do you really want to put behind an initiative being run by somebody who won't reveal his/her name? If you are making security issues public and want anybody to take them seriously, tell us who you are and what credentials you have that call for the tech community to take you seriously. Until then, to me you are a bozo out for attention.
Government's idea of a balanced budget: take money from the right pocket to balance...oh who am I kidding?
Guys
A security researcher has to be professional about how they release their information.
1) Who died and left you to decide what "professional" means?
2) How, exactly, do you know that they haven't tried informing Apple first? If you were actually familiar with the issue you would know that they have been complaining about Apple being unresponsive since last year.
So, again, I stand by my insults. You pompously assert that you are the arbiter of "professional" behavior and you ignorantly claim that they never tried to go through "normal" channels without bothering to find out if they have or not.
Clear, Dark Skies
Well, if the rest of the so-called "bugs" are crap like the VLC one, we could slashdot them into oblivion, just have teams constantly taking the site down for the whole month. It's what we do, isn't it?
Do not meddle in the affairs of dragons for you are crunchy and good with ketchup.
MOBB - Established and run mainly by HD Moore (who most people seem to accept does things relatively well). Moore also withholds the nastiest of exploit code (despite giving sufficient detail on how to go further), makes an effort to pre-notify the vendors, and generally does enough to be seen as one of the 'Good Guys'.
MOKB - The spate of wireless driver vulnerabilities and associated linked exploit code at first glance seems to be a follow on from the Secureworks debacle at the Black Hat Briefings (and so probably draws more of the vicious responses). There are decreasing levels of vendor notification and more cases of complete exploit code readily available. At least one of the vulnerabilities and associated exploit code is publicly torn apart by another researcher (who also suggests that the original researchers need more time learning to interpret the debugger output).
WOOB - Relatively unknown researcher tries to spend the first week of December releasing Oracle bugs and previously-unknown Oracle 0-day code. It is assumed by many that Oracle applied legal pressure to stop the process (numerology fans might want to check out the binary code behind the message cancelling the project, and compare it to the text of the message).
MOAB - LMH (capabilities now established due to participation in MOKB) and KF set out to release exploit code and vulnerability details for issues that have not been previously notified to the vendor (as the FAQ clearly states). Most observers are quite willing to wait and see something come out that targets OS X specifically (despite being called MOAB). With the first vulnerability being a problem with protocol handling in a media codec (installed by default), and the second a protocol handling problem in cross-platform software that is not even shipped with OS X, many observers are starting to question the capability of the researchers (and that is coming from people within the industry, not necessarily OS X fanatics).
When you are going to target something that is protected / supported by fanatical and vocal supporters, you really need to make sure that what you provide is bullet-proof and can stand up to criticism, else it will end up in a quagmire of flaming. Guess what hasn't happened so far?
InfoSec that matters, when it counts.
In what way is full disclosure unethical?
Full disclosure that is intentionally delayed for a period of time exposing users to risk during that time is certainly unethical, especially when you are financially benefitting from that delay.
This is a classic win-win situation.
Okay you found a potential security hole. Should you A) contact Apple and give them time to fix it before letting all the malware authors know about it? B) release it immediately so that people are aware and can fix it and so Apple is pressured to start work right away? or C) don't tell Apple or the public but sit on the bug until the day it will generate the most publicity for you personally?
In a given situation I can see either A or B as a viable option. If Apple is slow to fix bugs that aren't public and you think the bug is probably being exploited in the wild, sure full disclosure might make sense. Of course Apple has a pretty damn good record in that regard (the last bug fix was released 10 days after Apple was told of the bug) and there is no evidence that either of the "vulnerabilities" announced so far is being actively exploited. What argument can you make to defend option C? If Apple can't work on a fix and the public can't act to defend themselves you've managed to combine the drawbacks to both of the above without any benefit to users. You've made the platform just a tiny bit less secure, in order to get PR. That is unethical and irresponsible.
You'll note that it's the "Month of *APPLE* Bugs," not the month of OS X bugs.
Sadly the second bug announced is in VLC, which is not made by Apple at all, but merely runs on OS X as a platform. So those bitching were correct, but premature.
An example QTL file exploiting this issue (pwnage.qtl) is available (it will say 'happy new year' via /usr/bin/say, and expects the command string to be located at 0x17a053c, tested on Mac OS X 10.4.8 8L2127, x86 architecture). If it doesn't work on your system, use the exploit to generate another QTL with your own options or the shell spawn variant (pwnage-shell.qtl, 100% reliable for a current up-to-date x86-based OS X system).
Clear, Dark Skies
It's on the front page of the main site which, for some reason, isn't the web site the code is on:
http://applefun.blogspot.com/
Clear, Dark Skies
Microsoft is not performing due diligence and is quite frankly not giving customers what they want.
Microsoft's attitude to security is criminal. They have refused to even consider fixing the underlying problems that are celebrated many times a year with new "cross zone" attacks... even maintaining the broken design responsible in the face of having the company broken up by the justice department.
That's a security hole that's getting its 10th birthday this year.
"Now comes the fun, if a bug is reported to Apple how long do they get to fix it? Who will determine when enough time has passed?"
Well, I believe the last serious security hole reported to them was fixed in 10 days, which is pretty good turn around for development and QA.
Apple: 10 days.
Microsoft: 10 years.
That's fair.
There is a buffer overflow.
Yes, but not all buffer overflows can lead to code exploits. This particular exploit relies on the buffer overflow exactly hitting a specific memory address, that does not appear to always be where they were thinking it was - rendering the attack as is useless (as noted it does not work on my MacBook).
You can be forgiven for not understanding the full implications of a buffer overflow from the sensationalistic approach the media has taken, where every buffer overflow is a guaranteed entry into the darkest heart of your system. Next time don't be so afraid of what you don't know or understand.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
I want to point one thing out, though. The rtsp hole *does* exist on all Macs, MOAB just screwed up their demo of it. If you look at the fix that was posted here, the author of the fix identified the function affected.
In my mind, that's the worst thing about all this because the MOAB people have effectively damaged their reputation and confused the issue about a serious security hole.
Clear, Dark Skies
Well, aren't you just a wet blanket, ruining all our fun! :-D
(porkchop goes to sit in the corner, facing the wall)
Clear, Dark Skies
I actually wish they had reported this a year or two ago - if you dig into the bug, they link to an in-depth analysis of how the malloc system works and I could have really used that when I was porting some software from Linux to OS X; I spent weeks working out how to trick the Mac libc into letting me pin user memory for DMA operations.
Clear, Dark Skies