Month of Apple Bugs - First Bug Unveiled

← Back to Stories (view on slashdot.org)

Month of Apple Bugs - First Bug Unveiled

Posted by Zonk on Tuesday January 2, 2007 @01:45AM from the apple-must-be-so-proud dept.

ens0niq writes "The first bug (a Quicktime rtsp URL Handler Stack-based Buffer Overflow) of the Month of Apple Bugs has been unveiled — as previously promised — by LMH and Kevin Finisterre. From the FAQ: 'This initiative aims to serve as an effort to improve Mac OS X, uncovering and finding security flaws in different Apple software and third-party applications designed for this operating system. A positive side-effect, probably, will be a more concerned (security-wise) user-base and better practices from the management side of Apple.'"

15 of 240 comments (clear)

Re:QuickTime runs on Windows too... by antime · 2007-01-02 01:56 · Score: 4, Informative

RTFA:
Affected versions
This issue has been successfully exploited in QuickTime(TM) Version 7.1.3, Player Version 7.1.3. Previous versions should be vulnerable as well. Both Microsoft Windows and Mac OS X versions are affected.
Re:And a negative side effect? by Anonymous Coward · 2007-01-02 02:01 · Score: 4, Interesting

Could you give some examples of Apple suing people to cover up security holes then?
Re:good thought but I wonder by jellomizer · 2007-01-02 02:02 · Score: 5, Informative

These people are doing Gray Hat hacking. Where like the White Hats their goal is not to do damage to others people computers, but like the black hats feel that people need to feel a little pain before anything can get done and just reporting the problems to the company is not effective enough to get it done. It falls in the range of legal hacking, But it may not be the most moral way of doing it though. It is like finding a car door open and yelling out "Hey This Car Door is Open and all the valuables are inside someone should lock it!" vs. Finding the person who owns the car and descretly telling him to that is is unlocked. Or just locking the door yourself.

--
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
No problem! by fo0bar · 2007-01-02 02:02 · Score: 4, Funny

This isn't a problem because it has been proven that only Windows can get viruses. Therefore, because it's not possible for viruses to spread with MacOS, security threats are irrelevant.

Please, try the veal.
1. Re:No problem! by SuperKendall · 2007-01-02 09:11 · Score: 4, Insightful
  
  Yes it has. The first one written specifically for OS X came in the form of a trojan. I've also seen Mac classic viruses work fine on PPC OS X systems.
  
  That was not a virus - that was a trojan (pretty huge difference if you know what the differences are!) And read through the final analysis of the work the user actually had to do to contract it.
  
  Also, we are talking about OS X viruses not "legacy" viruses that in practice no-one will be catching since almost no-one uses Classic anymore. It's been years since OS X even shipped with OS 9.
  
  Not really. Have you forgotten things like auto-installing widgets?
  
  Which they fixed pretty quickly, as noted....
  
  Apple being behind other BSD systems in patching old exploits?
  Apple being behind in patching SSH, Apache?
  
  Which don't matter as much since they come turned off by default (and still didn't see any exploits for OS X in the wild)...
  
  Uh... You need to know stuff to write a windows virus too.
  
  Not really, there is a lot more template material online on how to do so, and a number of Windows viruses in the past have been simple variants of existing worms and viruses.
  
  Not according to Norton, F-secure and McAfee.
  
  You're wrong. Care to provide any links as to why you think you're right?
  
  Uh, again no. Give me some decent examples at least.
  
  IE. Forgot about the elephant in the room again?
  
  I don't know... Most of the security techniques Apple uses were developed back in the early 90s...
  
  Oh, they were developed way before that - which is why it is so tragic Microsoft could not even be bothered to do that much until now.
  
  However, the OS in my opinion is far from being a 21st century mind set in general. I mean, look at some of the stupid stuff we have todo.
  Where we have to open a console and type
  defaults write com.apple.finder AppleShowAllFiles TRUE
  
  True there is no UI to modify some defaults like that. But anyone who wants to see ALL files in Finder is probably also going to be pretty familiar with the shell and not really mind editing XML files. Frankly I have never enabled Finder in that manner as if I want to be messing with files Finder cannot see by default, I greatly prefer to be using Terminal anyway.
  
  What makes it an advanced OS is that you have a layer that is easily configurable by most users, and then a more advanced layer that is easily adjustable through a few means. The situation is still better than what Windows offered, where you had to basically write TweakUI to get at some settings that could not simply be activated in a text file at least OS X comes with means to modify every setting in the system, even if some are not behind GUI's.
  
  Heh, or we could the simple things that have always worked well... Exploits against the user. Just send them a e-mail with a .pkg file that contains a rootkit (there are feasible methods to-do this on OS X), said hidden process scans the address books of users on Mac (Useful, since many Mac users actually do use the mail client on the system), then starts sending copies of that .pkg to those people....My point is, coming up with methods to make virii on Mac isn't that hard.
  
  Yes that would work - but Mail would warn the user about running it, and the default security level most people run at would prevent it from getting as far into the system as most rootkits are. That is the reason OS X is more security, because of the very old concept of defense in depth applied across the OS, not because any one layer is invulnerable to attack!
  
  Writing viri for any platform is dead simple if you are going to rely on the user to propagate it. But Windows has a million examples of stuff that needs no user even clicking on OK to run off and do its thing. That is another difference. That and of course, the fact that today there are no OS X viruses in the wild. Not just a few, but zero - despite many people such as yourself who think it would be easy to write one and would like to see one just to show up Mac users.
  
  --
  "There is more worth loving than we have strength to love." - Brian Jay Stanley
Re:At this rate by Rob+T+Firefly · 2007-01-02 02:04 · Score: 4, Insightful

Or I could use the Linux Cop Out... Explaining that Quicktime is actually a third party application that is bundled with the OS not the OS itself.
Actually, since Apple makes both Quicktime and MacOS, it's more like the MSIE/Office copout.

--
Slashdot Burying Stories About Slashdot Media Owned
Doesn't work for me by Anonymous Coward · 2007-01-02 02:12 · Score: 5, Interesting

I just tried this on my MacBook Pro using the provided QTL files and ruby scripts, but none of them seem to have the claimed effect. Anybody else already tried this?
Re:QuickTime runs on Windows too... by elrous0 · 2007-01-02 02:20 · Score: 4, Informative

You'll note that it's the "Month of *APPLE* Bugs," not the month of OS X bugs.
-Eric

--
SJW: Someone who has run out of real oppression, and has to fake it.
Re:good thought but I wonder by aj50 · 2007-01-02 02:28 · Score: 4, Insightful

It is like finding a car door open and yelling out "Hey This Car Door is Open and all the valuables are inside someone should lock it!" vs. Finding the person who owns the car and descretly telling him to that is is unlocked. Or just locking the door yourself.
Not really.
It's more like finding a bank vault open and shouting out, "Hey, everyone, this bank has left its vault open with your money in it."

--
I wish to remain anomalous
Re:good thought but I wonder by elrous0 · 2007-01-02 02:29 · Score: 4, Insightful

A poor analogy, methinks. It's more like discovering that an apartment building master key has gotten into criminal hands. First you go to the building manager and ask him to change the locks. If he refuses to do so promptly, you go to the residents and inform them. The problem comes when the master key gets out a lot and the building manager consistently drags his heals on changing the locks each time it does. At a certain point, you realize that the only way to really get his attention is to go directly to the residents.
-Eric

--
SJW: Someone who has run out of real oppression, and has to fake it.
Re:good thought but I wonder by jellomizer · 2007-01-02 02:38 · Score: 4, Insightful

Not exactly first in this case they are not going to the manager first they are going to the public about it first.

Next a Bad guy may not have the key, but once he knows the key is missing he will start looking around for the guy who found the key and take it away from him. It is more like the key is hidden under the welcome mat. And the guy found it one day then blabbed about it to everyone even outside the apartment.

As a land lord myself I know, some jobs can't be done right away. Some things espectially changing all the locks takes time including finding the residence and giving them the new key before they leave. so you can change their locks. Also the time to fix all the locks, dealing with people who think there lock should be replaced first, others who love their lock so much they don't want to change it. Some people creek in fear when the land lord knocks figuring they will evict them with a blink of an eye. (even though it is expensive to leave a room vacent)

--
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Re:Apple Vs. Security Researchers by 99BottlesOfBeerInMyF · 2007-01-02 02:47 · Score: 4, Insightful

Apple has had poor relations with security researchers for years.

Actually, Apple has had pretty good interactions with security researchers in general, in my experience. Being a huge PR magnet, however, they also manage to attract showboaters trying to capitalize on the popularity they can get by behaving in a less than reasonable manner. The wireless exploit you cite, for example, turned out to be hype about a problem that affected no mac in its default state, but Apple responded to it even though they were never contacted with the details of the supposed exploit and did fix several issues they found during a review of the wireless drivers they ship. Apple has done a pretty reasonable job of patching easily exploitable/wormable problems very quickly and they don't seem to be ignoring problems reported to them. One of my coworkers found a local exploit (low risk) and reported it through Apple's Website. The fix was in the next security update and even credited him. It seems like pretty good relations with the security researcher community to me.

As for the month of Apple bugs. It is more of the same. Sure these guys could report Apple bugs to the normal channels and they'd be fixed fairly quickly and overall security would benefit. That, however, won't make the news. So instead of reporting bugs when found, these guys are intentionally delaying releasing that info to both Apple and the public. Apple isn't pressured to quickly fix bugs if they don't even now what those bugs are. The public isn't served by bugs being fixed more quickly. Users aren't served by bugs being released to the public for possible mass exploitation without Apple ever being given a chance to patch their machines. The end result is decreasing the overall security or computing. It serves no one except the researchers who are showboating and being irresponsible.
Re:I'm afraid you are incorrect, sir. by 99BottlesOfBeerInMyF · 2007-01-02 03:44 · Score: 4, Informative

The wireless exploit did apply to Airport cards;

It is my understanding that the vulnerability you reference as well as the other two they fixed were both the result of an internal audit of their wireless drivers and not the result of the exploit that was publicized. The issue is more than a little muddy, however, and I'd be grateful if you could provide a reference to show either way.
Re:I'm afraid you are incorrect, sir. by Nelson · 2007-01-02 03:49 · Score: 4, Insightful

Yeah but you see, that's against entirely different software and hardware than what secureworks supposedly demonstrated.

I really don't see how you can paint apple in to a bad place with this, secureworks created a lot of hype while disclosing nothing to anyone, Apple took the initiative and at their own expense researched the issue and fixed potential problems they found, none of which has a known exploit. None of this validates what secureworks did, it is possible it's the bug they supposedly found but it's also possible they faked the whole thing.
Re:and now Apple by 99BottlesOfBeerInMyF · 2007-01-02 04:19 · Score: 4, Insightful

...when Microsoft gets treated to the same very few care, in fact some seem to relish in it.

Microsoft is not performing due diligence and is quite frankly not giving customers what they want. They routinely sit on publicly announced bugs for long periods of time and according to people I know who have worked there less than half of the security holes they find internally are prioritized high enough to be fixed. No one is happy worms are destroying computers, but some people are happy to see MS getting bad publicity because of their actions.

Now comes the fun, if a bug is reported to Apple how long do they get to fix it? Who will determine when enough time has passed?

Well, I believe the last serious security hole reported to them was fixed in 10 days, which is pretty good turn around for development and QA. OS's can be evaluated based upon the nature of the vulnerability, risk, and duration of exposure. For something like this, if it is easily reproducible, under normal circumstances, a couple of weeks seems reasonable. If they are constantly getting new vulnerabilities once a day, it may be longer since they might need to prioritize based upon those. Think of this from the developer's standpoint. If these guys are trying to make OS X less secure, they picked a good way. Thanks jackasses.

They haven't a big enough installed base to get the "Average user" which Microsoft has to both sell to and suffer with.

What do you mean? Apple has lots of novice users including the very young and very old attracted by their reputation for ease of use. How many people on this forum do you suppose convinced their grandparents or parents to get a mac?

When they do penetrate the "Average user" market and get into double digits of popularity then they attract attention they don't want.

There is plenty of motivation for hackers to attack OS X right now. The reason it does not happen is not the lack of motivation, but the difficulty/convenience of so doing. Smaller market share makes propagation more complex. Increased scrutiny makes exposures shorter. Many worm authors have a very windows-centric knowledge base. All of these factors may mean as OS X's market share goes up, worms become more common, but to attribute this to motivation is a mistake.

Do not under estimate the creativity and capability of the hackers out there.

I know people on both ends of the security spectrum. I'm not too worried about OS X becoming bug ridden as market share increases. In fact, I think both Windows and OS X security will increase as OS X's market share increases. The problem of security is one of motivation, but not of the motivation of malware authors, but of OS vendors. Apple needs to keep customers happy to maintain market share. Thus, if malware becomes a problem for their users they will fix it or lose money. Right now Microsoft has no such motivation, so their attention to security has been spotty at best. They don't significantly lose money when users suffer from security problems. Increasing OS X's market share might motivate them to improve security. Anyone who argues that MS or Apple is doing all they can has not been paying attention.