Month of Apple Fixes

das writes "On the same day as the launch of the Month of Apple Bugs (MOAB) (blog), Landon Fuller, a programmer, Darwin developer, and former engineer in Apple's BSD Technology Group, has launched an effort to provide runtime fixes for each MOAB issue as they are released. A fix has already been posted for the first MOAB issue."

Response from Kevin Finisterre, second bug

[daveschroeder]

Kevin Finisterre, security researcher, founder of Digital Munition, and co-presenter of the Month of Apple Bugs, has also responded on the SecurityFocus focus-apple list to some of my concerns, expanding on some of the motivations and reasoning behing MOAB (followup).

Also, the second bug was just posted a few minutes ago: a udp:// URI handling vulnerability in VLC Media Player that affects both the Mac OS X and Windows versions of VLC Media Player. While not exactly what I'd call an "Apple bug" (yes, yes, I know the FAQ says they're also looking at "popular applications" that run on Mac OS X as well), it is interesting to note that vulnerabilities in cross platform applications may transfer more easily to the Intel-based Macs running Mac OS X...

In any event, Apple's immediate technical response and longer-term strategic response to MOAB should be interesting.

(Disclaimer: I am the story submitter.)

Re:Response from Kevin Finisterre, second bug

[0racle]

Month of apple bugs over in one Bug? They had to go to an application already? Also, who would have known, an application writer that makes a mistake on one platform might make that same mistake on another.

Re:Response from Kevin Finisterre, second bug

[Otter]

Man, they're really scraping the bottom of the barrel, and it's only January 2nd! A string handling vulnerability in a cross-platform app I've never heard of? They should at least have been able to make it to the end of the BCS before resorting to filler like that.

Re:Response from Kevin Finisterre, second bug

I just heard this and I don't understand this. Kevin Finisterre can't be serious about this. It's supposed to be Apple, right? Everyone can be up in arms because Michael Richards or Mel Gibson call someone something racially motivated and then when other people do something like this it's just fine. I guess it wasn't true what they said about OS X. I'm mixed but I have a light complexion so no one really called me that, but plenty of my cousins were called that. Black girls often called them that for being friends with white people and I always thought that was completely ridiculous but it was also meant to be an insult just the way anyone would use any other racial slur. But this will be a drop in the bucket because black people can say whatever they want. In my entire life the only people who have ever been "racist" toward me were black people. No one acknowledges how racist black people can be. It's like they get a free pass.

Re:Response from Kevin Finisterre, second bug

[cswiger2005]

Well, a lot of people do have Quicktime installed and configured as an automatic content handler when surfing-- and this includes not just Mac users but Windows users of QT as well. The shellcode or malware would be different for each platform, but the underlying bug is the same.

Re:Response from Kevin Finisterre, second bug

[drinkypoo]

On one hand you're right. On the other hand, if you've never heard of vlc, you've been living under a fucking rock.

Re:Response from Kevin Finisterre, second bug

[0racle]

VLC != Quicktime. On top of that Quicktime would be a valid target for the month of Apple Bugs as it ships as part of OS X and is created by Apple, VLC does not and is not. A bug in VLC is no more an apple bug then an SSH bug in PuTTY is a Windows bug.

Re:Response from Kevin Finisterre, second bug

[Otter]

See, the point of switching back to Mac from Linux for recreational desktop use is that I just click on files and they play. If I wanted abuse for not being familiar with some media player minutia, I'd still be in #mplayer trying to figure out what to install to view a WMV.

Re:Response from Kevin Finisterre, second bug

[Inner_Child]

If I wanted abuse for not being familiar with some media player minutia, I'd still be in #mplayer trying to figure out what to install to view a WMV.

You install VLC. All of that is handled, and this is why it's such a popular cross-platform media player - you just click on files and they play.

Re:Response from Kevin Finisterre, second bug

[MicrosoftRepresentit]

To be fair, although the exploit uses VLC, it looks like the vulnerability is still in the way the OS handles strings, ie it is something Apple could fix. VLC may still crash, though.

Re:Response from Kevin Finisterre, second bug

[fishbot]

WMVs played out of the box on your Mac? You didn't need Flip4Mac or anything else? How did you manage that, then?

Re:Response from Kevin Finisterre, second bug

[fishbot]

"it is interesting to note that vulnerabilities in cross platform applications may transfer more easily to the Intel-based Macs running Mac OS X..."

You appear to have completely missed the phrase "Both x86 and PowerPC versions are provided." in the reproduction steps section. The problem is that, like many people these days, you see an apparent coincidence (that both use the same architecture, even though it's a false observation) and assume causality. If you write code with a buffer overflow and compile it for x86, PPC, ARM, MIPS and your toaster, the code will still have a buffer overflow on all of them.

What I'm saying is that the architecture doesn't magically make a bug appear in a system just because it is similar to another system. The vulnerability didn't "transfer" to OS X, it simply exists in the OS X version, just like it does in the other versions. Note that only the Mac and Windows version are confirmed, but it could just as easily exist in others.

Re:Response from Kevin Finisterre, second bug

[delire]

.. while others are switching from OS X to Linux because they feel more comfortable about the transparency under which security vulnerabilities are handled..

Anyway, as on Linux and on OS X, if you install mplayer you'll still need to find external support to play WMV's. Just as on OS X, as on Linux, if you install VLC you can click a WMV and it'll play.

Re:Response from Kevin Finisterre, second bug

[Otter]

.. while others are switching from OS X to Linux because they feel more comfortable about the transparency under which security vulnerabilities are handled..

Well, as the OP points out, they seem to have run out of Apple vulnerabilities after one day. So perhaps it would be more accurate to say "others are switching from OS X to Linux because they feel more comfortable about the transparency under which a security vulnerability was handled." Tell 'em to say hi to the 12-year-olds in #mplayer for me!

Re:Response from Kevin Finisterre, second bug

[drinkypoo]

See, the point of switching back to Mac from Linux for recreational desktop use is that I just click on files and they play.

sure, unless you want to play them full screen when the author doesn't want you to - you actually have to pay for quicktime pro for that.

Or unless you want to play ogg vorbis or theora content, you'll need to install additional software.

Or unless you want to play any of these: FLV, Flash Screen Video, or AVIs with AAC, AC3, H.264, MPEG4, or VBR MP3 audio. Which is why there's Perian.

Or you could just install vlc and update it occasionally, since it seems to correctly play more media formats than any other player - and that definitely includes Apple's Quicktime.

If I wanted abuse for not being familiar with some media player minutia, I'd still be in #mplayer trying to figure out what to install to view a WMV.

vlc is the most popular video player amongst geeks for two reasons: one, it was the first player worth half a crap to work on linux; and two, it really is quite excellent. This is also why everyone but you knows what it is. Well, everyone who hasn't deluded themselves into thinking that Quicktime plays everything.

Re:Response from Kevin Finisterre, second bug

[Ash-Fox]

I'd still be in #mplayer trying to figure out what to install to view a WMV.

ffmpeg supports WMV9 already... What would you need to figure out in mplayer? It should work just fine.

Re:Response from Kevin Finisterre, second bug

[Hes+Nikke]

i've found that Quicktime Pro + Flip4Mac + some divx dirivitive does give VLC a run for it's money on my mac mini attached to my TV, particularly from a UI point of view.*

now if i don't have the time to set everything up so that it purrs, i'll throw VLC onto a system.

*i'm sure front row will be just stellar with this setup, but i have a PPC in my mini, so apple said "wait 'till leapard... or install an older version of OS X and patch it." sometimes apple's idiotic policies (.mac, quicktime pro, front row being tied to hardware, etc) make so little sence that i sometimes wonder how meny switchers are getting pissed off and swtiching right back to dell....

Re:Response from Kevin Finisterre, second bug

[rdoger6424]

vlc. VLC can do it ootb (out of the box).

Re:Response from Kevin Finisterre, second bug

[Goaway]

while others are switching from OS X to Linux because they feel more comfortable about the transparency under which security vulnerabilities are handled.

"Others"? There are two of you?

Re:Response from Kevin Finisterre, second bug

[Goaway]

Or you could just install vlc and update it occasionally, since it seems to correctly play more media formats than any other player - and that definitely includes Apple's Quicktime.

Mac users actually appreciate well-designed interfaces, so that's not really an option.

It's kind of sad when a program is beaten on interface design by mplayer, of all things.

Re:Response from Kevin Finisterre, second bug

[drinkypoo]

Mac users actually appreciate well-designed interfaces, so that's not really an option.

If you don't like the interface that comes with vlc, pick another one. Incidentally I've found quicktime to be one of the most annoying fucking apps ever. The wanky little pull-outs that slide out unnecessarily are just stupid. I guess "pretty" is what stands in for "well designed" in apple-land these days.

Re:Response from Kevin Finisterre, second bug

Call it what you want, ignore it if you want, defend [insert OS here] all you want, but the point is the same. If it runs on your system and you have it on your system, you ARE susceptible. You can rally around a specific group of people that all agree with each other and say, "Hey, it is not a [insert OS name here] problem so screw you!". Bottom line, it IS a problem. The excuse of "Well it affects [insert other OS here]" and stick your tongue out if that that makes you feel better. You do realize doing that does not make it go away or make it any less of a problem.

- My Ford caught on fire, but so did my neighbors Honda.
- My Firestone tires on my Ford exploded but so did the Firestone tires on my neighbors Honda.
- My Firestone tires on my Ford exploded because I never checked the tire pressure but so did the Firestone tires on my neighbors Honda and he never checked either.
- I drove my Ford with no oil and it died, but my neighbor with a Honda did the same.

Re:Response from Kevin Finisterre, second bug

[GaryPatterson]

Surely you meant "On the other hand, if you've never heard of vlc, you're one of maybe 95% of computer users."

Most people have never heard of VLC, because they don't live for their computer. They actually do other stuff, and don't care to go finding software like this. I've mentioned it to a few people, and none had heard of it.

Slashdot != normal people

Re:Response from Kevin Finisterre, second bug

Are you daft? Your argument made no sense whatsoever. Yes, it is a problem. Did the GP post deny that it was a problem? Unless you have a deficiency in understanding simple English, I can't see you can try to infer that the GP denied there was a problem. It is a problem, however, that is not Apple's fault. It is VLC developers' fault; thus, the point is not the same.

The GP was correcting the post that inferred the bug was in QuickTime. It's not since VLC does not depend on QuickTime to playback videos and the bug in VLC does not affect QuickTime.

Re:Response from Kevin Finisterre, second bug

Read the whole parent post jackass. Better yet, I'll paste it below:

VLC != Quicktime. On top of that Quicktime would be a valid target for the month of Apple Bugs as it ships as part of OS X and is created by Apple, VLC does not and is not. A bug in VLC is no more an apple bug then an SSH bug in PuTTY is a Windows bug.

Then you write:
The GP was correcting the post that inferred the bug was in QuickTime.

Okay, one small part of that post was clearing up that VLC != QT. That was the first three words. Did you read the rest of it? The rest of the comment was what my reply was related to, obviously you did not read the whole GP post though. I understand this bug is not directly related to an Apple OS issue. To downplay that a bug exists because it is NOT an Apple bug is rediculous. To claim that other OS's are effected as well does not change anything. Maybe after reading through all of these posts I may have infeerred the wrong thing but to me, it appears that no one gives a shit about bugs and security issues because the may not be Apples fault. Does that really matter? Can people take an issue and run with it instead of automatically trying to defend Apple? Okay, next week there is a bug that gets root access. Everyone with an Apple completely blows it off and toots a hrrn because, it was Apache and not Apples fault. Hey, guess what... It does not matter because if you were running on your Apple you would be owned!

Re:Response from Kevin Finisterre, second bug

[Silvrmane]

had to comment on your Puni Puni Poemy reference in your sig. :)

Re:Response from Kevin Finisterre, second bug

[node+3]

WMVs played out of the box on your Mac? You didn't need Flip4Mac or anything else? How did you manage that, then? No, but it's much[*] easier to get them working on a Mac than it is on Linux.

[*] My entry in the "Understatement of the Year Award for 2007".

Re:Response from Kevin Finisterre, second bug

[SuperKendall]

To downplay that a bug exists because it is NOT an Apple bug is rediculous.

An "upplaying" the bug which is not an Apple bug, in the context of a "Month of Apple Bugs" is NOT rediculous?

What if the auhtor pointed on an exploit in some code that possibly might some day be ported to OS X? To me it seems the same case, just extended. Would that also belong in the "Month of Apple Bugs"?

Re:Response from Kevin Finisterre, second bug

[sqlrob]

sure, unless you want to play them full screen when the author doesn't want you to - you actually have to pay for quicktime pro for that

Or learn a little scripting. Apple didn't learn the "if you don't want it used, don't ship it" tenet of security. The full screen functionality (at least it used to be) was easily accessible with AppleScript, even without pro.

Re:Response from Kevin Finisterre, second bug

How about this..
Next time one of your critical systems goes down and all hell breaks loose, tell your manager/supervisor/clients, that the OS was not the problem, it was only an application that was running that is not installed by default, then chuckle, shrug, and walk away. After all, the only things many people seem to care about, is that it is not the OS, who cares. Well if the ONLY thing anyone ever runs is the OS or as shipped applications, then that attitude may work out.
I have no idea how anyone could have interpeted anything other then that after reading through almost every thread in this article (including this one). I am NOT being OS specific, this concept comes up all of the time for every OS and the defenders come up all of the time with the same kool-aid. Everything is fine, we are fine, it is not the OS. That mentality towards security is dangerous.

The kicker is going to be the many people that go through every bug posted this month and will do nothing but say, look at this one, not Apple, look at that one, this one only if... blah blah blah. What's more important here? Preaching how great [insert OS name here] and glossing over the fact that regardless of the OS, there will be security issues?

Re:Response from Kevin Finisterre, second bug

[empaler]

Apple didn't learn the "if you don't want it used, don't ship it" tenet of security. MY guess is that the users willing to tweak QT with a script are more or less just as likely to download and install VLC or whatnot, so they probably decided against using developer hours on it.
Even more likely; they want to be able to display full-screen video for some odd purpose, and the third party devs all expect to be able to, also.

Re:Response from Kevin Finisterre, second bug

[heychris]

If VLC counts as a popular Mac application that Apple should be responsible for, then the MOAB is going to be very easy for the researchers. All they have to do is wait for Patch Tuesday, and claim any patches to WinXP as an Apple bug! I'm sure that Parallels is a very popular application here, so it stands to reason that it's Apples fault that Parallels runs buggy code. And think of the children running Ubuntu in Parallels that unknowingly are pwned by a Tux Racer exploit!

Now if you'll excuse me, I *know* I have an asbestos suit here somewhere... :)

CC

Re:Response from Kevin Finisterre, second bug

[iroll]

If you can spend an afternoon or two googling around to figure out wtf happened to sound AND video during a routine install of Debian and call that "progress*," you will think the hack for making Quicktime fullscreen for free is a snap.

*Granted, last time I did this was 2 years ago, I'm sure things have progressed.

Re:Response from Kevin Finisterre, second bug

[mr_mischief]

Funny, I don't recall having any issues viewing William's Money Video on my Linux machines.

Re:Response from Kevin Finisterre, second bug

[A.Gideon]

it was only an application

You're ignoring that there's a real [potential] cost difference in an OS bug vs. an application bug. Hopefully, the vendor of either will provide a quick fix and all will be well.

But the worse-case for an OS bug is large. Replacing an OS at a nontrivially sized site is a big deal. It likely will also involve replacing applications.

On the other hand, replacing a single application - while potentially annoying - is not a problem of the same scale.

Of course, all of this is aside from the real issue of this thread (that being that the MOAB is supposed to actually refer to A's Bs {8^). But the difference between an OS problem and an application problem is a significant one.

Re:Response from Kevin Finisterre, second bug

[drinkypoo]

Surely you meant "On the other hand, if you've never heard of vlc, you're one of maybe 95% of computer users." Most people have never heard of VLC, because they don't live for their computer. They actually do other stuff, and don't care to go finding software like this. I've mentioned it to a few people, and none had heard of it. Slashdot != normal people

Actually, I was talking about slashdotters, of which he is one. As you point out, this is slashdot. VLC releases hit the front page. He should really be aware of what VLC is. I'm not sure why you make the objection that an ignorant user wouldn't know about VLC... because we all here are slashdotters.

Re:Response from Kevin Finisterre, second bug

[soft_guy]

On one hand you're right. On the other hand, if you've never heard of vlc, you've been living under a fucking rock. That's a pretty broad definition of "living under a rock". Lots of people who use computers every day haven't heard of VLC. They aren't living under rocks, they just aren't geeks.

Re:Response from Kevin Finisterre, second bug

[Goaway]

Skins? We don't "skin" apps on OS X. And does it have a skin that makes the preferences window usable by humans?

And when did you last use Quicktime? It hasn't had any sliding drawers for years and years.

Re:Response from Kevin Finisterre, second bug

[drinkypoo]

sure, unless you want to play them full screen when the author doesn't want you to - you actually have to pay for quicktime pro for that

Or learn a little scripting. Apple didn't learn the "if you don't want it used, don't ship it" tenet of security.

That's not really a security issue because Quicktime and Quicktime Pro are the same software. Quicktime is simply crippleware based on the regkey - features are disabled. Want proof? The same download works for both quicktime and quicktime pro, and the difference is the key you put in. True on both mac and windows.

The full screen functionality (at least it used to be) was easily accessible with AppleScript, even without pro.

The simple fact is that Apple's a bunch of assholes for disabling such an obvious feature which is in basically every media player, and the odds of the average user writing an applescript to fullscreen quicktime is basically nil compared to the odds of them downloading VLC - which aren't good themselves, I admit.

Re:Response from Kevin Finisterre, second bug

[drinkypoo]

If you can spend an afternoon or two googling around to figure out wtf happened to sound AND video during a routine install of Debian and call that "progress*," you will think the hack for making Quicktime fullscreen for free is a snap.

Eh, shit happens. But that's pretty irrelevant when we're talking about a mac. The clueful will figure it out, but most people are not clueful. Most people are fucking lames. Which is why the mac has one button :D (sorry, couldn't resist)

Re:Response from Kevin Finisterre, second bug

[drinkypoo]

On the mac you install a program or two to get full video support. Granted, it's not a big deal. On the other hand, on my Ubuntu install, I used automatix2 (installing automatix boils down to copying and pasting some lines of text so it's not a big deal) and it just gave me checkboxes to click to download pretty much everything I need on the system. Then I went and copied and pasted some other lines of text from another website and got IE5 through IE6 under wine so that I can use them to test webpages and use pages that don't work in firefox etc. Not that I've seen any of those in literally years - I know they're out there because people bitch about them sometimes, but I don't run into them.

The simple fact is that Linux is becoming easier and easier to use and has more and more features - while it IS hard to get there today, I will freely admit, there's pretty much nothing on OSX besides the iApps that you don't have on Linux any more - between beryl/aiglx which provides you the 3d-accelerated GUI support including fun toys like an Expose-alike, beagle which gives you the desktop search, and the many other fun doodads... All I need do is wait and all of this software will be excellent - superior, in fact, to the mac, which it already is in most ways, not least because nearly everything on my system (but flash player) is Free Software and I value freedom. Meanwhile, Apple users must both wait and pay a hundred bucks every so often. If you feel that you are getting the best part of this deal, who am I to dissuade you? Steve Jobs says "thanks, sucker."

Re:Response from Kevin Finisterre, second bug

[drinkypoo]

Skins? We don't "skin" apps on OS X.

I'm sorry to hear that application developers don't offer you the same flexibility on OSX that we tend to get everywhere else.

And does it have a skin that makes the preferences window usable by humans?

Most people will never need to mess with the preferences window at all. I've looked at it a zillion times but never actually changed anything.

And when did you last use Quicktime? It hasn't had any sliding drawers for years and years.

Apparently that's how long it's been since I've needed to use Quicktime to play content. I would give them points for that but they lose all of them for putting a stupid welcome screen in Quicktime by default (I just ran quicktime for the first time in a long time - and on the dual G5 to my right, I might add. VLC forever! Or until something better comes along. Which I'm sure won't be Quicktime.)

Re:Response from Kevin Finisterre, second bug

[Goaway]

I'm sorry to hear that application developers don't offer you the same flexibility on OSX that we tend to get everywhere else.

The flexibility to choose between a wide array of interfaces that are consistent only in their all being horrible to use is not really considered a feature. We like interfaces that look like the rest of the OS, and behave in ways specified by the HIG. I do not feel the need to put stickers and custom rims on my car, and I do not feel the need to rice my computer, either.

Most people will never need to mess with the preferences window at all. I've looked at it a zillion times but never actually changed anything.

Each time I foolhardily try to use it, I have to use the preferences in order to try and improve the sub-standard subtitle rendering.

Never once have I actually managed to do so, though.

Not that "you don't need to use it" is an excuse for having a incredibly shitty interface. If you don't need it, it should not be there. If it is there, it should be needed, and it should be decent.

I would give them points for that but they lose all of them for putting a stupid welcome screen in Quicktime by default

As far as I can figure, this only happens if you actually go to the trouble of open /Applications/ and double-clicking Quicktime.app. That is not how it used - you click on a file associated to it, and it runs without any welcome screen. I don't think I've ever even seen this welcome screen.

This is not to say Quicktime is anywhere near perfect - that welcome screen is probably useless, and forcing you to register the app is bullshit, but even taking that into account, VLC is not even anywhere near the same league, interface-wise. When I have files that Quicktime won't play, VLC is pretty much my last choice. MPlayer OS X is far better designed (though it contains its share of idiocies), and considering how user-hostile mplayer usually is, that's saying something.

Re:Response from Kevin Finisterre, second bug

[sqlrob]

That's not really a security issue because Quicktime and Quicktime Pro are the same software.

Yes, it is a security issue, but only from Apple's point of view. Customers are getting something they didn't pay for. That's a hole in the implementation. The only truly secure implementation would be to not ship the feature in the lite version.

odds of the average user writing an applescript to fullscreen quicktime is basically nil compared to the odds of them downloading VLC

Not when it's easy to find and do. It's not much (if any) harder than downloading a dmg and copying the app.

Re:Response from Kevin Finisterre, second bug

Next time one of your critical systems goes down and all hell breaks loose, tell your manager/supervisor/clients, that the OS was not the problem, it was only an application that was running that is not installed by default, then chuckle, shrug, and walk away.

You might want to move a little faster than walking so that you don't have to explain why you were watching videos on your "critical system." If someone runs one of my crappy programs on their critical system, and some joker exploits it, how is that Apple's fault?

Re:Response from Kevin Finisterre, second bug

[Paradise+Pete]

I'm sorry to hear that application developers don't offer you the same flexibility on OSX that we tend to get everywhere else.

It used to be that there were important interface guidelines that users expected applications to respect, so arbitrary skins didn't really make sense. Of course now that Apple doesn't seem to worry so much about those "trivial" matters I suppose skinning will become more commonplace.

Re:Response from Kevin Finisterre, second bug

[drinkypoo]

It used to be that there were important interface guidelines that users expected applications to respect, so arbitrary skins didn't really make sense. Of course now that Apple doesn't seem to worry so much about those "trivial" matters I suppose skinning will become more commonplace.

Yeah, I started to get my back all up but luckily I finished reading your comment. Apple has three widget sets and they use them all in currently shipping versions of OSX. They have also apparently forgotten everything they ever knew about UI design.

Re:Response from Kevin Finisterre, second bug

how is that Apple's fault

Your right it is not, therefore we all can ignore any security issue that is not the fault of Apple. Thank You for proving my point.

Re:Response from Kevin Finisterre, second bug

[Magus255]

A VLC bug as a Mac bug is really dumb. Can't they find any real bugs in OS X?

Re:Response from Kevin Finisterre, second bug

[Em+Adespoton]

People appear to be confusing two Apple products: Quicktime and Quicktime Player. Quicktime is fully functional out of the box (sort of... you also need to install Perian and Flip4Mac, and might want to purchase the Apple MPEG2 plugin). Quicktime Player, on the other hand, comes bundled as crippleware. Replace Quicktime Player with Cellulo, BitPlayer, Metadata Hootenanny, or any of the other front ends available, and you have the same (or similar) access to the Quicktime engine you do with QuickTime Player Pro.

Re:Response from Kevin Finisterre, second bug

Your [sic] right it is not, therefore we all can ignore any security issue that is not the fault of Apple. Thank You for proving my point.

No problem. It would have been easier, but because of the way you comb your hair I didn't notice your point right away. Try to follow the topic, Chief.

Re:Response from Kevin Finisterre, second bug

[drinkypoo]

But Quicktime, much like Microsoft Directshow, doesn't play all currently-popular formats out of the box. You have to add codecs. So even doing so doesn't get you a complete solution. Now what you're proposing is that in addition to adding codecs or other programs which happen to install same (like democracy player, which installs perian) the user also install another video player just so that they can get fullscreen. At which point they might as well install VLC, and solve all their problems with one install. It's still absolutely ridiculous to force people to pay to get a feature that is included for free with basically every other media player on the planet.

Re:Response from Kevin Finisterre, second bug

[JurgenThor]

An "upplaying" the bug which is not an Apple bug, in the context of a "Month of Apple Bugs" is NOT rediculous? Re-diculous: adj. something so ridiculous you do it twice.

THEY FOUND A CURE FOR AIDS?!?!?!?!?!

[CmdrTaco+(troll)]

Cool.

Thanks.

[easter1916]

Thank you, Landon.

Re:Thanks.

[Tragek]

Three Cheers for Landon Fuller! As a technical question, does anyone know how efficient using Application enhancer is? I tried Shapeshifter, and found performance lacking. Was that specific to ShapeShifter, or is it a general problem with application enhancer extentions?

Re:Thanks.

[inca34]

Completely OT, but it seems the APE framework is cool but its modules may lack. =\

I have a patch for the second bug...

[inca34]

The pretty version, compliments of jasonc from #od:
find / -iname "vlc" | xargs rm -rf

so?

These bugs are not exploitable obviously right? Otherwise we'd be seeing mad mac oriented spyware.
It's simply not possible to make spyware for macs.

Re:so?

[megaditto]

They are exploitable if you make the target visit a webpage you scripted that contains the exploits. Which is not that hard if you send a link in a personal message to someone who knows you (a virus could harvest email addresses/names from your computer and it will look like coming from you): "Hey Bob, our office party pictures are online here. Love, Jane"

As I understand it, the Quicktime bug of yesterday is particularly bad since it will load automatically without asking if you wish to run it first.

Re:so?

[cswiger2005]

Yes, that's exactly right.

It's not as dangerous as a bug which requires no interaction whatsoever, but it's common enough for people to boink on random links that the risk level of that exploit could be fairly high. It will be interesting to see whether malicious exploits appear widely for any of these Mac bugs, and how quickly they spread if so...

rushed fixes, and untested at that

So some third party is going to try to rush out daily fixes? How much testing is done on these fixes, none? And how do you uninstall these quick fix hacks when Apple releases the legit fixes?

And this is being done all to save Apple's rep, so Apple fanboys can say, "ALREADY FIXED!!!"?
I'll wait for the real fixes than deploy some untested hack that some kook cooked up in his basement without having the first clue as to the wider impact of his "fix". 10 to 1, the "fix" will be worse than the bug. Hell, it might even be an exploit itself.

Re:rushed fixes, and untested at that

[inca34]

You're suffering from some serious RTFA syndrome. By doing the patch the way he did you change NO SYSTEM FILES.

Re:rushed fixes, and untested at that

I guess you missed the "download the source" link. Moron.

Re:rushed fixes, and untested at that

[daveschroeder]

All this is a little fun exercise and a public service, if you will. Also, anyone can examine the code.

How do you uninstall these quick fixes? Simple. They'll almost all invariably be runtime fixes with Application Enhancer (APE). APE modules are just self-contained directories; nothing more. They can be unloaded on demand, and APE itself can be easily installed, uninstalled, disabled, and modules can be loaded and unloaded at will.

Also, Landon Fuller is anything but an "Apple fanboy", or in any way remotely interested in "saving Apple's rep". The idea is to look at the bugs, and see if a quick technical solution or remediation can be provided. No one has to install them. Since the code is available, anyone can see what's being done, including the rest of the community. If one wishes to wait for Apple's official patches, fine.

Aside from all of this, of course Mac OS X, like any other operating system or large software project, has bugs. Some of these bugs will enable vulnerabilities that can be exploited. I fail to see how any of this is surprising. If you're actually interested, I've summed up my thoughts on this here.

Re:rushed fixes, and untested at that

[landonf]

So some third party is going to try to rush out daily fixes?

If I have time, or if people help me.

How much testing is done on these fixes, none?

I tested thoroughly on Intel and PowerPC Macs. I wouldn't release a fix to the world without being fairly certain that it works correctly. You're welcome to review the code for the first fix -- it's about 10 lines. I'd be happy to explain the various entry points for you, too. We're using these fixes on all our Macs here at Three Rings Design.

Alternatively, you can not use the patch. I won't mind.

And how do you uninstall these quick fix hacks when Apple releases the legit fixes?

You open the Application Enhancer pref pane and hit the "-" (minus) button.

Re:rushed fixes, and untested at that

[chochos]

I'm sorry but the APE is not easy to uninstall at all. And it causes a lot of trouble; I once used x-shade or whatever its name was and it installed APE; after some time I started having some problems with the machine being slow and some other stuff, I looked for solutions and a lot of people were posting about how APE causes many problems. I uninstalled it by following the directions in the forums (which include removing files buried deep in some directory) and my problem was fixed. Why would the solutions require using a third-party application such as APE? QuickTime can be fixed by Apple and they can issue a security update; VLC is open source and it would only require downloading a newer version. I really hope APE is not necessary for any fixes (except for fixing the unsanity stuff, which I stay away from).

Re:rushed fixes, and untested at that

[daveschroeder]

Ugh. :-(

APE isn't going to be necessary for ANY fixes from Apple. Apple will release their fixes in due course, and they'll be like all their previous fixes have been: normal updates to the OS that come down via Software Update, etc.

But since we can't directly fix Apple's code, this is a little technical exercise that fixes them with runtime patches. One very easy way to do runtime patches and code injection such as this is to use APE.

Also, APE is *very* easy to uninstall. It has its own uninstaller right in the installer, which will, categorically and definitely, uninstall every single last thing that has anything to do with APE.

Also, there is nothing wrong with APE, and here is a very detailed explanation of exactly what APE is and what it does.

All this project is is just that: a project. The community is welcome to inspect all of the source code, and anyone is free to use these runtime patches. Yes, QuickTime, and VLC, and everything else that will be covered in MOAB will be fixed by Apple and the various applicable vendors/developers. That is not at all the point of providing on-demand runtime fixes each day, and you have apparently totally missed the point of this projects, and the post you responded to where I pretty concisely explain it.

Re:rushed fixes, and untested at that

Aside from all of this, of course Mac OS X, like any other operating system or large software project, has bugs. Some of these bugs will enable vulnerabilities that can be exploited. I fail to see how any of this is surprising.

This attitude is why we'll continue to see more and more security vulnerabilities (from all vendors). Which become more and more dangerous as our society's dependencies on software become deeper.

You've basically reached the conclusion that there's no reason for vendors to even try. Because it's "okay" to screw up and ship security holes, and some "responsible security researcher" will be nice, and do the vendor's work for free, and "responsibly disclose" the vendor's mistake.

I'll stick to my personal prediction: only legislation will cure this disease and teach people that software security is important, and training programmers is important, and paying for secure software is important. This legislation would be awful and might even destroy open source software, but I'm tired of the endless stream of security holes. I'm tired of downloading popular open-source apps and finding security holes just by scrolling through the code (no I don't report them. I fix them in my clients' copies.)

Can you imagine a parallel universe where arrogant doctors, or bridge designers, or any other profession, routinely say things like "most patients die" .. "most bridges randomly fall down" .. "most stock trades are off by 2-3 cents"?

I don't believe that all software contains an endless stream of security holes. I believe that all these idiotic off-by-one or buffer overflow errors can be tested for and avoided. If an independent individual can discover these bugs, so can Apple, "at the factory". Software isn't a physical process, it's just a bunch of ones and zeros going in and out. It should be possible to make sure no sequence of bytes will cause a security breach.

Re:rushed fixes, and untested at that

[dogfriend]

Hey, thanks for providing the runtime fix(es).

Stay tuned....

for a Month of I Don't Care.

Nothing to see here. Move along.

[PurifyYourMind]

Apple products don't have bugs. They have worms.

Re:Nothing to see here. Move along.

[Anarchitect_in_oz]

What about fruit fly?
It's done a lot of damage to Apple crops near my house.

Can they fix

[Piroca]

The stupid anti-aliased font rendering in OS X?

Re:Can they fix

[quis]

Why is it "stupid", just out of curiosity?

Re:Can they fix

[Weston+O'Reilly]

I think the poster is referring to a bug/quirk that will sometimes render a line of text with a slightly bolder appearance than other lines on the screen. Scrolling or highlighting and unhighlighting will usually make it redraw properly. It is irritating and has been around for awhile, at least since I started using Tiger.

Re:Can they fix

I don't know about the grandparent, but I think it makes the text really blurry and fuzzy, to the point where it's harder to read than decently-rendered aliased fonts, even on the lowest setting. It's a bit frustrating for me; I can finally afford an LCD, and now every OS (not just OS X) wants to make everything blurrier than the worn-out CRT I'm replacing. Looking at an OS X, Vista, or recent Linux screenshot makes me think I need glasses; everything looks slightly out of focus.

I understand that a lot of people seem to like text anti-aliasing, I just don't, and wish I could just shut it off. Unfortunately, with more and more OSes and applications, it seems I can't.

Re:Can they fix

[Rosyna]

Well, there is Silk which allows you to turn off antialiasing. Sure, everything looks like crap with corn in it... but at least it's not "blurry".

Re:Can they fix

[Piroca]

Maybe we should do some kind of lobby to push for no anti-aliasing in Leopard. Nowadays I have to use windows over Parallels just to use Firefox and Eclipse. At least in windows I have the option to turn anti-aliasing off...

Re:Can they fix

[Piroca]

You could use TinkerTool too. But it won't solve the problem, OS X doesn't allow you to change the default font used everywhere (Lucida Grande) and that font looks terrible in the user interfaces when not aliased. Besides, a lot of applications just seem to think that anti-aliasing is the rule and do whatever they want.

Re:Can they fix

[Rosyna]

OS X doesn't allow you to change the default font used everywhere (Lucida Grande) and that font looks terrible in the user interfaces when not aliased.

Perhaps OS X doesn't, but Silk does. That was kinda my point, just kinda.

Re:Can they fix

[Piroca]

TinkerTool supposedly allows it too. It's just that OS X doesn't respect settings for the "core" fonts as it should.

Depressing

[geekmansworld]

The immaturity of the tech community is quite disappointing.

Re:Depressing

Yes, if only vendors didn't make security researches sign non-disclosure agreements.

Stop the presses

[Swimport]

The acronym MOAB has already been taken http://en.wikipedia.org/wiki/Massive_Ordnance_Air_ Blast_bomb
To prevent confusion I propose it should be Apple Month of the Bugs. AMOB

Re:Stop the presses

[UnknowingFool]

I thought the military renamed the MOAB to BFB2000.[ducks}

Re:Stop the presses

[Swimport]

Do you mean the BFG9000 (Big Fucking Gun) from doom? http://www.doomworld.com/pageofdoom/weapons.html

Re:Stop the presses

[Moofie]

Um, no, probably not. But thanks for playing.

BFG is a gun.

BFB is a...wait for it...bomb.

Re:Stop the presses

[UnknowingFool]

No. Big Fucking Bomb 2000. :)

Re:Stop the presses

[vistic]

And, computer related, it's also the name of some cluster management software made by Cluster Resources of Utah.

Re:Stop the presses

[arifirefox]

hopefully Apple won't explode because those MOAB's...they sure blow up reeeeeeal goood

Install a fix not from Apple? Fat Chance

[aardwolf64]

I don't care who this guy is... I'm not downloading "fixes" for my iMac from anyone but Apple:
Steps to Recreate
1. Go to MOAB site, record exploit info
2. Create malicious version of exploit
3. Post to web as a "fix" and tell users to blindly install

Thanks, but I'd prefer to maintain ownership of my machine...

Re:Install a fix not from Apple? Fat Chance

You also missed the "download the source" link didn't you, doucheface?

Re:Install a fix not from Apple? Fat Chance

[daveschroeder]

Uh...then look at the source code yourself.

Nothing is hidden, and Landon isn't trying to hide anything that's being done.

Also, these fixes are runtime fixes via APE modules. They only place they're "installed" is into APE, so they can all be easily removed/disabled at will (as can APE itself). There is nothing wrong with the principle of runtime patching, and this is really a technical exercise more than anything. But again, the code is all right there, and you can see exactly what is being done.

PR for Vista launch

Whats this guys motivation? He says specifically in his FAQ that he did not tell Apple of these problems, he just releasing it publicly.

Rarely, the point is releasing them without vendor notification. Although, sometimes we may decide to pass an issue through the appropriate people. The problem with so-called 'responsible disclosure' is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial. And the reward (automated responses and euphemism-heavy advisories) doesn't pay off in the end.

So why do we have to wait an entire month to get to bug #31. Whats the motivation to keep bug #31 alive for 31 more days?

Also from the FAQ:


7. John Doe has written a 'post' in his blog, saying he debunks the XXX bug, what's that?

No worries. It's probably someone begging for attention or PR-brainwashed

Thats right, anybody who disagrees is psycho. Is that you George?

Re:PR for Vista launch

[WNight]

You laugh, but most of this thread is people saying how the bug didn't work, mocking the guy. I'd rather patch a theoretical bug than sit around laughing with the fanbois over how lame it is the expect to find a bug in Apple software right until I contract my first virus. Mac users have drunk the "Unix is always secure" kool-aid. Heh.

Just keep laughing, and please totally ignore all bug reports. If it was important, Steve Jobs would have called you personally - seriously, Apple service is just *that* good.

Re:Install a fix not from Apple? Fat Chance

[inca34]

See above posts, maybe even RTFA... then RTFSC. All 10 lines of it. Cheers.

Actually...

[aardwolf64]

Sorry... that acronym is already taken:
AMOB Anna Maria Oyster Bar (Bradenton, FL)
AMOB Automatic Meteorological Oceanographic Buoy

You should try an acronym that is totally original, like:
Exploits & bugS from aPple moNth

Re:Actually...

[blugu64]

hey now ESPN is already taken, just put a 2 after it so we know it's the second one ;)

privsep?

[emil]

I realize that the idea is just catching on in IE and has not been implemented anywhere else, but why doesn't Safari setuid() the rendering engine to guest (or some other nonprivileged user)?

Is this feature in the works? I certainly hope so.

Re:privsep?

[cswiger2005]

You could probably try doing this yourself:

chown unknown /Applications/Safari.app/Contents/MacOS/Safari
chmod u+s unknown /Applications/Safari.app/Contents/MacOS/Safari ...and you'll probably need to also change the following:

chown -R unknown ~/Library/Caches/Safari
chown -R unknown ~/Library/Safari

Re:privsep?

pfft... like a Mac fanboy/mouse jockey would know what the hell you're talking about. I *still* don't know why there's a command line in OS X. Mac hipsters are too mentally challenged to use it.

Re:privsep?

[emil]

I think that the program must explicitly set a new userid; the real, effective, and saved userids are not changed by the permissions on the file. The file permissions merely allow these functions to be called, they do not change ownership - this must be explicitly done in C. I can verify this in my Stevens book if you want.

So... without help in the Safari binary, it will not be running with less privilege regardless of the permissions.

Re:privsep?

[cswiger2005]

For a program to change UID/EUID to another user, it needs to have superuser permissions. We're not going to gain in security by making Safari setuid-root or encouraging someone to browse the web as root (most likely).

Making Safari setuid via the filesystem requires fewer changes and no need for superuser.

Re:privsep?

[emil]

For a program to change UID/EUID to another user, it needs to have superuser permissions. We're not going to gain in security by making Safari setuid-root or encouraging someone to browse the web as root (most likely). Making Safari setuid via the filesystem requires fewer changes and no need for superuser.

It most certainly does not:

$ cc -o uidtest uidtest.c
$ cat uidtest.c
#include <stdio.h>
#include <unistd.h>

main()
{
int x;

x = getuid();
printf("%d\n", x);
x = geteuid();
printf("%d\n", x);
setreuid(99, 60);
seteuid(99);
x = getuid();
printf("%d\n", x);
x = geteuid();
printf("%d\n", x);
}
$ su -c "chown nobody uidtest; chmod u+s uidtest"
$ ll uidtest
-rwsr-xr-x 1 nobody users 4941 Jan 3 15:14 uidtest
$ ./uidtest
60
99
99
99

Re:privsep?

[cswiger2005]

For a program to call setuid(), it needs to have superuser permissions. For a program to be made setuid via the filesystem, you have to invoke chmod via "su". Unless you make the program setuid-root, it cannot change the user information to some arbitrary other user.

Re:privsep?

[emil]

For a program to call setuid(), it needs to have superuser permissions. For a program to be made setuid via the filesystem, you have to invoke chmod via "su".

If you will notice, I am not calling setuid(), but instead calling setreuid() and seteuid(). I used root to change ownership to nobody and add setuid to nobody, but root is no longer involved in the program after the permission change. Both the real and effective userid have changed to nobody when the program runs, without root permissions at all.

Stevens has a good discussion of what is and is not allowed if you need a refresher.

The one problem with this approach is the "saved set-user-id" - a hostile program might be able to call setreuid() to switch back by guessing the original uid_t of the calling program. On many macs with a single account, this would be a well-known number.

Re:Install a fix not from Apple? Fat Chance

If he can't read C++, what good does reading the source code do?

Unabomber.

[CODiNE]

Nice pic of the unabomber sketch on the release page... quite telling.

Month of Slashdot Dupes

On the same day as slashdot ran this article slashdot also ran this dupe, indicating that it's editing problems have still not been solved. When asked to comment, a slashdot spokesperson replied "My hovercraft is full of eels".

Re:Month of Slashdot Dupes

[99BottlesOfBeerInMyF]

One is the month of bugs. The other is the moth of fixes, a response to the first and a different project by different people. You can at least correctly read the title of the article summary before declaring it a dupe. MOAB != MOAF.

Re:Month of Slashdot Dupes

[spectral]

Yeah, you tell that MOFO.

Re:Install a fix not from Apple? Fat Chance

[inca34]

I think it's within the breathing computer tech IQ's capability to google enough to understand 10 lines of straightforward code. Otherwise, ask someone you trust. Like your mechanic for cars, we have technicians for computers.

I examined the source

I think I'll wait to apply Landon's fix until Preston, Spencer, and Chaz have had a chance to review it.

Seriously, who would give their kid some fag name list Landon?

Has anyone verified bug is exploitable yet?

[SuperKendall]

From the other thread, it appeared that no Mac owner posted saying that they had been able to replicate the results - the people that did post results said the quicktime file given crashed Quicktime, but did not run the payload target. Simply being able to crash an application is not the same as actually executing arbitrary code.

Re:Has anyone verified bug is exploitable yet?

[paimin]

I tried the exploit on my Powerbook G4, and it did crash Quicktime, but no payload here as well.

Re:Has anyone verified bug is exploitable yet?

[Shaklee39]

It sets eip to a hard-coded address, therefor, it is exploitable. You are fucking retarded. Just because the proof of concept only crashes it doesn't mean it's not exploitable.

MOAB

[Omeger]

Also means = Mother of All Bombs. Hmm...

Re:Install a fix not from Apple? Fat Chance

[NineNine]

Uh...then look at the source code yourself.

Worst possible response. Are you suggesting that all Apple users become professional software developers? My girlfriend has trouble getting iTunes to work correctly. I don't think that the source code would mean anything to her. And no, I would NEVER suggest installing any Apple fixes that are not directly from Apple. I wouldn't care if it was Linus Torvalds, himself that was posting fixes.

Re:Install a fix not from Apple? Fat Chance

[landonf]

I don't care who this guy is... I'm not downloading "fixes" for my iMac from anyone but Apple

Absolutely -- but I'd still strongly suggest disabling the QuickTime RTSP component:

http://isc.sans.org/diary.php?storyid=1993

1. Go to MOAB site, record exploit info 2. Create malicious version of exploit 3. Post to web as a "fix" and tell users to blindly install

You forgot number 4:

4. Have my professional and personal reputation permanently sullied.

I'll pass! =) The code is up for review, but if you don't feel comfortable with my fix, you can disable the primary attack vector by following the directions from the SANS web site.

MOABs

[El_Smack]

I bet they find the Mother Of All Bugs during the Month of Apple Bugs. Will S. Jobs have to take Management Of Aggressive Behavior classes so as not to snap under the strain? I sense the Mother Of All Battles coming from the Apple fanbase.
Microsoft Often Anticipates Bugs, but they have a "fix it after it shows itself" policy. Maybe Our Apple Boys will take security more seriously now.
May Omnipotent Allah Bless their efforts.

It's not even shipped by default !

[Space+cowboy]

So

[simon:~] simon% vlc
tcsh: vlc: Command not found.
[simon:~] simon% perl VLCMediaSlayer-x86.pl
jump address is: 0x41424344
writing to file: pwnage.m3u
[simon:~] simon% open pwnage.m3u
[simon:~] simon% (opens iTunes)

the application for this second bug is not even shipped on Mac's by default! Meaning that this completely 3rd-party software, if installed onto a Mac, can cause problems with the Mac. And this is Apple's problem how, exactly ?

Simon

Re:It's not even shipped by default !

[jafac]

It's not shippped on Macs by default - but, by the virtue of it being the ONLY way to play some popular video formats on Macintosh, I'd say it may as well be installed by default.

Does every Mac get VLC installed on it by a user who's sick of downloading videos that won't play? Probably not. But it's still a compelling reason to have VLC.

I give Apple partial blame here, for not more vigorously pursuing codecs (or formats, or wrappers, or packages, or whatever technical jargon is used as an excuse) for Quicktime, and not more vigorously promoting wider use of non-assinine codecs among video content providers on the web. I'm not sure what they can do - but apparently, Microsoft has got to be doing something to encourage the use of these video formats that only play in Windows, or VLC.

Re:It's not even shipped by default !

[Rosyna]

It's not shippped on Macs by default - but, by the virtue of it being the ONLY way to play some popular video formats on Macintosh, I'd say it may as well be installed by default.

Even assuming this is correct, VLC isn't and doesn't become the default handler for m3u files. itunes remains the handler even after VLC is installed

Second bug fix already in progress...

[daveschroeder]

See here for details.

OS X -only fix ?

As I understand it, the QuickTime bug also affects Windows, but the runtime fix is Mac-only.

Re:Install a fix not from Apple? Fat Chance

[Overly+Critical+Guy]

Worst possible response. Are you suggesting that all Apple users become professional software developers?

Talk about an exaggerated response. Nobody's telling your girlfriend to look at source code or become a professional software developer. Source code is available for those smart enough to understand it, and if anything bad is in it, the community would be warned.

Typical "open source" security

This should be a darling situation for the Lunix/OSX love-fest community.

Someone points out all the ways their OS can easily get h@xxor3d, and someone not affiliated with the official product has to fix it.

So in other words, Lunix and Apple get a free ride concerning their lack of security... while every obsure, situational, irrelevant problem with Windows is celebrated like a holiday here.

w00t! Three Cheers for "Security Through Obscurity"!!!

Re:Typical "open source" security

[Blikkie]

I'd rather say that it is rather typical of open source security that there is a source to fix to begin with. While there is a lot uf closed code in Apple software, this one was apparently quite easily fixable by a Darwin developer. Actually the last few big windows scares had a third party fix before the official fix as well, because some people took the trouble to hack the windows bugs.

Teh weak MOAB...

[jpellino]

So far it's 50% Apple Bugs.

No wonder this guy's hiding.

THIS is an Apple bug?

[skingers6894]

A VLC bug is an Apple Bug?

Well, if that qualifies maybe they should start looking into MS Office for Apple bugs......

Re:THIS is an Apple bug?

Yes, it is. Check VLC's source the string "pbclevtug (p) Nccyr Pbzchgre, Vap. Nyy Evtugf Erfreirq"

Re:THIS is an Apple bug?

[dogfriend]

Well, if that qualifies maybe they should start looking into MS Office for Apple bugs......

"They" are saving the MS Office bugs for weeks 2 and 3

Re:THIS is an Apple bug?

[porkchop_d_clown]

In the sense that it affects Apple machines, sure.

But, yeah, it's kind of weak. If this is the best they can come up with, Apple can rest easy.

Re:Install a fix not from Apple? Fat Chance

[NineNine]

And will "the community" notify my GF about not installing this patch? No, it's NEVER a good idea to install non-official patches, unless you like trojans.

Re:Install a fix not from Apple? Fat Chance

[Rosyna]

Sure it is, especially when the code is peer-reviewed and fixes a security problem that could theoretically invite malware.

It's just like not taking the polio vaccinations because you've heard they might cause HIV as a western plot even though there's no evidence and no rational mind would think that. Sigh, I wish I was kidding about that.

Re:Install a fix not from Apple? Fat Chance

[inca34]

Will somebody please root this kid's so-called girlfriend already?

MOAB is BS

What, pray tell, is Apple supposed to do about A BUG IN VLC? Being able to run an application is by definition arbitrary code execution. What is Apple supposed to do to stop people from running arbitrary code (i.e., run applications)? How is Apple supposed to know what an application is supposed to do, v. what it is actually trying to do?

Why is this classified as an Apple bug when it affects VLC on Windows too?

This whole MOAB thing is lame, lame, lame.

Sorry, but that's bogus

[Space+cowboy]

I was going to use a stronger word, but my New Years resolution is still (diminishingly) in effect...

If Apple don't supply a piece of software, it is *not* their fault that there can be subsequent problems using that piece of software, it's the program-author's fault. Obviously vlc isn't completely necessary (otherwise I would have it installed, I install a fair amount of linux-related s/w). I do have windows-media player and realmedia player installed...

To say that just because Apple don't supply a particular feature (viewing movies that require codec XXX), it's Apple's problem when you install 3rd-party software that does is just ... wrong. I can't think how you could think that. It's hard to construct an argument when your starting premise is just nonsense.

By the same logic, it's Apple's fault that:

  - I can't run my FPGA-mapping software on my Mac Pro, because Xilinx don't support the Mac. Apple ought to do something.
  - I can't run any game I want on the Mac. Curse those game-producing companies, oh no, wait, it's Apple's fault.
  - My Mac doesn't make toast! How simple is making toast? Apple ought to pull their finger out!
  - ad nauseum.

Install 3rd-party software, have problems with that software, blame the software author. Don't blame the machine manufacturer / operating-system provider.

Moan like buggery (*) (hmm, unfortunate turn of phrase :-) that QT doesn't support the codecs that you want, but it's not Apple's fault that other 3rd-party codecs have bugs in. Yes, I'm a Mac fan, but not a fanboy - I completely agree with bug #1, but this is just completely ... bogus.

Simon

(*) "Moan like buggery" isn't really rude where I come from, oddly enough...

Thanks Landon!

[5plicer]

I really appreciate what you're doing.

Re:Thanks Landon!

[necro2607]

Hey dude, kinda funny seeing you on here... wtf, come on MSN more, eh??!! ;)

Because it just creates a false sense of security.

[argent]

I realize that the idea is just catching on in IE and has not been implemented anywhere else, but why doesn't Safari setuid() the rendering engine to guest (or some other nonprivileged user)?

First, let me make one point clear. This is not "just catching on in IE", it has been used for running potentially exloitable applications in UNIX for decades. It's a last resort when applied to interactive programs... it's usually used with applications that are running unattended and providing services to the outside world... and the limitations of this kind of technique are abundantly clear. UNIX environments typically take this kind of thing several stages further, using chrooted environments and jails to really isolate the untrusted code from the rest of the system.

Second, Security is like sex, if you're penetrated you're fucked. Just because an exploit in IE can only have an effect on resources owned by a restricted user should not be considered a big deal. Why?

(1) Once you can run local native code, you're in a MUCH better position to devise a secondary exploit against a local privilege escalation vulnerability.

(2) Resources accessible to Internet Explorer include (of necessity) any security tokens (passwords, etcetera) used for access to online services, as well as anything else that you use the same tokens for... like, say, your local account.

I've repeatedly argued that the fact that the local user runs with lower privileges on Mac OS X than on Windows is not nearly as important as Mac fanatics make out. Well, the converse is true... this new hack Microsoft has come up with to avoid facing the security flaws in the design of IE isn't nearly as importantas Microsoft apologists make out.

Frist psOt

the point more woul3 you like to

Its not unreasonable & Landon is contributing!

[IM+Scary]

If Apple would be as slow about the fix as MS was about the WMF fix, I might indeed install a patch from a 3rd party (as I chose to do for WMF).

There are pros and cons to third party patches (and you have identified a possible negative case), but there solid ways to validate the decision with the security community, even if you can't read the code yourself.

I think its really cool that Landon is spending his time writing counters and taking a decidedly positive action in this investigation.

Personally, I never heard of APE before this, and knowing something about that software is already a positive result for me, even if I only disable rtsp handler (which I have done).

You can tell MOAB doesn't have an ax to grind

[ZombieRoboNinja]

because they call Mac fanboys crackheads on their front page.

Re:Install a fix not from Apple? Fat Chance

[argent]

Are you suggesting that all Apple users become professional software developers?

They don't need to. They just need to know someone they trust who is competant to read the source. It doesn't even have to be someone they know... for example, if source this small was crocked there would be approximately two thousand posts in this discussion pointing it out. So, really, "all Apple users" just have to know someone who they trust who knows where to look.

Especially since Apple's fixes, in the past, have not always been as good as third party fixes. They still haven't fixed the "help" hole properly, for example...

http://www.scarydevil.org/~peter/io/apple.html

Re:Install a fix not from Apple? Fat Chance

[mrondinelli]

Hi Landon, thanks for the fix.

One concern I'd like to point out (having looked at your source) is that you use NSAddImage to load the QuickTimeStreaming component in order to resolve the address of the problem function. The concern is that every process will then have the QuickTimeStreaming component and its dependencies loaded into memory.

Aside from the excess use of address space that you point out, this may unintentionally expose more applications to bugs from frameworks they don't normally link against, such as:

• QuickTime
• QuickTimeStreaming
• Carbon
• SystemConfiguration
• Security
• AudioToolbox
• AudioUnit
• libobjc

I wouldn't be surprised to see these guys take advantage of this in a future exploit.

I'm not too familiar with dyld or APE patching unfortunately so I don't have a solution to offer. Ideally, one can patch only those apps or bundles that link against the QTS framework themselves.

Re:Install a fix not from Apple? Fat Chance

[landonf]

Aside from the excess use of address space that you point out, this may unintentionally expose more applications to bugs from frameworks they don't normally link against, such as: [snip] I wouldn't be surprised to see these guys take advantage of this in a future exploit. I'm not too familiar with dyld or APE patching unfortunately so I don't have a solution to offer. Ideally, one can patch only those apps or bundles that link against the QTS framework themselves.

Thank you very much for reviewing the code. I ultimately decided that the additional complexity required to watch for the QTS component being dynamically loaded was more risky than simply forcing it to be loaded. It seems like the simplest way to ensure that the function in question is -always- patched.

The only security downside, as far as I know, is that an existing exploit could potentially execute some of the newly loaded code (See http://en.wikipedia.org/wiki/Return-to-libc_attack ). However, after reviewing a number of applications (Safari, Firefox, Adium, Mail.app, VLC) it became apparent that most of the libraries in question were already being loaded anyway. It seems like additional risk is very minute, but I could be missing something important =)

Re:Install a fix not from Apple? Fat Chance

[I'm+Don+Giovanni]

But the source code is meaningless as a guarantee of nonmaliciousness (intentional or unintentional) unless you compile the code yourself. Because that's the only way to know that the "fix" you install matches the source code.

JoeBlow isn't going to be able to compile the code himself. So it doesn't really matter if JoeBlow sees that some guy claiming to be a software dev on the net reviewed and ok'ed the code.

And I can verify it does not work on a MacPro

[SuperKendall]

I finally got a chance to try the exploit on my own Macbook Pro, where it did not work.

Given that the Ruby script is slightly flawed, how are we to assume that they are even capable of coming up with a real exploit instead of just crashing applications?

Month of Apple Bugs, indeed! Given the second bug (an error in VLC! Oh My!) I think the whole effort is going to backfire and point, correctly or not, as a shining example as to the lack of serious problems in OS X itself (unless they are saving something good for later, but it seems like they had better produce a real bug shortly or face derision).

You have to wonder now if the Oracle one was canceled because they couldn't get any of those exploits to work either - or perhaps never figured out how to install Oracle, that took me a few passes the first time I tried to set it up.

Re:Install a fix not from Apple? Fat Chance

[argent]

But the source code is meaningless as a guarantee of nonmaliciousness (intentional or unintentional) unless you compile the code yourself.

Or you can get a copy from someone trustworthy who has done so, or you have someone trustworthy verify that the executable matches the source, or... the point is, the source code allows you to build a stronger chain of trust for the software. For any software, whether it's a fix or a game... after all, the same argument about installing a security fix from anyone but Apple applies to installing *any* software from anyone but Apple.

Do you have any third party proprietary software on your computer at all?

0%

[SuperKendall]

I just verified myself - the proof of concept exploit for the bug that was actually an Apple bug did not work. Crashing Quicktime is not the same as an exploit that executes arbitrary code, obviously an actual exploit is more complex than he thought. Or perhaps I should use the phrase "Imagined" since we have yet to see a single post from a user that got the exploit to work.

Re:0%

[porkchop_d_clown]

Apparently it works on *some* machines.

Someone, I think it was Macslash reported that a few machines got the full exploit, while most simply got the crash. Crashes aren't good, but they're hardly arbitrary code execution, either.

Also - I seem to remember hearing that the newest intel chips have hardware protection that prevents the execution of code loaded into data buffers (i.e., buffer overrun attacks) - could that have an effect?

Re:0%

[LizardKing]

I seem to remember hearing that the newest intel chips have hardware protection that prevents the execution of code loaded into data buffers (i.e., buffer overrun attacks) - could that have an effect?

Don't know, however the "exploit" doesn't work on my PowerPC based Mac either.

Not the only way, codec packs in Quicktime

[SuperKendall]

It's not shippped on Macs by default - but, by the virtue of it being the ONLY way to play some popular video formats on Macintosh, I'd say it may as well be installed by default.

That's just plain wrong - I don't use it much myself because I simply have used codec packs that install into Quicktime, for things like Divix videos and WMV9. What codecs were you thinking of that you can't load this way?

A more meaningful though still questionable bug would have been in a Divix codec pack for Quicktime. I would question it since the only people that really "need" diivx are people downloading video from torrents where it is the formal of choice; many users just watch YouTube and buy TV on ITMS, those users would not need anything but the default Quicktime.

Apparently I'm abnormal.

[porkchop_d_clown]

It's popular enough that every minor release was posted to /. *and* it plays videos I wasn't able to play with QuickTime. I've used it for years.

Re:Apparently I'm abnormal.

[GaryPatterson]

I use VLC as well, and have for a few years. It's a great addition to my computer, although the UI is pretty awful (but getting better in leaps and bounds).

That doesn't mean it's popular though. I still don't know anyone outside of tech-based websites who's heard of it when asked.

Heh. For me it was

[porkchop_d_clown]

having to re-apply a collection of kernel patches for the USB drivers every time I got a kernel update. (This was back in early 2.4, you understand).

These days, it's Linux goes on the back end machine, OS X on the front end, and Windows off the deep end.

Re:Install a fix not from Apple? Fat Chance

[ZachPruckowski]

I'd give you odds that 50 people with the experience to know what they're doing downloaded it. Since it comes from a trusted source (a developer), and is promoted by another trusted source (Security Focus), and other people have downloaded it without issue, and others have looked at the code without issue, I'd say it's as safe as can be.

Well, technically a fruit fly is not a true bug...

It is of the order Diptera or flies. True bugs belong to the order Hemiptera and only Hemiptera...

QuickTime + Flip4Mac + Perian = no need for VLC

[Vandil+X]

Many people forget that they have to add codecs to WMP on Windows to get it to run videos encoded with alternate video codcs (DivX, XviD, etc.).

QuickTime for Mac OS X can be similarly augmented:

Simply download Flip4Mac (free) for WMV support and Perian (free) for support for just about everything else.

No need for VLC.

Re:QuickTime + Flip4Mac + Perian = no need for VLC

[WNight]

Quite right. For all the talk of how Windows and Mac just work, it takes at least a full day to install a Windows machine with a full developer's suite of tools, virus scanners, etc. If I'd just had all the software made into a slipstreamed disk it would have been one thing, but you can't SSH from Windows, can't write Perl or Ruby, can't play any non-WMV video format more recent than MPEG2 without a special codec pack you have to download from a Russian site... Of course, you don't have the benefit of public-key signatures on the packages and a consistent installer interface to use to do this either.

I know that the Linux GUI might not have all the glitz of a Mac, but I can setup a new Debian box with everything I want in half an hour, including custom apps. Sound works, most videos work. (I can rarely play all my movies in any one OS or player, they're a mix of old and new and rarely use one nice set of codecs.)

My mom is currently using Linux and whenever someone sends her an attachment she can't open I just SSH in, open the desktop via VNC, and fix the problem with her watching. A properly setup Mac would be friendlier, a bit, but not really in the few apps she uses all the time, Firefox, Thunderbird, XMMS. Almost what was installed on her last Windows box (Mozilla, WinAmp...)

If you want to open a box and turn it on, get a Mac. If you want to run one script and have all your software installed and working, get Debian. If you want the worst user experience today, get Windows. Seriously, it's far from desktop ready!

Not that I've found

[SuperKendall]

Someone, I think it was Macslash reported that a few machines got the full exploit, while most simply got the crash.

I've posted on Macslash, and Digg as well looking for anyone who can reproduce the results (and now have tried it myself on my own Macbook Pro) - I have yet to see a post saying it works on thier computer. On the website they have a shell exploit version which they gaurantee works "but you have to verify with a debugger". to the naked eye, it also crashes Quicktime with no other result.

Even if it happens sometimes, I question how serious a bug really is that only happens when the stars (or more accuratley, memory locations in an application) align. That doesn't seem like a very appealing hole for an attacker to try, as users will be driven away in droves by a video that simply crashes quicktime.

Also - I seem to remember hearing that the newest intel chips have hardware protection that prevents the execution of code loaded into data buffers (i.e., buffer overrun attacks) - could that have an effect?

That takes some enabling to use, I think the OS has to enable it and OS X does not do so yet. Or it might be more of a compiler kind of thing for an application; I forget. I don't think it helps much currently in OS X.

Re:Not that I've found

I have yet to see a post saying it works on thier computer.

That's because of the fully functional exploit's behavior. It causes the computer to log onto slashdot and post a message saying "it didn't work for me."

Month of Apple Fixes ...

[hritcu]

Terrorists Lose!

Re:Because it just creates a false sense of securi

[emil]

First, let me make one point clear. This is not "just catching on in IE", it has been used for running potentially exloitable applications in UNIX for decades.

Internet Explorer is currently the only browser that implements this technique, and it does so only on Vista (AFAIK).

I've repeatedly argued that the fact that the local user runs with lower privileges on Mac OS X than on Windows is not nearly as important as Mac fanatics make out.

I run as a restricted user on Windows, and I use RunAs to elevate privilege when necessary. I would prefer the browser to run with even less privilege, so there was low possibility that a hostile process could wipe out My Documents or anything else I own. In any case, I feel much more secure running restricted as a hostile ActiveX component/buffer overflow will have a much harder time escalating privilege, modifying or installing software, or wiping out my hard drive. The idea here is not to be the "low hanging fruit" for a mass attack - a determined attacker might have to spend MUCH more time breaking into my systems, granted that it probably could be done. ssh has been using privsep for some time; the browser should too.

Re:Install a fix not from Apple? Fat Chance

[soft_guy]

My girlfriend has trouble getting iTunes to work correctly. Dude, you should totally dump her.

Re:Install a fix not from Apple? Fat Chance

[Overly+Critical+Guy]

Uh, if your girlfriend is connected enough to the community to know about an unofficial patch, she'd be connected enough to know what the community thinks about that patch.

Re:Install a fix not from Apple? Fat Chance

[landonf]

As a reply to my earlier comment -- I've been stewing on this, and decided to err on the side of caution and register a dyld "add image" callback for the QT Streaming Component, using _dyld_register_func_for_add_image(). I'll include the changes with the next bug fix.

Thank you very much for your suggestion.

Might see some attacks but...

[snuf23]

Windows is a much more attractive target due to the large number of possible exploits, users that don't patch their systems and a huge install base. Certainly on the money making side of spyware and bot nets, the Mac is still not a very interesting target.
Even were a Mac virus or worm to hit the wild, the rate of propagation would likely be a lot slower than on Windows due to the fewer systems out there.

Re:Might see some attacks but...

[cswiger2005]

Certainly it's true that there have not been major outbreaks targetting Mac users for financial gain, but some of the more recent games like sniffing mail passwords in an internet cafe and then holding the account's email contents hostage would affect Mac users just as they would a Windows user.

Re:Install a fix not from Apple? Fat Chance

[argent]

No, it's NEVER a good idea to install non-official patches, unless you like trojans.

By the same logic it's NEVER a good idea to install third-party software. :)

Hi Andrew!

[5plicer]

You know, I think this is the first I've run into someone I know on Slashdot! I had Tyson over for turkey soup a couple of weeks ago, and he also complained about how I'm never on MSN. I'll see what I can do. ;)

good to see

[toby]

The obvious way to handle it, I thought when the story broke last month...

well never mind...

[Pliep]

...in a few days the MacWorld Expo keynote will be done and everyone will be writing and blogging about that, MOAB never to be heard again.

Re:Because it just creates a false sense of securi

[unicode]

Certainly there are advantages to running an application or system components as a user with restricted privileges. However, there are also many disadvantages, namely complexity.

How far do you take this approach, 3 levels four levels....etc. Increasing the complexity, in this case by having different operational privileges for different sections of a system also will result in unexpected issues occurring more frequently. Even though the original goal is to reduce what can happen.

An example: Operating system

A single user operating system is less complex than a multi user operating system. Therefore, a single user application is less complex than a multi user application.

Complexity, provides functionality, in this case it may offer this functionality as increased security. However, it comes at a cost. As the system complexity increases so do the opportunity for errors to occur

To increase security, you could run a separate OS in a virtualized environment or better yet on a separate machine. Then and only then run the browser on this machine or in this virtual environment. The more things we try to do on one system the more attractive it will become as a target. See this article.

It will be interesting to see where this technology leads in the future. It could well become the de-facto.

your mac doesn't make toast?

[commodoresloat]

Try repairing the permissions and then reset the Reality Distortion Field.