Month of Apple Bugs - First Bug Unveiled
ens0niq writes "The first bug (a Quicktime rtsp URL Handler Stack-based Buffer Overflow) of the Month of Apple Bugs has been unveiled — as previously promised — by LMH and Kevin Finisterre. From the FAQ: 'This initiative aims to serve as an effort to improve Mac OS X, uncovering and finding security flaws in different Apple software and third-party applications designed for this operating system. A positive side-effect, probably, will be a more concerned (security-wise) user-base and better practices from the management side of Apple.'"
Credit line removed by the editor, but i found this report on HUP.
Could you give some examples of Apple suing people to cover up security holes then?
These people are doing Gray Hat hacking, where, like the White Hats, their goal is not to do damage to other people's computers, but, like the Black Hats, they feel that people need to feel a little pain before anything can get done, and that just reporting the problems to the company is not effective enough to get it done. It falls in the range of legal hacking, but it may not be the most moral way of doing it. It is like finding a car door open and yelling out "Hey, this car door is open and all the valuables are inside, someone should lock it!" vs. finding the person who owns the car and discreetly telling him that it is unlocked. Or just locking the door yourself.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
This isn't a problem because it has been proven that only Windows can get viruses. Therefore, because it's not possible for viruses to spread with MacOS, security threats are irrelevant.
Please, try the veal.
Slashdot Burying Stories About Slashdot Media Owned
"The problem with so-called 'responsible disclosure' is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial."
Is Apple as bad as MS when it comes to fixing security flaws? Is there really a need to show how "insecure" OS X is? Or is this more a "you're going to start listening to security experts when they have something to say or else..." type situation. I did read the FAQ but they really don't show any evidence to prove why this is a good thing, how this will improve OS X security, or how Apple has been unwilling to fix flaws in the past.
They could be 1000% right, but on the surface I just don't see anything which either confirms or denies their theory. It would be nice to at least read some sort of history of how Apple has interacted with Security researchers in the past.
If you wanna get rich, you know that payback is a bitch
I just tried this on my MacBook Pro using the provided QTL files and ruby scripts, but none of them seem to have the claimed effect. Anybody else already tried this?
-Eric
SJW: Someone who has run out of real oppression, and has to fake it.
It's more like finding a bank vault open and shouting out, "Hey, everyone, this bank has left its vault open with your money in it."
I wish to remain anomalous
If they were truly interested in "improving MacOS X" or "improving practices on the management side of Apple" then they would release these bugs to Apple first. Don't wait an insane amount of time, but give them a nice reasonable amount of time to fix the bugs. Heck, even tell them you plan on releasing them on thus and so date and start the month *then*, giving props to Apple for those they have fixed.
Integrate Keynote and LaTeX
This analogy sucks because a guy leaving his door unlocked doesn't normally affect others and there is no need to publicize it.
Gray Hat hacking is like discreetly telling the guy that his car door is open, waiting for a while to give him a chance to lock his door, then yelling "Hey This Car Door is Open and all the valuables are inside". The most hotly debated item is how long the waiting part of "waiting for a while to give him a chance" should be because there is no clear consensus on how long it should be. Vendors believe that the waiting time should be until the vendor announces the vulnerability, which may be 'never'. Some Gray Hats believe that a vulnerability should be publicized as soon as it is discovered.
The biggest issue is that vendors rarely say how to report security vulnerabilities in a way that the vendor will acknowledge that it has been made aware of the potential vulnerability. This lack of acknowledgment is the primary reason for Gray Hats having to publicize the vulnerability. Another big issue is that security engineers live and die by being the first to report a vulnerability -- and vendors don't usually give credit to the engineer who reported the vulnerability to them. Even if a patch for a serious vulnerability is released the vendor may not even acknowledge that a serious vulnerability has been patched.
Have Apple sued a whistleblower or someone who has reported a security issue? EVER?
Or is the parent just full of lies, FUD and other unpleasant and damaging stuff?
- Henrik
- when the Shadows descend -
Not exactly. First, in this case they are not going to the manager first; they are going to the public about it first.
Next, a bad guy may not have the key, but once he knows the key is missing he will start looking around for the guy who found the key and take it away from him. It is more like the key is hidden under the welcome mat, and the guy found it one day, then blabbed about it to everyone, even outside the apartment.
As a landlord myself I know some jobs can't be done right away. Some things, especially changing all the locks, take time, including finding the residents and giving them the new key before they leave, so you can change their locks. Also the time to fix all the locks, dealing with people who think their lock should be replaced first, others who love their lock so much they don't want to change it. Some people cringe in fear when the landlord knocks, figuring they will evict them in the blink of an eye (even though it is expensive to leave a room vacant).
I tried the exploit... doesn't work on my MacBook.
Apple has had poor relations with security researchers for years.
Actually, Apple has had pretty good interactions with security researchers in general, in my experience. Being a huge PR magnet, however, they also manage to attract showboaters trying to capitalize on the popularity they can get by behaving in a less than reasonable manner. The wireless exploit you cite, for example, turned out to be hype about a problem that affected no mac in its default state, but Apple responded to it even though they were never contacted with the details of the supposed exploit and did fix several issues they found during a review of the wireless drivers they ship. Apple has done a pretty reasonable job of patching easily exploitable/wormable problems very quickly and they don't seem to be ignoring problems reported to them. One of my coworkers found a local exploit (low risk) and reported it through Apple's Website. The fix was in the next security update and even credited him. It seems like pretty good relations with the security researcher community to me.
As for the Month of Apple Bugs, it is more of the same. Sure these guys could report Apple bugs to the normal channels and they'd be fixed fairly quickly and overall security would benefit. That, however, won't make the news. So instead of reporting bugs when found, these guys are intentionally delaying releasing that info to both Apple and the public. Apple isn't pressured to quickly fix bugs if they don't even know what those bugs are. The public isn't served by bugs being fixed more quickly. Users aren't served by bugs being released to the public for possible mass exploitation without Apple ever being given a chance to patch their machines. The end result is decreasing the overall security of computing. It serves no one except the researchers who are showboating and being irresponsible.
Black hats are interested in profiting from their knowledge of vulnerabilities. These guys aren't.
I disagree. Black hats are interested in illegally profiting from vulnerabilities. White hats are interested in legally and ethically benefiting from vulnerabilities. Grey hats are interested in benefitting from security exploits in ways that are unethical and questionably legal.
They want them to be fixed and know that even the deified Apple won't allocate resources to fixing problems that have a low profile.
No, these guys want publicity for themselves. Apple has been quite responsive to security researchers and most that I know think Apple has been doing a pretty reasonable job. If you're going to argue that bugs need to be publicly released because Apple won't fix them otherwise, you need to support that assertion. Even then, what is your justification for not releasing it immediately, but doling them out more slowly? That doesn't benefit anyone but these researchers for whom it provides prolonged media exposure they hope to gain from financially.
So they're out to raise the profile of each problem.
Raising the profile of a problem makes sense, if it is being exploited in the wild or if you've contacted the vendor and they're dragging their heels while people are at risk. Otherwise, it is simply harmful to everyone involved.
Much better than using the vulnerabilities to build Mac-based botnets...
Ahh, the classic "we're not as bad as China" argument. Doing something unethical isn't made any less unethical by the fact that someone else is doing something even more unethical. These guys obviously are interested in one thing, getting themselves in the news to make themselves money.
Is it just me, or is this event well timed? A month of Apple bugs/exploits on the lead up to Windows Vista's commercial release on January 30th (the most "secure" version of Windows). Sounds sinister to me.
Q: What's worse than finding a worm in your apple? A: Finding a bug in your MAC.
The reality distortion field you cite is warping your perspective. Apple is actually not particularly litigious compared to most companies their size. To my knowledge they've never sued anyone for publicizing bugs. They don't even normally go after publications that intentionally publicize their trade secrets unless they admit having obtained those secrets from an insider Apple does not know the identity of, and in the one case of that, they sued only for the name of the informant, not for any damages against the publication. The thing is, the litigation they do engage in is often highly publicized, making it seem as though they are very litigious.
So to answer your question, if they have a reasonable grasp on reality, no they aren't worried about being sued.
The wireless exploit you cite, for example, turned out to be hype about a problem that affected no mac in its default state...
The wireless exploit did apply to Airport cards; but you are correct that researchers mishandled the disclosure - which, as I said, resulted in a lot of hard feelings on both sides.
Clear, Dark Skies
"Apple has had poor relations with security researchers for years. Partly it's because of the smug attitude of many Apple users - who assume that because they don't get attacked their OS is more secure"
Huh? Apple's users are to blame for Apple's work with security researchers?
Imagine that meeting - "Steve, I'd love to make sure we use every avenue available to us to secure the platform, but heck, our users are just thumbing their noses at the rest of the OS world, and gosh, but it's fun to see - I say let's just live with the holes." "Sounds good to me, Phil - thanks for the insight. Now, about that MacBoy Advance SP that Scooter's been working on..."
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
Microsoft is not performing due diligence and is quite frankly not giving customers what they want. They routinely sit on publicly announced bugs for long periods of time and according to people I know who have worked there less than half of the security holes they find internally are prioritized high enough to be fixed. No one is happy worms are destroying computers, but some people are happy to see MS getting bad publicity because of their actions.
Now comes the fun, if a bug is reported to Apple how long do they get to fix it? Who will determine when enough time has passed?
Well, I believe the last serious security hole reported to them was fixed in 10 days, which is pretty good turnaround for development and QA. OSes can be evaluated based upon the nature of the vulnerability, risk, and duration of exposure. For something like this, if it is easily reproducible, under normal circumstances, a couple of weeks seems reasonable. If they are constantly getting new vulnerabilities once a day, it may be longer since they might need to prioritize based upon those. Think of this from the developer's standpoint. If these guys are trying to make OS X less secure, they picked a good way. Thanks jackasses.
They haven't a big enough installed base to get the "Average user" which Microsoft has to both sell to and suffer with.
What do you mean? Apple has lots of novice users including the very young and very old attracted by their reputation for ease of use. How many people on this forum do you suppose convinced their grandparents or parents to get a mac?
When they do penetrate the "Average user" market and get into double digits of popularity then they attract attention they don't want.
There is plenty of motivation for hackers to attack OS X right now. The reason it does not happen is not the lack of motivation, but the difficulty/convenience of so doing. Smaller market share makes propagation more complex. Increased scrutiny makes exposures shorter. Many worm authors have a very windows-centric knowledge base. All of these factors may mean as OS X's market share goes up, worms become more common, but to attribute this to motivation is a mistake.
Do not underestimate the creativity and capability of the hackers out there.
I know people on both ends of the security spectrum. I'm not too worried about OS X becoming bug ridden as market share increases. In fact, I think both Windows and OS X security will increase as OS X's market share increases. The problem of security is one of motivation, but not of the motivation of malware authors, but of OS vendors. Apple needs to keep customers happy to maintain market share. Thus, if malware becomes a problem for their users they will fix it or lose money. Right now Microsoft has no such motivation, so their attention to security has been spotty at best. They don't significantly lose money when users suffer from security problems. Increasing OS X's market share might motivate them to improve security. Anyone who argues that MS or Apple is doing all they can has not been paying attention.
Partly it's because of the smug attitude of many Apple users - who assume that because they don't get attacked their OS is more secure; but part is also the researchers themselves.
So please explain to all of us why we have no viruses on the Mac yet, even with some tens of millions of fairly homogeneous computers around (same OS, same patches, much of the same hardware) in a world where botnets of even just a hundred thousand nodes bring in real money. There is financial incentive enough for the Macs to have viruses and spyware, yet they do not.
Perhaps you should instead apply Occam's Razor, and think that if in fact any given OS sees fewer attacks than another, it is actually more secure.
Of course there are holes in OS X; any reasonable Mac user realizes this. But we also know we have yet to see any real exploits in the wild. So far this effort is not really doing anything about that situation either way; if you'll read below you'll find this first proof of concept exploit does not even work!
"There is more worth loving than we have strength to love." - Brian Jay Stanley
"Apple has had poor relations with security researchers for years. Partly it's because of the smug attitude of many Apple users"
Let me just say, FUCK YOU. Seriously. And no, this is not a troll, but feel free to rate this down otherwise.
I am a Windows developer for my employer, but do most of my work off a Mac running VPC or now Parallels. When I first started doing this, I had to buy my own machine because my employer didn't feel the need to give in to my concerns. Now, half my staff do the same thing (and I run my old office).
Every so often, one of us finds a hole in the Mac, and there are proper channels to go through. Occasionally we get notes back thanking us, other times, we don't. I don't expect to be notified each and every time.
And then we have researchers like the ones that found the supposed wifi hole. That required both computers to be synch'd together. And a script to be running on the second 'hacked' computer. And a dozen other things where even the researchers admitted that with these perfect conditions, they could only gain access once in 100 times -- and that they needed the script running on the other machine because they needed something to target that they knew was going to be resident in memory. And even duplicating this in a clean room, experts were unable to replicate what the researchers had done, to the point they STILL think it's only theoretical and that the original folks had faked the test.
And then the researchers state they did it purely because they wanted to put a cigarette out in the eyes of the 'smug mac users'.
So yeah, we don't have perfectly secure machines; no one does. If the original 'researcher' had been honest and upfront about the nature of the problem and left the politics out, there would have been a LOT less He Said She Said BS. It started with the researchers before Apple or anyone else had a chance to respond. Oh yeah, that Johnny Cache is SUCH a rebel... couldn't even prove his mettle and then blamed Apple for keeping him down, all the while most other security researchers are actually THANKED by Apple publicly for finding flaws.
So again, Fuck You as I respond to a trollish post in a like manner...
I guess that depends on your definition of third party. To me, neither IE nor QuickTime is a third party application, as they are made by the same company. The differentiation that you may be looking for is whether these are core system applications or optional (secondary) applications. While both are bundled with the OS, MS has constantly said that IE is a part of the OS and cannot be removed. QuickTime and Safari can be uninstalled on a Mac. The question whether IE should be tied to the OS is another debate.
Well, there's spam egg sausage and spam, that's not got much spam in it.
The assumed known address is wrong, but it does crash quicktime on my machine.
/Applications/QuickTime Player.app/Contents/MacOS/QuickTime Player
...
:)
Snips from my crash log:
OS Version: 10.4.8 (Build 8N1051)
Report Version: 4
Command: QuickTime Player
Path:
Parent: WindowServer [57]
Version: 7.1.3 (7.1.3)
Build Version: 65
Project Name: QuickTime
Source Version: 4650000
PID: 9548
Thread: Unknown
Exception: EXC_BAD_INSTRUCTION (0x0002)
Code[0]: 0x00000001
Code[1]: 0x00000000
Unknown thread crashed with X86 Thread State (32-bit):
eax: 0xffffffff ebx: 0x41414141 ecx: 0x900012f8 edx: 0xffffffff
edi: 0x41414141 esi: 0x41414141 ebp: 0xdeadbabe esp: 0xbfffd628 (hello deadbabe!)
ss: 0x0000001f efl: 0x00010286 eip: 0x918bef3a cs: 0x00000017
ds: 0x0000001f es: 0x0000001f fs: 0x00000000 gs: 0x00000037
Not so good.
Slashdot. It's Not For Common Sense
11 months out of the year are the "Month of Windows Bugs" but your dad thinks OS X is less secure because of this?
Clear, Dark Skies
Where the hell did I say Windows is more secure than OS X?
You were responding in a thread discussing the relative security of Windows and OS X and whether or not market share was the only factor. You then made the statement, "Sonny, I write device drivers for a living, on Linux and on Mac. I assure you, the Mac isn't more secure." Since that was the first mention of Linux, I, and probably most other readers, assumed the first sentence was a statement of your credentials while the latter comment was regarding OS X and Windows. You were thus modded as flamebait, but perhaps you should have been modded as offtopic, depending upon your intention. Then I argued that, "Apple does respond to security concerns on their platform, while MS has little motivation to do so" to which you responded with, "MS releases security patches and updates even more frequently than Apple." If you weren't addressing my point, what were you trying to say?
Work on that reading comprehension, would you?
Having worked as both an editor and a professional author, I can assure you my reading comprehension is fine. Perhaps you should work on your writing skills a little and try to express complete thoughts if you want people to understand what you really mean?
I tracked down the issue and created a runtime fix using Unsanity's Application Enhancer. The overflow is in the QuickTime Streaming component's INet_ParseURLServer() function -- the fix patches that function and pre-validates the URL before passing it off to the real function implementation. If the URL is too long, the patch replaces the Evil URL with a benign, but invalid one, and then calls the original function.
It's worth noting that disabling RTSP, as noted elsewhere, is not sufficient -- there are other vulnerable entry-points to INet_ParseURLServer(), as it is used for generic URL parsing.
More information is available here:
http://www.unsanity.org/archives/mac_os_x/the_month_of_trolly_trolls_and.php
and the patch (with source!) can be downloaded here:
http://landonf.bikemonkey.org/code/macosx
You can test the fix (make sure to log out and log back in after installing APE!) in Safari (or Firefox) by visiting this URL:
http://landonf.bikemonkey.org/static/rtsp_crash.html
If you're using Safari, QuickTime should display a "bad address" error once the patch is installed. If the patch isn't installed, Safari will crash.
http://plausible.coop
And I think you're mistaken if you believe that market share directly reflects the security of a platform. The number of users has little to do with the number of exploitable bugs in it or architectural flaws. More existing bugs might be found in more popular platforms, but that doesn't prove that more exist that just aren't found in other platforms. Windows is less secure because it simply wasn't a design factor when most of it was built, that and MS went out of their way to do things differently than how existing systems like UNIX did.
I just tried this on my MacBook Pro using the provided QTL files and ruby scripts, but none of them seem to have the claimed effect. Anybody else already tried this?
I could not. And only one person I know could. Other people had to heavily modify the script and run QT Player in gdb along with some other voodoo to get it to exploit properly. Doesn't seem like this will cause much harm.
Either way, a third party developer already fixed this crasher.
It's not calling curl or the shell from memory; it appears (from the description) to be a return-to-libc attack. I am not an expert on this particular thing, but a return-to-libc attack is where you use a buffer overflow to overwrite the return address of the stack frame. Under normal circumstances, the rtsp URL parser would return to its calling function, but if an overflow overwrites the return address, you can basically rewrite the stack's memory of who called the URL parser in the first place. So, instead of returning to where QuickTime called it, your computer can be tricked into returning to a different place in memory, like somewhere in libc. Libc has all kinds of dangerous functions, namely system(3), which accepts a string as an argument (which you have also put on the stack with your buffer overflow) and will run an arbitrary program on your computer (like curl, but bash and perl and ruby can do all kinds of damage).
Of note is the fact that this exploit gets around NX, because your payload need not be executable, it merely is a return address and a string to pass into libc. Also of note is that this exploit does not cause privilege escalation; any processes started by the exploit will run under the privileges of the user who clicks on the file, and you will still get a sudo-dialog if the sploit tries to do things as wheel.
If I am misreading this exploit, please correct me. They say "arbitrary code execution" in the summary.
Don't blame me, I voted for Baltar.
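A simplified model of the runtime fix described in the Application Enhancer post above (a hook that pre-validates URL length before delegating to the original parser, and that covers every caller, not only the RTSP path), which is also the overflow the return-to-libc post explains. This is an added example, not Landon Fuller's APE patch and not QuickTime's code; the buffer size, the function and status names, the two caller functions and the replacement URL are all assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the parser's fixed stack buffer (the real value is not on the page). */
#define URL_BUF_SIZE 256
/* Constructed benign-but-invalid replacement: an empty host makes the parser report a bad address. */
#define BENIGN_INVALID_URL "rtsp:///"

enum parse_status { PARSE_OK = 0, PARSE_BAD_ADDRESS = -1 };
typedef enum parse_status (*parse_url_fn)(const char *url, char *server, size_t server_len);

/* Stand-in for the original parser. Like the real one it assumes the URL fits its stack
 * buffer; instead of silently corrupting the stack, this model aborts when that precondition
 * is violated, so any path that still reaches it with an over-long URL shows up as a crash. */
static enum parse_status original_parse_url_server(const char *url, char *server, size_t server_len)
{
    char local[URL_BUF_SIZE];
    size_t n = strlen(url);
    if (n >= sizeof local)
        abort();                       /* the real function overflowed here */
    memcpy(local, url, n + 1);
    const char *p = strstr(local, "://");
    if (p == NULL)
        return PARSE_BAD_ADDRESS;
    p += 3;
    size_t host_len = strcspn(p, ":/");  /* host ends at the port or the path */
    if (host_len == 0 || host_len >= server_len)
        return PARSE_BAD_ADDRESS;
    memcpy(server, p, host_len);
    server[host_len] = '\0';
    return PARSE_OK;
}

/* Dispatch pointer: every URL-handling entry point resolves the parser through it,
 * so repointing it covers the RTSP handler and the generic callers alike. */
static parse_url_fn parse_url_server = original_parse_url_server;
static parse_url_fn saved_original = NULL;

/* Patched entry: reject over-long input before it can reach the original's stack buffer. */
static enum parse_status patched_parse_url_server(const char *url, char *server, size_t server_len)
{
    if (strlen(url) >= URL_BUF_SIZE)
        url = BENIGN_INVALID_URL;      /* too long: hand the original something harmless */
    return saved_original(url, server, server_len);
}

void install_url_patch(void)           /* idempotent install of the hook */
{
    if (saved_original != NULL) return;
    saved_original = parse_url_server;
    parse_url_server = patched_parse_url_server;
}

/* Two distinct callers sharing one parser: disabling only the RTSP path would leave the other open. */
int rtsp_open(const char *url, char *srv, size_t n)    { return parse_url_server(url, srv, n); }
int generic_open(const char *url, char *srv, size_t n) { return parse_url_server(url, srv, n); }

/* Constructed inputs and helpers so the outcome can be checked as return values. */
static char g_long_url[URL_BUF_SIZE + 64], g_server[64];
const char *constructed_long_url(void)
{
    memset(g_long_url, 'A', sizeof g_long_url - 1);   /* "rtsp://AAAA..." longer than the buffer */
    memcpy(g_long_url, "rtsp://", 7);
    g_long_url[sizeof g_long_url - 1] = '\0';
    return g_long_url;
}
int demo_normal_url(void) { return rtsp_open("rtsp://media.example.test:554/movie.mov", g_server, sizeof g_server); }
int demo_long_url(void)   { return generic_open(constructed_long_url(), g_server, sizeof g_server); }
const char *demo_server(void) { return g_server; }

int main(void)
{
    install_url_patch();
    printf("normal URL: status %d, server %s\n", demo_normal_url(), demo_server());
    printf("over-long URL: status %d (bad address, no crash)\n", demo_long_url());
    return 0;
}
```

Without install_url_patch() the over-long URL reaches the stand-in's abort(), which is the model's equivalent of the crash log posted earlier in the thread.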